aszx87410 / ctf-writeups

ctf writeups
62 stars 9 forks source link

TrollCAT CTF 2021 - PDF Generator #12

Open aszx87410 opened 3 years ago

aszx87410 commented 3 years ago

Recently Elliot got a job as a web developer. He got a project to create a website that converts webpage into pdf but he don't know about the web app security and somehow hackers got access to admin panel content running locally. As a pentester, we need to find the flaw in the app to see admin panel.

It's a web page which can convert provided domain to pdf file:

螢幕快照 2021-02-07 上午11 52 14

According to the description it looks like SSRF, we need to access admin panel which running locally, so I guess it's http://localhost or other common ports.

I tried:

  1. http://localhost
  2. http://0.0.0.0

and it returns Not that Easy, it seems it blocks accessing local ip address.

Then I tried server side redirect it fails as well with message URL Redirecting is not Working!!

How about client redirect? We can host the html file locally and use ngrok to generate a domain.

<script>window.location = 'https://google.com?q=123'</script>

Unfortunately it doesn't work as well.

How about... iframe inside valid domain? Just like above but the html content is an iframe:

<iframe width="800" height="800" src="http://localhost"></iframe>

boom! it works!

螢幕快照 2021-02-07 上午11 59 16

We can get the flag from iframe content.

Additional note

The author of this chall published the official writeup: PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup and the expected solution is DNS rebinding (useful link).

Steiner-254 commented 1 year ago

Interesting <3