Markdown parsers are fun. Now click here and steal the cookie!

The website has two pages: one for testing the markdown parser and a second for sending a message to the admin. The website also tells us that the admin will click on the links in the message. We are going to steal the admin's cookie via a Cross-Site Scripting (XSS) attack.

First, we will use the testing page to make sure we have a valid XSS payload. I basically tried

However, the result was just plain text, which means HTML tags are escaped. Then, I tried

This one worked. Now, if we try

the result is a link to the current page. By the way, %29 is the ')' character in URL encoding. We escaped it via URL encoding; otherwise it would obviously turn our link from

to

by closing the outer parenthesis. Anyway, since it pointed to the current page, which means it was the same as

there must be a filter. Let’s try

The result is a link to:

Therefore, we can use javascript, but not at the beginning of the address. I tried adding whitespace characters (%0A, %0B, %09, %0D, %0C) before javascript, but none of them worked. Then, I wondered what would happen if I used a control character that is not whitespace at the beginning, like the Start of Heading (SOH) character (%01).

So, I tried the following:

Yay! It created a link to javascript:alert('xss'), which displays an alert box with the text 'xss' when we click on it. Now, we need to set up netcat to listen on a port. I will listen on port 1337, but first I need to find my public (external) IP address.
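The filter behaviour described above, seen from the defender's side, as an added example (not the challenge's code): a naive prefix blocklist of the kind the challenge appears to use, beside a hardened allowlist check that normalises the href the way a browser does before looking at the scheme, so a leading control character no longer slips past. The sample hrefs and the assumption that the parser percent-decodes the href before checking it are mine.

```python
import re
from urllib.parse import unquote

# Schemes a link href may use; anything else (javascript:, data:, vbscript:, ...)
# is rejected without having to be enumerated.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample hrefs with the verdict a correct filter should give.
# "\x01" is the Start of Heading (SOH) control character the writeup calls %01.
SAMPLES = [
    ("https://example.com/page", True),
    ("/relative/path?x=1", True),
    ("javascript:alert('xss')", False),
    ("\x01javascript:alert('xss')", False),   # leading control character
    ("%01javascript:alert('xss')", False),    # same, still percent-encoded
    ("\tjavascript:alert('xss')", False),     # tab/newline are dropped by browsers
    ("java\nscript:alert('xss')", False),
    ("JaVaScRiPt:alert('xss')", False),       # scheme names are case-insensitive
]

def naive_allows(href: str) -> bool:
    """Blocklist of the kind the writeup defeats: rejects only an exact 'javascript:' prefix."""
    return not href.startswith("javascript:")

def browser_normalise(href: str) -> str:
    """Mimic the WHATWG URL parser's pre-processing: strip leading/trailing C0
    controls and space, then delete ASCII tab and newline anywhere."""
    href = unquote(href)  # assumption: the parser decodes %xx before checking, as the challenge's does
    href = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", href)
    return re.sub(r"[\t\n\r]", "", href)

def hardened_allows(href: str) -> bool:
    """Allowlist the scheme after normalising the way a browser would."""
    href = browser_normalise(href)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", href)
    if m is None:
        return True  # no scheme at all: a relative link
    return m.group(1).lower() in ALLOWED_SCHEMES

def evaluate():
    """Return (naive_bypasses, hardened_bypasses): the unsafe hrefs each check lets through."""
    naive = [h for h, ok in SAMPLES if not ok and naive_allows(h)]
    hard = [h for h, ok in SAMPLES if not ok and hardened_allows(h)]
    return naive, hard
```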

Now, I will send the admin the XSS payload below as a message while listening on port 1337.

Let’s wait for the admin to click on the link.

Here is the flag: flag{92da883eb1df9d1287ff25f1a1099f29}.