Commit bf0c1f5

midnightsun/marcozuckerbergo: fix markdown
1 parent fddae18 commit bf0c1f5

1 file changed

+6
-9
lines changed

2019/midnightsunctf/marcozuckerbergo/marcozuckerbergo.md

@@ -4,7 +4,7 @@ tags: ["xxs", "mermaidjs"]
44
# Challenge
55
> Fine, I'll use a damn lib. Let's see if it's any better.
66
7-
This challenge is based on the same setup as marcodowno. Instead of converting markdown, this challenge converts mermaidjs[1] charts to HTML.
7+
This challenge is based on the same setup as marcodowno. Instead of converting markdown, this challenge converts [mermaidjs](https://mermaidjs.github.io/) charts to HTML.
88

99
# Solution
1010
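
Review bot: the front-matter tag visible in this hunk's header context reads `"xxs"`, which looks like a typo for `xss` given that the write-up builds an `alert` payload against the chart-to-HTML converter. Since this commit is already a cleanup pass over the file, correct the tag here as well so that tag-based listings pick the write-up up. The inline link on new line 7 matches the URL of the old `[1]` reference.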

@@ -15,13 +15,15 @@ graph TD;
1515
A-->B;
1616
```
1717

18-
This input is parsed using the flowchart parser[2] written in a bison-like language.
18+
This input is parsed using the [flowchart parser](https://github.com/knsv/mermaid/blob/master/src/diagrams/flowchart/parser/flow.jison) written in a bison-like language.
1919
A few of the parsing rules look promising:
2020

21-
`textToken` consumes a bunch interesting characters that are dumped as-is into the HTML output: ```<>[]"'`:.-``
21+
`textToken` consumes a bunch interesting characters that are dumped as-is into the HTML output:
22+
```<>[]"'`:.-```
23+
The `textToken` rule is used to parse vertex names in the link statement `A-->B`.
2224
Parentheses are not allowed though so we'll have to improvise on the `alert(1)` call:
2325

24-
ES2015 template literals[3] can be used to call functions without using parentheses.
26+
[Template literals](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals) can be used to call functions without using parentheses.
2527
```alert`1` ``` is equivalent to `alert(["1"])` and by string coercion equivalent to `alert('1')`.
2628

2729
Here's the final payload:
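
Review bot: new line 22 begins with three backticks and sits directly between lines 21 and 23 with no blank lines around it, so a CommonMark renderer folds all three lines into one paragraph with the character set as an inline span, and a renderer with looser fence detection may read the line as a code-fence opener and swallow the text after it. If the character set is meant to stand on its own line, put a blank line before and after it or use a real fenced block. Two smaller points in the same hunk: line 21 still reads "a bunch interesting characters" (missing "of"), and the parser link on line 18 targets `blob/master`, so the `textToken` rule it is cited for can move or change; a commit permalink would keep the reference stable.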
@@ -40,8 +42,3 @@ This is the relevant output produced:
4042
http://marcozuckerbergo-01.play.midnightsunctf.se:3002/markdown?input=%67%72%61%70%68%20%4c%52%3b%0a%20%20%20%20%58%2d%2d%3e%59%5b%59%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%27%61%6c%65%72%74%60%31%60%27%20%2f%3e%5d%3b
4143

4244
midnight{1_gu3zz_7rust1ng_l1bs_d1dnt_w0rk_3ither:(}
43-
44-
# References
45-
- [1] https://mermaidjs.github.io/
46-
- [2] https://github.com/knsv/mermaid/blob/master/src/diagrams/flowchart/parser/flow.jison
47-
- [3] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
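
Review bot: the deletion of the `# References` section at old lines 43-47 is a structural change that the commit title "fix markdown" does not mention; say so in the message so the removal does not read as accidental in later history. The three removed URLs do match the inline links added on new lines 7, 18 and 26, so no reference is lost.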