- Name : Hack.lu CTF 2017
- Website : flatearth.fluxfingers.net
- Type : Online
- Format : Jeopardy
- CTF Time : link
150 Mistune - Web
Markdown parsers are fun. Now click here and steal the cookie!
- escape: if set to False, all raw html tags will not be escaped.
- hard_wrap: if set to True, it will have the GFM line breaks feature. All new lines will be replaced with
Normally Markdown accepts HTML tags, but here they are escaped by the renderer.
So it seems the filtering is applied to the input, not to the rendered output. That is the mistake.
Let's try it locally:
The rendered content looks fine with the base64 trick; it worked in my browser but not with the bot.
Check if HTML tags are really escaped:
Normal html tags are escaped. Let's continue:
Invalid tags are escaped too.
What???? The renderer just created a link with
A 100% valid link. Just send it to the bot and collect the flag.
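The lesson of this challenge is that escaping raw tags in the Markdown input does not protect the HTML the renderer produces afterwards. As an added example (not code from the writeup or from mistune), the allowlist sanitizer below is applied to the rendered output string instead, keeping only known tags and attributes and dropping links whose scheme is not allowlisted; the tag and scheme lists are assumptions chosen for this demonstration:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist applied to the rendered HTML, independent of how the
# Markdown parser escaped its input. Constructed for this example.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_href(url):
    """True only for relative URLs or an allowlisted scheme."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class OutputSanitizer(HTMLParser):
    """Rebuilds rendered HTML, dropping disallowed tags, attributes and links."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # what was removed, useful for logging/detection

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not safe_href(value):
                self.dropped.append(f"href:{value}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped on the way out, whatever the parser did.
        self.out.append(html.escape(data))


def sanitize_rendered(html_text):
    """Return (clean_html, dropped_items) for one rendered Markdown fragment."""
    p = OutputSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped
```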