MD2PDF is a "5 minute hack" challenge at TryHackMe. This means we only need to solve one or two riddles to complete the room, and it should not take more than 3 hours 😅

Introduction

The room provides the following description to the task:

TopTierConversions LTD is proud to announce its latest and greatest product launch: MD2PDF. This easy-to-use utility converts markdown files to PDF and is totally secure! Right…?

According to this, we have to find a vulnerability in a custom application.

Enumeration

Not much initial information is provided, so first I ran an nmap scan:

nmap 10.113.136.129

This revealed the following results:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5000/tcp open  upnp

After this I ran a more detailed scan on these ports:

nmap -sC -A -p 22,80,5000 10.113.136.129

This shows that a web service is running on port 5000, just like on port 80. I used my web browser to visit the website at http://10.113.136.129/. It contains a big textbox where we can write markdown code:

[Screenshot: Main interface of MD2PDF]

If we click on the Convert to PDF button, it generates a PDF and applies markdown formatting:

This works well! If we examine the source code of the website, we can see that the content of the big textbox is sent to the server's convert endpoint, and the conversion happens there:

(...)
$("#convert").click(function () {
  // Collect the editor content as multipart form data
  const data = new FormData()
  data.append("md", editor.getValue())
  $("#progress").show()

  // POST the raw markdown to the server-side converter
  fetch("/convert", {
    method: "POST",
    body: data,
  }
(...)

We can also check the website on port 5000, which is similar to the original, but without styling:

[Screenshot: Web interface on port 5000]

The conversion function doesn't work there either. Another thing I tried was searching for web directories using gobuster:

gobuster dir -u http://10.113.136.129/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64

This gave an interesting result:

/admin                (Status: 403) [Size: 166]
/convert              (Status: 405) [Size: 178]

Running the same enumeration against the website on port 5000 gives the same result. The convert endpoint is used to perform the conversion, and it returns code 405 because it only accepts POST requests. The admin site, however, is interesting to look at. When we try to visit it, it shows the following message:

[Screenshot: "Access denied" message at the admin site]
This page can only be seen internally (localhost:5000)

Based on this, there is a high chance that the target is the admin endpoint, and if we can get it displayed, we can get the flag.

Exploiting the converter application

I didn't find the solution immediately. I made a couple of attempts before finding it:

  • I tried to view the source code of the website, but I didn't find any helpful comments.
  • I reviewed the JS files, but I didn't find a vulnerability in them.
  • I found out that the website uses jquery-3.3.1 and tried to find exploits for it. I found this exploit, which uses an XSS vulnerability. If I run it in the Console of the Firefox developer tools, it works, but it doesn't help to get the contents of the admin site.

Luckily for me, I recently started using Markdown to create notes during my learning and challenges at TryHackMe, so I learned a thing or two about the language. It occurred to me that Markdown syntax can be used to embed images, other Markdown files, and even websites in a document. So if I could find the syntax to embed a website, I could read the flag by using it.

It took me a couple of attempts, but after I searched for "markdown embed webpage" on Google, I found a site that describes how to embed webpages. It describes the iframe HTML tag, which can be used for exactly this (Markdown also supports HTML elements for formatting). So if we want to see the admin endpoint on localhost:5000, we can embed it in the document using this line:

<iframe src="http://localhost:5000/admin"></iframe>

Because the conversion happens on the server, the embedded page is requested by the server itself, from where localhost:5000 is reachable, so it can be embedded. I wrote this expression in the textbox and requested the conversion:

[Screenshot: Using the iframe element in the Markdown code]

And the application created the PDF with the admin site embedded:

[Screenshot: Converted document with the admin site inside, and the flag on it]

And this contains the flag we were looking for!

This wouldn't give us admin access to the website, but its content is enough for this task. This was an exciting challenge, even if it took me more than 5 minutes. The key to solving it was knowing how Markdown works, which can only be learned by writing documents with it. This is also an advantage of precise note-taking and documentation: if we have experience with it, we can use it to our advantage in quite a unique way ☺️
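From the defender's side, the root cause is that the converter passes raw HTML from the Markdown straight to a server-side renderer that fetches whatever it is told to. The following is an added example (not MD2PDF's code; the policy, tag list and function names are my own assumptions) of a sanitizer that runs on the renderer's HTML output before the PDF engine loads it: it strips embedding elements, drops inline event handlers, rejects resource URLs pointing at loopback, private or link-local hosts, and records what it removed so the application can log or alert on attempts like the one above.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: drop elements that embed documents or run code; surviving src/href must be public http(s).
BLOCKED = {"iframe", "frame", "object", "embed", "script"}
URL_ATTRS = {"src", "href"}

def is_safe_url(url):
    p = urlsplit(url.strip())
    if p.scheme not in ("http", "https") or not p.hostname or p.hostname.rsplit(".", 1)[-1] == "localhost":
        return False
    try:
        return ipaddress.ip_address(p.hostname).is_global  # rejects 127.0.0.1, 10/8, 169.254/16, ::1, ...
    except ValueError:  # a hostname: resolve and re-check at fetch time (DNS rebinding),
        return True     # and give the renderer no network route to internal services

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self.skipping = [], [], []
    def handle_starttag(self, tag, attrs):
        if self.skipping:  # inside a blocked element: discard everything
            return
        if tag in BLOCKED:
            self.dropped.append((tag, "blocked tag"))
            self.skipping.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and not is_safe_url(value or "")):
                self.dropped.append((tag, f"attribute {name}={value!r}"))
            else:
                kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if not self.skipping:
            self.out.append(f"</{tag}>")
        elif self.skipping[-1] == tag:
            self.skipping.pop()
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html):  # run on the renderer's HTML before the PDF engine loads it
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out), s.dropped
```

The returned dropped list is the detection hook: a conversion that drops an iframe pointing at localhost is exactly the request worth alerting on. Sanitizing alone is not enough against hostnames that resolve to internal addresses, so the PDF renderer should also run with no network route to internal services.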

Summary

I took the following steps to solve the challenge:

  1. Discovery of the converter application using nmap and Firefox.
  2. Finding the admin site with gobuster.
  3. Understanding that the admin site can only be accessed from the server where the conversion runs.
  4. Finding a way to embed webpages in Markdown documents.
  5. Claiming the flag by creating a Markdown document with the admin page embedded.

Finally coming to the conclusion that MD2PDF is totally secure! Almost…