CSRv2022 - PDFCARNAGE

TLDR: SSRF in dynamic pdf creator

Writeup:

== Information Presented ==

Our intern created this PDF generator. It's not 100% secure yet, but there's nothing valuable on this host anyway.
Website:   http://pdfcarnage.rumble.host/


website

== What is this Website about? ==

The content of the Website looks rather simple and so is its purpose. You can submit a query and it redirects you to a pdf where the input and the user-agent of the browser is reflected.


website

We can download the pdf and check if anything seems odd. What about strings? Hidden Text or anything else?
But after a while I came to the conclusion that this will not lead to anything useful.

Except the creator of the pdf. This might give a hint about the program running in the background. I checked this by opening dev tools in the browser and inspecting the console:


website

wkhtmltopdf? Never heared of it. Searching github I found its repository:   https://github.com/wkhtmltopdf/wkhtmltopdf

Checked the version for vulnerabilitys and took a look at some security reports where I found a link to an interesting Blogpost about XSS that could lead to SSRF and further exploitation.   https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently

Yeah, dont want to read everything in detail now, I wanna try this by myself...



== Where is the vulnerabilitys? What about the promised XSS? ==

So first lets put in a basic XSS command to check wether this is a thing or not. <script>document.alert(1)</script>


website

Not so cool...
After trying several different methods to gain xss I realized that this is not gonna happen and my input will always be detected as dangerous, no workaround for the filter...

But my input isnt the only thing that gets reflected in the pdf, so what about the user agent?
Setting my user-agent to:    <img src="https://i1.sndcdn.com/artworks-000599808744-91k9x2-t500x500.jpg">Worked!


website


== External Pictures are good. Internal files are better ==

So far so good, but imbedding pictures wont help to crush this challenge. What about webhooks? Works, but wont get us further either...
What about internal files? Trying a few scripts I came up with:
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>


website

There were a few files accesible, but not all of them were interesting or usefull for this challenge
But lets take a look at /etc/hosts


website


== Run for the flag ==

Two private network addresses, one for the flask application and one for an nodeApi?
Can we access these somehow within the pdf creation? So, flask usually runs on port 5000, lets check!
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","http://pdf-carnage-flask:5000/"); x.send(); </script>


This will create an pdf, however its empty. So the port seems to be the right one, but no more information besides that. Tinkering with that for a while I found nothing...
So I took a closer look at the api, accessable on http://nodeapi:3000 within the payload.


website

Yeah, no shit Sherlock, I already knew you were the API.
Okay lets check some endpoints here. Maybe /flag?    ... Unfortunately not.
So there are two options now to solve the challenge:
The real Problem at the end was that requesting a PDF had a limitation of 15 requests per minute. Maybe this writeup reads like "I know about dynamic pdf XSS, let me grab the flag real quick", but it was not. Finding out LFI works was a matter of under 30min. Finding the flag? Whole different story.
Time ran out, and either you were lucky enough to check for http://nodeapi:3000/sitemap.xml or u were super lucky enough to check directly for http://nodeapi:3000/api/flag



website

Thoughts:

The challenge was overall pretty cool. Fuzzing limitaiton was pain in the ass


Post By : Layton


About Myself

#

Layton

Comming Soon I guess
Just a S0l0N00b crushing some easy WebChallenges