MD2PDF – Tryhackme Walkthrough CIF

MD2PDF is a beginner-level room on the TryHackMe platform that teaches users about web enumeration and exploitation techniques. The room is designed to help users familiarize themselves with the process of identifying and exploiting vulnerabilities in web applications.

The walkthrough begins by introducing users to the target website, which is a simple web application that allows users to upload Markdown files and convert them into PDFs (MD2PDF). Users are encouraged to conduct initial reconnaissance using tools such as Dirbuster and Gobuster to identify hidden directories and files on the target website.

The next step involves identifying vulnerabilities in the web application. The author of the room has intentionally left a few vulnerabilities for users to exploit. The first vulnerability is a file upload feature that allows users to upload arbitrary files to the server. Users can exploit this vulnerability by uploading a PHP web shell, which allows them to gain remote access to the server and execute arbitrary commands.

Once users have gained access to the server, the next step is to enumerate the file system and identify sensitive files such as configuration files and user credentials. In this room, users are asked to locate the database configuration file containing the database credentials in plain text by MD2PDF.

After obtaining the database credentials, users can access the MySQL database and extract the user credentials from the user’s table. The author has intentionally stored the passwords in plain text, allowing users to easily obtain them.

The final step involves using the obtained credentials to log in to the web application and gain access to the admin panel. Once users have access to the admin panel, they can upload a malicious Markdown file that contains a payload to execute arbitrary commands on the server. The payload can be in the form of a reverse shell that connects back to the user’s machine, allowing them to gain remote access to the server.

Overall, the MD2PDF room on TryHackMe is a great introduction to web application enumeration and exploitation techniques. The space covers a variety of concepts, including file upload vulnerabilities, SQL injection, and web shells. By following the walkthrough and completing the challenges, users can gain a solid understanding of the process of identifying and exploiting vulnerabilities in web applications.

MD2PDF Room Link

First, Login tryhackme and download the configuration file from the access page below in the More menu as shown in Figure 1.2 below:

If you have already installed OpenVPN on your computer, otherwise you can install it by typing the following command: (Linux user sudo)

apt install openvpn -y

Once you have installed OpenVPN on your computer, go to the directory of this configuration file and enter the following command as shown in Figure 1.3 below:

openvpn Filename.ovpn

It will start connecting and when the terminal shows you that the sequence is complete as shown in the message in Figure 1.4, it means that your VPN is connected to the TryHackMe network.

If OpenVPN will not connect you then the IP address will not work on your system. Will not come online.

First, we need to run a nmap scan to see which ports are open and which services are running on those ports.

Nmap (Network Mapper) is a free and open-source network discovery and security auditing tool.

nmap -p- 10.10.3.4

-p- : You can specify “-p-” to scan ports from 1 to 65535.

You can use various parameters to specify which services run on which ports. That’s entirely up to you.

When we access port 80 through the browser, we see a field where we can enter any input. I think this website converts the input to pdf format.

And when we access port 5000 through the browser we see a similar structure but it doesn’t work…

We can use Go Buster to explore the directories to know more about ports 80 and 5000. You can also use different tools like dir buster and dirb for this process. Your choice…

Gobuster is a tool used to brute force URIs including directories and files as well as DNS subdomains.

gobuster dir -u http://10.10.175.100 -w /usr/share/wordlists/dirb/common.txt

dir: Uses directory/file enumeration mode.

-u: We can use the “-u” option to specify the target domain or subdomain you want to dig into hidden directories and files.

-w: Path to the word list.

Looking at the results, we see that the admin directory exists for both. However, when we try to access it, we get an HTTP 403 Forbidden error.

HTTP 403 is an HTTP status code that means access to the requested resource is denied.

When we investigate the error, we realize that these pages are only accessible internally.

So far we have seen some mistakes and rest assured that these mistakes will make us achieve the result.

Now let’s go back and do some basic tests inside the input field. I think we can start by typing “Hello World!”.

Before we start testing, let me explain what HTML Injection is.

HTML Injection is an attack that is similar to Cross-site Scripting (XSS). While an XSS vulnerability allows an attacker to inject and execute Javascript code, an HTML injection attack allows only certain HTML tags to be injected. When the application does not properly process user-supplied data, an attacker can supply valid HTML, usually via a parameter value, and inject their own content into the page.

Let’s write some basic HTML code and see what happens as a result.

<h1>TryHackMe</h1> 
<a href="https://tryhackme.com">Click here!</a>

Yes, it worked. So what can we do next?

Remember the first bug we ran into? I have a feeling we’re thinking the same thing. Maybe we can get there via HTML. Let’s try it!

<iframe src="http://localhost:5000"></iframe>

An IFrame, also known as an Inline Frame, is an element that loads another HTML element inside a web page. They are commonly used to embed specific content such as external advertisements, videos, tags or other interactive elements on a page.

src: Specifies the address of the document to be inserted into the <iframe>.

Great! This way we can see what’s inside.

So we can apply the same logic to the admin directory. Are you as excited as I am? Uhhh.

<iframe src="http://localhost:5000/admin"></iframe>

Incredible! My friend, we did it. by MD2PDF

What is the flag?

• flag{1f4a2b******4eaee4b}

Congratulations, you found the flag! Say goodbye.

Disclaimer:

The information provided by me, MD2PDF, is for educational and informational purposes only. While I strive to provide accurate and up-to-date information, I make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability respect of the information, products, services, or related graphics contained in this communication for any purpose.