TryHackMe: MD2PDF write-up
In this article we are going to explore the solution to TryHackMe’s MD2PDF and exploit a Markdown converter.
Link: https://tryhackme.com/room/md2pdf
Difficulty: Easy
Enumeration
To begin the enumeration process, I launched an Nmap scan, which revealed that the target machine is running three services: a standard HTTP server on port 80, an SSH server, and another HTTP server on port 5000. Additionally, the machine appears to be running some version of Ubuntu Server.
Next, I performed a Gobuster scan against both web servers, which revealed a hidden directory named “/admin” for both web services, piquing my interest.
Moving forward, I decided to explore the web applications presented to me. Both looked very similar, featuring a text box where Markdown could be entered, and a button to convert the Markdown to a PDF document.
I tried the application running on port 80 and was able to successfully generate a PDF containing my entered Markdown. However, the other application seemed to be malfunctioning as clicking the Convert button did not produce any output.
For the time being, I focused on the application running on port 80. My next course of action was to enter some HTML into the textbox to determine whether or not it would render. As expected, the HTML was rendered successfully.
The /admin directory for both applications displayed a “Forbidden” error:
Forbidden
This page can only be seen internally (localhost:5000)
Exploit
Since we already knew that the PDF document could render HTML, I had an idea to try and get a sneak peek of what the /admin directory looks like. I thought maybe embedding it into an iframe could do the trick:
<iframe src="http://localhost/admin" width="800" height="800"></iframe>
That did not work, however. Maybe we can view the /admin directory on the other port?
<iframe src="http://localhost:5000/admin" width="800" height="800"></iframe>
That does the trick and we are rewarded with the flag.
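The converter fetched a loopback URL on the user's behalf, which is what let the iframe reach the internal-only /admin page. The following is an added example, not code from the room or from the original write-up, showing a pre-render check a converter could run on the generated HTML. It goes beyond the iframe case to other tags that trigger a fetch; the names `FETCHING`, `is_internal`, `FetchFinder` and `blocked_fetches` are hypothetical.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute makes an HTML-to-PDF renderer fetch a URL server-side.
FETCHING = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
            "embed": "src", "object": "data", "link": "href"}
# Sample input: the iframe payload quoted in the write-up above.
PAYLOAD = '<iframe src="http://localhost:5000/admin" width="800" height="800"></iframe>'


def resolve(host):  # default resolver: every address the name maps to
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(url, resolver=resolve):
    """True if the converter must refuse to fetch this URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True  # file:, relative paths, etc. are refused outright
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:  # a host name, not an IP literal
        try:
            addrs = resolver(parts.hostname)
        except OSError:
            return True  # unresolvable: fail closed
    # Loopback, private, link-local and reserved ranges are all non-global.
    return any(not ipaddress.ip_address(a.split("%")[0]).is_global
               for a in addrs)


class FetchFinder(HTMLParser):
    def __init__(self, resolver):
        super().__init__()
        self.resolver, self.blocked = resolver, []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING.get(tag)
        for name, value in attrs:
            if name == wanted and value and is_internal(value, self.resolver):
                self.blocked.append((tag, value))


def blocked_fetches(html, resolver=resolve):
    """Scan converter input; return every fetch that must be rejected."""
    finder = FetchFinder(resolver)
    finder.feed(html)
    return finder.blocked
```

A check on the HTML alone does not cover redirects or a name that resolves differently at fetch time, so the renderer should also be denied network access to loopback and internal ranges. The /admin page itself should require authentication rather than trust the request's source address.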