This challenge involves a three-stage exploit chain:

  1. SQL Injection via Unicode normalization bypass to extract credentials
  2. Privilege Escalation via JSON Unicode escape bypass to gain admin access
  3. Remote Code Execution via newline injection in filename to exfiltrate the flag

Initial Recon:

The schema shows that each user's password is stored as an MD5 hash:

-- users table
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE,
    password TEXT,  -- MD5 hash
    role TEXT DEFAULT 'user'
)

-- notes table
CREATE TABLE notes (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    title TEXT,
    content TEXT,
    shared INTEGER DEFAULT 0,
    tags TEXT
)

-- logs table
CREATE TABLE logs (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    action TEXT,
    metadata TEXT,
    timestamp TEXT
)

The tags variable (from user-controlled note tags) is interpolated directly into the SQL query.

But there's a catch: all user input first goes through filter_security_input().

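The ordering problem behind this stage, as an added illustration that is not the challenge's own code: the filter's rules, the fullwidth test input and the notes rows are constructed assumptions (the page shows none of them). It contrasts filter-then-normalize with normalize-then-filter and with a parameterized query, which is the fix that does not depend on the filter at all.

```python
import sqlite3
import unicodedata

# Constructed stand-in for the challenge's filter_security_input(): the page
# does not show the real rules, so this blocklist is an assumption.
BLOCKED_TOKENS = ("'", '"', "--")

def filter_security_input(value: str) -> str:
    """Assumed filter: reject the input if it contains a blocked token."""
    for token in BLOCKED_TOKENS:
        if token in value:
            raise ValueError(f"blocked token {token!r}")
    return value

def filter_then_normalize(tags: str) -> str:
    """Vulnerable ordering: the filter inspects the raw string, then NFKC runs.
    U+FF07 FULLWIDTH APOSTROPHE is not in the blocklist, but NFKC maps it to
    U+0027, so the returned string contains a quote the filter never saw."""
    return unicodedata.normalize("NFKC", filter_security_input(tags))

def normalize_then_filter(tags: str) -> str:
    """Hardened ordering: normalize first so the filter sees the final form."""
    return filter_security_input(unicodedata.normalize("NFKC", tags))

def search_notes_safe(conn: sqlite3.Connection, tags: str) -> list:
    """Hardened query: the normalized tag is bound as a parameter, so any
    quote characters in it are data, not SQL, regardless of the filter."""
    normalized = unicodedata.normalize("NFKC", tags)
    return conn.execute(
        "SELECT id, title FROM notes WHERE tags = ?", (normalized,)
    ).fetchall()

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample rows in the notes table from the writeup's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER,"
                 " title TEXT, content TEXT, shared INTEGER DEFAULT 0, tags TEXT)")
    conn.executemany(
        "INSERT INTO notes (user_id, title, content, tags) VALUES (?, ?, ?, ?)",
        [(1, "groceries", "milk", "home"), (2, "standup", "notes", "work")],
    )
    return conn

if __name__ == "__main__":
    fullwidth = "work\uff07"  # constructed input: 'work' + FULLWIDTH APOSTROPHE
    print(repr(filter_then_normalize(fullwidth)))  # "work'" slipped past the filter
    try:
        normalize_then_filter(fullwidth)
    except ValueError as exc:
        print("rejected once normalized first:", exc)
    print(search_notes_safe(build_demo_db(), fullwidth))  # [] : treated as data
```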
Problem:

What is NFKC Normalization?