TryHackMe: MD2PDF write-up

In this article we are going to explore the solution to TryHackMe’s MD2PDF and exploit a Markdown converter.

Link: https://tryhackme.com/room/md2pdf

Difficulty: Easy

Enumeration

To begin the enumeration process, I launched an Nmap scan, which revealed that the target machine is running three services: a standard HTTP server on port 80, an SSH server, and another HTTP server on port 5000. Additionally, the machine appears to be running some version of Ubuntu Server.

Next, I performed a Gobuster scan against both web servers, which revealed a hidden directory named “/admin” for both web services, piquing my interest.

Moving forward, I decided to explore the web applications presented to me. Both looked very similar, featuring a text box where Markdown could be entered, and a button to convert the Markdown to a PDF document.

I tried the application running on port 80 and was able to successfully generate a PDF containing my entered Markdown. However, the other application seemed to be malfunctioning as clicking the Convert button did not produce any output.

For the time being, I focused on the application running on port 80. My next course of action was to enter some HTML into the textbox to determine whether or not it would render. As expected, the HTML was rendered successfully.

The /admin directory for both applications displayed a “Forbidden” error:

Forbidden

This page can only be seen internally (localhost:5000)

Exploit

Since we already knew that the PDF document could render HTML, I had an idea to try and get a sneak peek of what the /admin directory looks like. I thought maybe embedding it into an iframe could do the trick:

<iframe src="http://localhost/admin" width="800" height="800"></iframe>

Hm, that did not work. Maybe we can view the /admin directory on the other port?

<iframe src="http://localhost:5000/admin" width="800" height="800"></iframe>

That does the trick and we are rewarded with the flag.
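A defensive counterpart to the iframe request above, as an added example that is not part of the original write-up or the room's application: a pre-render check a Markdown-to-PDF converter could run to reject embedded URLs that point at internal hosts. The function names and the sample input are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make an HTML-to-PDF renderer fetch a URL server-side.
URL_ATTRS = {"src", "href", "data", "poster"}

def is_internal(url: str) -> bool:
    """True if the URL's host is loopback, private or link-local."""
    host = urlsplit(url).hostname
    if host is None:
        return False  # relative reference, no host of its own
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: this static check cannot know what it resolves to,
        # so the renderer's outbound traffic must also be filtered.
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

class _UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, name, value))

def internal_references(markdown_text: str):
    """Return (tag, attr, url) for every embedded URL targeting an internal host."""
    collector = _UrlCollector()
    collector.feed(markdown_text)
    collector.close()
    return [ref for ref in collector.found if is_internal(ref[2])]

# Constructed sample input: Markdown with raw HTML, as submitted to a converter.
SAMPLE = """# Report
<iframe src="http://localhost:5000/admin" width="800" height="800"></iframe>
<img src="https://example.com/logo.png">
<iframe src="http://127.0.0.1/admin"></iframe>
"""

if __name__ == "__main__":
    for tag, attr, url in internal_references(SAMPLE):
        print(f"blocked <{tag} {attr}={url!r}>")
```

A check like this only complements the real fix: the /admin page should require authentication rather than trusting that a request arrived from localhost, because the converter itself runs on that host.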
