Tags: local_file_inclusion rce
Rating:
At the start we are presented with a form containing 2 things: a text area (with some example in it) and a submit button.
![](https://i.imgur.com/CdYaDAG.png)
When we submit the form we get back a PDF file with the content of the textarea rendered as HTML. If we download this file we can check what was used for generating it, and we will see that it was [wkhtmltopdf](https://wkhtmltopdf.org/) 0.12.4.
![](https://i.imgur.com/aWfD6Fp.png)
After that we can do a quick search for `wkhtmltopdf 0.12.4 exploit` and we will quickly [find](http://hassankhanyusufzai.com/SSRF-to-LFI/) this article about a local file read vulnerability. We can now write a simple request to try reading the `passwd` & `shadow` file:
![](https://i.imgur.com/g6iS2JX.png)
In both cases we will presented with a pdf that contains the content of those files. Once we have those we can unshadow them and use [john](https://www.openwall.com/john/) to try and crack the password.
![](https://i.imgur.com/CMH8g1N.png)
With that we can head to the login page, enter the username & password and get the flag.