TryHackMe - MD2PDF

Hello Hacker! TopTierConversions LTD is proud to announce its latest and greatest product launch 'MD2PDF'. This easy-to-use utility converts markdown files to PDF and is totally secure! Right...?

TryHackMe room link: https://tryhackme.com/room/md2pdf

Reconnaissance

First, recon the website and look at which ports are open. I can see there are three open ports. [Image: recon]

Check every port, and we can see that both port 80 and port 5000 look the same.

Directory Fuzzing

Let's fuzz the website. [Image: dirbuster] Looks like we got some hidden info. Let's access it. It says only localhost can access it. [Image: admin portal]

Verdict

So we can't access the localhost. Let's try some other way. After some research, I have found an article here. So, basically, I need to do SSRF.

Approach

I have tried some basic ways like the img tag, but they failed, then tried XSS with JavaScript, but that could not work. Finally, I tried the <iframe> tag and it worked. [Images: injection, flag]

Conclusion

When a service is developed, it needs to sanitize user inputs; otherwise a simple injection can break the system.
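One way to do the input check the conclusion calls for, as an added example that is not from the original post or the room's application: refuse Markdown that carries raw resource-loading HTML (the `<iframe>` case above) or an inline image whose host is not on an allowlist, before it reaches the PDF renderer. The names `ACTIVE_TAGS`, `ALLOWED_IMAGE_HOSTS`, `audit_markdown` and the host `static.example.com` are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Raw HTML elements that make a server-side renderer fetch or execute content.
ACTIVE_TAGS = {"iframe", "frame", "img", "script", "object", "embed", "link",
               "meta", "base", "video", "audio", "source", "svg", "style"}
# Hypothetical allowlist: the only hosts the converter may load images from.
ALLOWED_IMAGE_HOSTS = {"static.example.com"}
# Inline Markdown images only: ![alt](url). Reference-style images are not covered.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)")


class _ActiveTagFinder(HTMLParser):
    """Records every raw HTML start tag that appears in ACTIVE_TAGS."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.found.append(f"raw <{tag}> tag")


def image_allowed(url):
    """Allow only https URLs whose host is on the allowlist; fail closed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS


def audit_markdown(text):
    """Return reasons to refuse the document; an empty list means render it."""
    finder = _ActiveTagFinder()
    finder.feed(text)
    finder.close()
    findings = list(finder.found)
    for url in MD_IMAGE.findall(text):
        if not image_allowed(url):
            findings.append(f"image URL not on allowlist: {url}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: the path is a placeholder, not taken from the room.
    sample = '# Notes\n\n<iframe src="http://localhost:5000/placeholder"></iframe>\n'
    print(audit_markdown(sample))
```

The check is deliberately conservative: a tag shown inside a code fence is also refused, which is the safer failure for a converter that fetches whatever its input names.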

This post is licensed under CC BY 4.0 by the author.