aszx87410 / ctf-writeups

ctf writeups

TrollCAT CTF 2021 - PDF Generator #12

Open aszx87410 opened 3 years ago

aszx87410 commented 3 years ago

Recently Elliot got a job as a web developer. He got a project to create a website that converts a webpage into a PDF, but he doesn't know about web app security, and somehow hackers got access to admin panel content running locally. As a pentester, we need to find the flaw in the app to see the admin panel.

It's a web page which converts a provided domain to a PDF file:

Screenshot 2021-02-07 11:52:14 AM

According to the description it looks like SSRF: we need to access an admin panel which is running locally, so I guess it's http://localhost or other common ports.

I tried:

  1. http://localhost
  2. http://0.0.0.0

and it returns Not that Easy; it seems it blocks access to local IP addresses.

Then I tried a server-side redirect; it fails as well, with the message URL Redirecting is not Working!!

How about a client-side redirect? We can host the HTML file locally and use ngrok to generate a domain.

<script>window.location = 'https://google.com?q=123'</script>

Unfortunately it doesn't work either.

How about... an iframe inside a valid domain? Just like above, but the HTML content is an iframe:

<iframe width="800" height="800" src="http://localhost"></iframe>

Boom! It works!

Screenshot 2021-02-07 11:59:16 AM

We can get the flag from iframe content.

Additional note

The author of this challenge published the official writeup: PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup, and the expected solution is DNS rebinding (useful link).
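Added example (not from this writeup and not the challenge's own code, whose server source is not published here): a small Python model of the generator's behaviour as observed above, with a constructed fake DNS resolver and a constructed fake network, so the three observed responses, the iframe bypass and the DNS rebinding route the author mentions can all be reproduced offline. The hosts (attacker.example, rebind.attacker.example), the address 1.2.3.4, the flag text and the hardened variant are all assumptions made for the example.

```python
"""Constructed model of the PDF generator's URL check and why both bypasses work.

Not the challenge's code: it reproduces the behaviour observed in the writeup
with a fake resolver and a fake network, plus a hardened variant for comparison.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed network: what each IP address serves, keyed by path.
# 1.2.3.4 stands in for the attacker's public host (the ngrok domain above).
SERVERS = {
    "127.0.0.1": {"/": (200, "FLAG{constructed-admin-panel}")},
    "1.2.3.4": {
        "/": (200, '<iframe width="800" height="800" src="http://localhost/"></iframe>'),
        "/redir": (302, "http://localhost/"),
    },
}


class FakeResolver:
    """Constructed DNS. A name maps to its answers in order; the last one repeats.
    rebind.attacker.example answers 1.2.3.4 once, then 127.0.0.1 forever."""

    def __init__(self):
        self.answers = {
            "localhost": ["127.0.0.1"],
            "attacker.example": ["1.2.3.4"],
            "rebind.attacker.example": ["1.2.3.4", "127.0.0.1"],
        }

    def resolve(self, host):
        q = self.answers[host]
        return q.pop(0) if len(q) > 1 else q[0]


def is_internal(ip):
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local or a.is_unspecified


def fetch_from(ip, url):
    """Connect to a specific IP and request the URL's path; unknown -> 404."""
    path = urlparse(url).path or "/"
    return SERVERS.get(ip, {}).get(path, (404, ""))


class IframeSources(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs += [v for k, v in attrs if k == "src" and v]


def iframe_sources(html):
    p = IframeSources()
    p.feed(html)
    return p.srcs


def naive_generator(url, resolver):
    """The behaviour seen in the challenge: check the top-level host once, refuse
    redirects, then render whatever the page embeds with no further checks."""
    host = urlparse(url).hostname
    if is_internal(resolver.resolve(host)):                 # lookup 1: the check
        return "Not that Easy"
    status, body = fetch_from(resolver.resolve(host), url)  # lookup 2: the fetch
    if status == 302:
        return "URL Redirecting is not Working!!"
    parts = [body]
    for src in iframe_sources(body):                        # sub-resources: never checked
        s, b = fetch_from(resolver.resolve(urlparse(src).hostname), src)
        if s == 200:
            parts.append(b)
    return "\n".join(parts)


def hardened_generator(url, resolver, depth=0):
    """Resolve once, check that answer, connect to that pinned IP (no second
    lookup, so a rebinding name cannot swap it), and apply the same rule to
    every embedded resource, recursively."""
    host = urlparse(url).hostname
    ip = resolver.resolve(host)
    if is_internal(ip):
        return "Blocked"
    status, body = fetch_from(ip, url)
    if status != 200:                                       # redirects included
        return "Blocked"
    parts = [body]
    if depth < 3:
        for src in iframe_sources(body):
            parts.append(hardened_generator(src, resolver, depth + 1))
    return "\n".join(parts)
```

The naive version fails in two distinct ways: the iframe is fetched by the renderer without ever passing through the host check, and the top-level host is resolved twice, so a name whose second answer is 127.0.0.1 passes the check and then connects to loopback. In the model the hardened variant closes both by checking every fetch and connecting to the address it checked. A real headless browser cannot be pinned to an IP this simply, so in practice the equivalent is an egress proxy in front of the renderer that applies the same check to every outbound connection.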

Steiner-254 commented 1 year ago

Interesting <3