Rating: 2.0

## PyCrypto Writeup

To begin with, there is a very easy crypto chall. By solving it with collision, we can get:

key = "ASIS2020_W3bcrypt_ChAlLeNg3!@#%^"

Then, leverage this vuln (https://github.com/trentm/python-markdown2/issues/348) to make `/ticket` to have XSS.

Finally, since we can only submit URL starts with ``, an iframe of `` could be injected to
`/ticket` to get to make sure we are at same origin with ``. Yet, `/ticket` prevents
any connection on ``. So we can conduct DNS rebinding:
[DOMAIN] => [,]
Now using `http://[DOMAIN]/ticket` could get the flag.


Didn't get up early enough to solve the last part before it ends : (

Original writeup (https://gist.github.com/shouc/f6271dc4b3329e6bf2cc494a61657775).