Stored HTML Injection in Google Gemini: From Markdown Abuse to Credential Theft

19 November 2025

Tags: HTML Injection, Markdown Bypass, Phishing

On July 4, 2025, I discovered a critical stored HTML injection vulnerability in Google Gemini that allowed attackers to inject arbitrary HTML through improperly sanitized Markdown rendering. This vulnerability enabled sophisticated phishing attacks through Gemini's chat sharing feature, ultimately earning recognition from Google's VRP panel with a reward of $13,337 for its high exploitation likelihood and abuse-related impact.

nday: file storage - m0leCon Teaser CTF

11 September 2024

Tags: CRLF, SQLi, m0leCon Teaser CTF

This challenge is from the m0leCon Teaser CTF. It was an interesting but relatively easy challenge, so the write-up will be brief. The objective was to exploit SQL Injection (SQLi) and CRLF (Carriage Return Line Feed) vulnerabilities to retrieve the flag from an internal server. Two services were running: an FTP server and a Node.js application, alongside a PHP server running on Nginx.