Mythic PDF Forge

Description

We as developers love Markdown but our non-dev friends don't. Convert your Markdown to PDF and send it to them easily :)

To access the challenge, click on the following link: http://challenges.hackrocks.com:33333/

Analysis

We are given an application that converts Markdown to PDF, so let's start by injecting script tags and see whether they run in the renderer.

[Screenshot: mystic-pdf-forge-1]

Generated PDF content:

[Screenshot: mystic-pdf-forge-2]

Nice, there's no sanitization of the Markdown, so any raw HTML we submit is rendered as-is. HackTricks has a useful page on exactly this situation: Server Side XSS (Dynamic PDF).

I used the discovery payload <script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script> to see what files are there.

[Screenshot: mystic-pdf-forge-3]
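The defensive counterpart to the finding above, as an added example that is not code from the writeup, the challenge, or md-to-pdf: a conservative input gate a Markdown-to-PDF service could run before conversion. It goes slightly beyond the writeup by also flagging file:// and loopback URLs, which the headless renderer would otherwise fetch; all function names and sample submissions are constructed.

```javascript
// Added example (not from the writeup or md-to-pdf): a pre-conversion gate.
// It deliberately does not try to sanitize HTML (regex sanitizers are
// routinely bypassed); it rejects anything that looks like raw HTML or a URL
// the renderer must never fetch, and reports which rules fired for logging.
const RULES = [
  // "<" followed by a tag name, "/", "!" or "?" is treated as raw HTML;
  // Markdown that only uses "<" as a comparison ("1 < 2") still passes.
  { id: 'raw-html', re: /<\s*[A-Za-z!?\/]/ },
  // file:// URLs would let the renderer read files from the server's disk.
  { id: 'file-url', re: /\bfile:\/\//i },
  // javascript: URLs run in the rendering browser like an inline script.
  { id: 'javascript-url', re: /\bjavascript:/i },
  // Loopback targets: images and links are fetched by the renderer (SSRF).
  { id: 'loopback-url', re: /https?:\/\/(localhost|127\.[0-9.]+|0\.0\.0\.0|\[::1\])/i },
];

// Returns { allowed, reasons }; reasons lists each rule that fired and where.
function gateMarkdown(md) {
  const reasons = [];
  for (const rule of RULES) {
    const m = rule.re.exec(md);
    if (m) reasons.push(`${rule.id}@${m.index}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Counts how often each rule fires across a batch of submissions, the kind
// of figure you would chart from the service's request log.
function tallyRules(submissions) {
  const counts = {};
  for (const md of submissions) {
    for (const r of gateMarkdown(md).reasons) {
      const id = r.split('@')[0];
      counts[id] = (counts[id] || 0) + 1;
    }
  }
  return counts;
}

// Constructed sample submissions: the second is the writeup's discovery
// payload, the others are hypothetical.
const SAMPLES = [
  '# Report\n\nPlain *markdown*, 1 < 2 and `a > b` stay allowed.',
  '<script>document.write(\'<iframe src="\'+window.location.href+\'"></iframe>\')</script>',
  '![x](file:///tmp/constructed-example.txt)',
  '[health](http://127.0.0.1:3000/status)',
];

for (const md of SAMPLES) console.log(JSON.stringify(gateMarkdown(md)));
console.log(tallyRules(SAMPLES));
```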

We don't get a directory listing, so let's guess: by convention the main application file is named index.js or app.js.

0w0

[Screenshot: mystic-pdf-forge-4]

We identified that md-to-pdf is being used, and a quick Google search shows a known RCE vulnerability. Let's not jump straight to the exploit; first let's find the package versions. Node projects list their dependency versions in package.json.

[Screenshot: mystic-pdf-forge-5]

We are good to proceed. Let's get a shell! 0w0

Solution

Simple:

Fun! (Idk, I just wanted to try getting a shell from the remote machine to my local one, ~~real-life scenario?)

We need 2 things:

  1. Listener - a simple netcat listener will do.

  2. Server - to let the challenge server connect to us. netcat only opens a port locally; we need one reachable from the internet, and ngrok can do that for us.

[Screenshot: mystic-pdf-forge-6]

Create the reverse shell. I generated it using revshells. (I couldn't make the sh shell work, so I ended up with the netcat shell payload.)

The server hangs and boom, we get a shell. Pretty cool for a first-time experience.
