MD2PDF
Code injection
tool used: Nmap
Scanning
I used nmap to scan the ip address and i found something interesting ‘rtsp’ which is Real-Time-Subscribe wire protocol.
Note to yourself. Always scan the url to make sure no hidden directories are created
1
2
3
4
5
6
7
8
#Gobuster Command:
nmap -sV [ip]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open rtsp
5000/tcp open rtsp
Getting the key
After spending hours trying to understand how code injection works, messing around with different codes and decoding the pdf response i gave up and looked at the guide. Turns out I missed the /admin page which has a message that only localhost:5000 can see it. Meaning that the page I am using to convert to pdf can see it so all i have to do is craft the ‘<iframe>’ that frames the localhost:5000/admin page/directory. With that I recieved the flag.