Recently Elliot got a job as a web developer. He got a project to create a website that converts webpage into pdf but he don't know about the web app security and somehow hackers got access to admin panel content running locally. As a pentester, we need to find the flaw in the app to see admin panel.

It's a web page which can convert provided domain to pdf file:

According to the description it looks like SSRF, we need to access admin panel which running locally, so I guess it's http://localhost or other common ports.

I tried:

1. http://localhost
2. http://0.0.0.0

and it returns Not that Easy, it seems it blocks accessing local ip address.

Then I tried server side redirect it fails as well with message URL Redirecting is not Working!!

How about client redirect? We can host the html file locally and use ngrok to generate a domain.

<script>window.location = 'https://google.com?q=123'</script>

Unfortunately it doesn't work as well.

How about... iframe inside valid domain? Just like above but the html content is an iframe:

<iframe width="800" height="800" src="http://localhost"></iframe>

boom! it works!

We can get the flag from iframe content.

Additional note

The author of this chall published the official writeup: PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup and the expected solution is DNS rebinding (useful link).

Interesting <3