Introduction
TryHackMe’s MD2PDF room puts players in the position of discovering and exploiting vulnerabilities in the MD2PDF web application in order to gain unauthorized access to the system. Elevating privileges and capturing the flag are the ultimate objectives, as they demonstrate a thorough understanding of attack paths and mitigation techniques.
Scanning
Running Nmap with default script scanning (-sC) and version detection (-sV) gives a comprehensive picture of the target: which ports are open, which services and versions are listening on them, and any potential weaknesses the default NSE scripts pick up. It is the usual starting point for initial reconnaissance and vulnerability assessment during a penetration test, providing detailed and valuable insight quickly.
nmap -sC -sV 10.10.26.18
Service Enumeration
The scan reports RTSP (Real-Time Streaming Protocol) running on both port 80 and port 5000. SSH is also open on port 22, but it is of no use here; it exposes no information that can be leveraged for further exploitation. RTSP is a stateful protocol that maintains session state between client and server, allowing continuous, interactive control over a media stream and efficient real-time management of media sessions. It is essential for streaming applications that require precise control and feedback.
Directory Brute-Forcing
Let’s see whether any other directories are present; a Gobuster scan can find them. Gobuster is a popular command-line tool for brute-forcing directories and files on web servers. It is used primarily in web application penetration testing and vulnerability assessment, offering a reliable way to discover hidden directories and files, and it is efficient and widely adopted by security professionals. By running a Gobuster scan, we can enumerate paths that may lead to additional content or reveal vulnerabilities, supporting a thorough security analysis.
gobuster dir -u http://10.10.26.18 -w /home/kavin/Try\ hack\ me/SecLists-master/Discovery/Web-Content/big.txt
gobuster dir -u http://10.10.26.18/5000 -w /home/kavin/Try\ hack\ me/SecLists-master/Discovery/Web-Content/big.txt
Let’s try converting some text to PDF. The input can be arbitrary; if the application generates a PDF from it, we can analyze the output for vulnerabilities and potential exploits.
Here, the text we submitted is returned as a PDF file. The resulting document can now be examined for vulnerabilities, potential exploits, and other characteristics of the conversion process.
Metadata and File Analysis
We can find the details of the PDF using the pdfinfo tool, which reports information such as the owner, date, size, and version. Many other open-source tools, such as pdftotext, pdfimages, qpdf, and even exiftool, can be used as well. The owner here is wkhtmltopdf, an open-source command-line tool that converts HTML web pages or documents to PDF format.
Exploitation
Previously, we found that the application runs on localhost, port 5000, and we also discovered the directories /admin and /convert. Because wkhtmltopdf renders the submitted HTML on the server, an iframe pointing at that local address is fetched by the server itself and embedded in the output. So we write the following HTML and convert it to PDF.
<iframe src="http://localhost:5000"></iframe>
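The mitigation side of the same issue, as an added example that is not part of the room or the MD2PDF project: a pre-render guard that inspects the HTML destined for the converter (a /convert handler is assumed) and refuses markup that would make wkhtmltopdf fetch other resources, in particular anything targeting localhost or private address space. It goes slightly beyond the page by also refusing file:// targets, which HTML-to-PDF renderers will otherwise read from the server's disk.

```python
"""Pre-render guard for an HTML-to-PDF converter backed by wkhtmltopdf.

Added example, not the room's code. The renderer runs on the server, so any
tag that loads a URL (iframe, object, embed, script, link, img) is a request
made with the server's network position. The guard rejects those tags and
flags src/href/data attributes that point at loopback, private or file://
targets, returning a list of findings for the caller to log and act on.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

FETCHING_TAGS = {"iframe", "object", "embed", "script", "link", "img"}
URL_ATTRS = {"src", "href", "data"}
INTERNAL_HOSTS = {"localhost", "0.0.0.0"}


def is_internal_url(url):
    """True if the URL points at the server itself, a private range or a local file."""
    parsed = urlparse(url.strip())
    if parsed.scheme == "file":
        return True
    host = parsed.hostname
    if host is None:
        return False  # relative reference; no network target to check here
    if host.lower() in INTERNAL_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public hostname; DNS rebinding is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


class RenderGuard(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        if tag in FETCHING_TAGS:
            self.findings.append(f"blocked tag <{tag}>")
        for name, value in attrs:
            if name in URL_ATTRS and value and is_internal_url(value):
                self.findings.append(f"internal target in {name}: {value}")


def check_html(html):
    """Return the findings for a document; an empty list means it may be rendered."""
    guard = RenderGuard()
    guard.feed(html)
    guard.close()
    return guard.findings
```

In a /convert handler, a non-empty result should abort the conversion and be logged with the submitting client, since the payload itself is the indicator of an attempt.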
Conclusion
The rendered PDF contains the flag.
Flag
flag{1f4a2b6ffeaf4707c43885d704eaee4b}