aszx87410 / ctf-writeups

ctf writeups


TrollCAT CTF 2021 - PDF Generator

aszx87410 opened this issue · comments


Recently Elliot got a job as a web developer. He got a project to create a website that converts a webpage into a PDF, but he doesn't know about web app security, and somehow hackers got access to the admin panel content running locally. As a pentester, we need to find the flaw in the app to see the admin panel.

It's a web page which converts a provided domain into a PDF file:

(screenshot: 2021-02-07 11:52:14, the PDF generator form)

According to the description it looks like SSRF: we need to access an admin panel which is running locally, so I guess it's http://localhost or one of the other common local addresses and ports.

I tried:

  1. http://localhost
  2. http://0.0.0.0

and it returns Not that Easy, so it seems the app blocks access to local IP addresses.

Then I tried a server-side redirect. It fails as well, with the message URL Redirecting is not Working!!

How about a client-side redirect? We can host the HTML file locally and use ngrok to expose it under a public domain.

<script>window.location = 'https://google.com?q=123'</script>

Unfortunately, it doesn't work either.

How about... an iframe inside a valid domain? Same setup as above, but the HTML content is an iframe:

<iframe width="800" height="800" src="http://localhost"></iframe>

boom! it works!

(screenshot: 2021-02-07 11:59:16, the generated PDF showing the admin panel inside the iframe)

We can get the flag from the iframe content.
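The bypass works because the app only validates the address the user typed, while the headless browser then fetches whatever the page embeds. As an added defender-side example (not the challenge's or the author's code), here is a filter that applies the same address check to every request the renderer issues, including iframes, images and followed redirects; hostname resolution is assumed to be done by the caller, and all sample URLs and addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges the renderer must never reach (loopback, RFC 1918,
# link-local, "this host", and their IPv6 counterparts).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address falls in an internal range."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED)


def check_request(url, resolved_ips):
    """Return None if the request may proceed, else the reason it is refused.

    resolved_ips: the addresses the hostname resolved to (or the literal IP).
    To resist DNS rebinding, the caller must connect to exactly these
    addresses rather than resolving the name a second time.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme"
    if not parts.hostname:
        return "no host"
    if not resolved_ips:
        return "unresolved"
    for ip in resolved_ips:
        if is_blocked_ip(ip):
            return f"internal address {ip}"
    return None


def render_allowed(requests):
    """requests: (url, resolved_ips) for the top-level page AND every
    subresource, iframe or redirect target the browser would fetch.
    Returns (ok, first_blocked) so the renderer can abort the whole job."""
    for url, ips in requests:
        reason = check_request(url, ips)
        if reason:
            return False, (url, reason)
    return True, None
```

Hooking check_request into the browser's request interception (rather than only the form handler) is what closes the iframe path shown above.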

Additional note

The author of this challenge published the official writeup: PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup. The expected solution is DNS rebinding (useful link).

Interesting <3