Open in app

Sign up

Sign in

Write

Sign up

Sign in

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow publication

MD2PDF — TryHackMe Walkthrough Writeup

Hello Everyone! It’s been awhile since my last writeup. I’ve been focusing lately on CTFs more than bug bounty.

MD2PDF

MD2PDF (https://tryhackme.com/room/md2pdf) is an Easy CTF challenge that is very much beginner friendly.

Recon

MD2PDF stands for Markdown2PDF. The homepage offers a functionality which converts HTML markup to PDF format. This pretty much opens up the possibilities for XSSs or better, SSRFs (Server Side Request Forgery).

if an XSS/SSRF in the PDF generator is possible, we may use this to read private server files or send requests posing as the server.

Gobuster

there is an /admin directory. But it returns 403 Forbidden Error.

It says that the directory can only be accessed through localhost:5000

Exploitation

We must craft an <iframe> that frames the http://localhost:5000/admin directory.

<iframe src="http://localhost:5000/admin" height="1000" width="1000">
</iframe>

The generated pdf should show the /admin directory since the request came from server side, not from our network.

The admin directory contains the flag

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Sign up for free

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Try for $5/month
InfoSec Write-ups
InfoSec Write-ups
Follow

Published in InfoSec Write-ups

57K Followers
Last published 12 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow
0xEchidonut
0xEchidonut
Follow

Written by 0xEchidonut

577 Followers
15 Following

JM Sanchez | Bug Bounty Hunter | Penetration Tester | Philippines

Follow

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech