{"id":302,"date":"2023-02-18T20:40:41","date_gmt":"2023-02-18T19:40:41","guid":{"rendered":"https:\/\/babdcatha.net\/?p=302"},"modified":"2023-02-18T21:59:25","modified_gmt":"2023-02-18T20:59:25","slug":"tryhackme-md2pdf","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/02\/18\/tryhackme-md2pdf\/","title":{"rendered":"TryHackMe : MD2PDF"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hi! Today we are going to take a look at the <a href=\"https:\/\/tryhackme.com\/room\/md2pdf\">MD2PDF<\/a> machine on <a href=\"https:\/\/tryhackme.com\">TryHackMe<\/a>! This machine is a web server hosting a service that converts markdown documents to PDFs. When developing this kind of application it is easy to overlook something and leave a serious hole in it, and that is what we are going to try to find here.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first thing we do is take a look at the application. It is pretty simple: a textbox to input our markdown, and a button to convert it to a PDF.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-2.png\" alt=\"The MD2PDF web application: a markdown textbox and a convert button\" class=\"wp-image-306\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-2.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-2-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-2-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">When we submit a simple test input, a new window opens with the generated PDF:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" 
src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/test_conversion.png\" alt=\"The generated PDF for a simple test input\" class=\"wp-image-307\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/test_conversion.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/test_conversion-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/test_conversion-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The website works as expected. The next step is to scan the machine with nmap to see what services are running on it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-2.png\" alt=\"nmap scan output: an SSH server plus unidentified services on ports 80 and 5000\" class=\"wp-image-308\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-2.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-2-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-2-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We find an SSH server and two services that nmap does not identify, on ports 80 and 5000. We already know that port 80 serves the web page, and after visiting port 5000 it turns out to serve the same application. Keep that second port in mind: a service that the machine exposes to itself on another port is often the one an internal component is expected to talk to.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Directory enumeration turns up two pages: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/admin<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/convert<\/mark>. 
<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/convert<\/mark> is the endpoint that receives the POST request carrying the markdown when we convert a document, and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/admin<\/mark> answers with a Forbidden error when requested from our machine, so it looks to be restricted to requests coming from the server itself.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/admin_forbidden.png\" alt=\"The \/admin page returning Forbidden when requested from outside the machine\" class=\"wp-image-311\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/admin_forbidden.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/admin_forbidden-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/admin_forbidden-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A check that only rejects clients coming from outside is worth probing: the PDF is generated on the server, so anything the renderer fetches while building it is requested from localhost, where that check no longer applies. When we did the <a href=\"https:\/\/babdcatha.net\/index.php\/2023\/02\/09\/hackthebox-stocker\/\">Stocker<\/a> machine, we injected iframes into a PDF to get access to a local file. 
Maybe we can use something similar here to reach the admin page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And indeed, the converter passes raw HTML written in the markdown straight through to the renderer. Entering this into the markdown input:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"markup\" class=\"language-markup\">&lt;iframe src='http:\/\/localhost:5000\/admin' width='1000' height='1000'&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">gives us a PDF showing the admin page, which contains the flag we were looking for:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/flag_blur-1.png\" alt=\"The generated PDF showing the admin page, with the flag blurred\" class=\"wp-image-313\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/flag_blur-1.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/flag_blur-1-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/flag_blur-1-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay! This machine was a nice quick refresher on HTML injection into a server-side PDF renderer. The iframe is only the vehicle: the real bug is that the renderer fetches URLs from the server's own network, so the request to port 5000 comes from localhost and the restriction on <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/admin<\/mark> does not apply to it. That is a server-side request forgery, and any other element that makes the renderer issue a request would originate from the same place. The fix belongs on the converter side: do not pass raw HTML from the markdown through to the renderer, and run the renderer where it cannot reach internal services at all. I hope you enjoyed it as much as I did!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi! Today we are going to take a look at the MD2PDF machine on TryHackMe! This machine is a web server hosting a service that allows us to convert markdown files to PDFs. 
If not done properly, it is easy to miss something when developing this kind of application and leave a big [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[28,29,30,8,23],"class_list":["post-302","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-iframe","tag-markdown","tag-pdf","tag-tryhackme","tag-xss"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":7,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"predecessor-version":[{"id":315,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions\/315"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
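The writeup shows the attack (an iframe in the markdown makes the server-side PDF renderer fetch http://localhost:5000/admin, where the localhost-only restriction does not apply). As an added example that is not the MD2PDF room's code nor anything from the post, here is the converter-side check a defender would put between the markdown-to-HTML step and the PDF renderer: it drops elements that make a renderer fetch or execute, drops inline event handlers, and drops any URL attribute that points at the server's own network (localhost, loopback, RFC 1918, link-local, non-http schemes, and relative URLs, which resolve against the renderer's own origin). It goes beyond the single iframe on the page to cover the variants an attacker would try next. The tag sets, the `sanitize` / `is_internal_url` names and the sample HTML are this example's own assumptions, and the renderer is assumed to behave like a headless browser. The check is defence in depth: the stronger fix, as the post concludes, is to not pass raw HTML through at all and to run the renderer with no route to internal services.

```python
"""Added example, not the MD2PDF room's code: sanitise the HTML that the
markdown converter produced before a server-side HTML-to-PDF renderer
(assumed to behave like a headless browser and to fetch anything it is
pointed at) gets to see it."""
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which elements make a renderer fetch or execute is renderer-specific;
# these sets are this example's assumption, not something the room states.
DROP_WITH_CONTENT = {"script", "style"}
DROP_TAG_ONLY = {"iframe", "frame", "object", "embed", "link", "meta", "base", "form"}
URL_ATTRS = {"src", "href", "data", "action", "formaction", "poster"}


def is_internal_url(url: str) -> bool:
    """True if a fetch issued by the renderer would reach something an
    external client cannot: non-http(s) schemes (file:, javascript:, data:),
    relative URLs (they resolve against the renderer's own origin), localhost,
    or a literal IP that is not globally routable (loopback, RFC 1918,
    link-local such as 169.254.169.254)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname or ""
    if host == "" or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # A DNS name. A real deployment must resolve it and re-check the
        # resolved addresses (or, better, give the renderer no network at
        # all); treating it as external here is a simplification.
        return False


class PdfSafeSanitizer(HTMLParser):
    """Re-emit the document, dropping active elements, inline event
    handlers, and any URL attribute that points inside the server."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: text reaches handle_data decoded
        self.out: list[str] = []
        self.dropped: list[tuple[str, str]] = []  # (tag, reason), for logging
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append((tag, "active element and its content"))
            return
        if self._skip:
            return
        if tag in DROP_TAG_ONLY:
            self.dropped.append((tag, "active element"))
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if name.startswith("on"):
                self.dropped.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and value is not None and is_internal_url(value):
                self.dropped.append((tag, f"{name}={value!r} points inside the server"))
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> -> <br>, without a stray </br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(self._skip - 1, 0)
            return
        if self._skip or tag in DROP_TAG_ONLY:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(html_text: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (sanitised HTML, list of (tag, reason) for everything removed)."""
    parser = PdfSafeSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: the room's iframe payload plus a few variants an
# attacker would try next, as the markdown converter would emit them.
SAMPLE_HTML = (
    "<h1>Test</h1>"
    "<iframe src='http://localhost:5000/admin' width='1000' height='1000'></iframe>"
    '<img src="http://127.0.0.1:5000/admin" alt="probe">'
    '<img src="https://example.com/logo.png" alt="ok" onerror="alert(1)">'
    '<a href="/admin">rel</a>'
    "<p>1 &lt; 2</p>"
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_HTML)
    print(clean)
    for tag, reason in dropped:
        print(f"dropped <{tag}>: {reason}")
```

The `dropped` list is worth shipping to the application log: a user whose document contained an iframe pointing at 127.0.0.1 is a detection signal, not just a sanitisation event. Note that the DNS-name branch of `is_internal_url` deliberately returns "external"; a hostname that resolves to a loopback or private address (or re-resolves to one on the renderer's second lookup) still gets through, which is why the sanitiser is a second layer behind network isolation of the renderer rather than a replacement for it.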