Official PDFy Discussion

I solved it using your comment, thx

Solved after weeks. For those who are struggling like I was:

  • Don’t give up. I hate to use the clichés, but it’s the journey and what you learn in the process that matters.
  • Embrace the opportunity to learn new things. You probably need it, like I needed it. I searched a lot about reverse proxies (which I actually didn’t use), learned a bit about nginx (also didn’t use), web requests, etc.
  • Listen to other fellows here: keep it simple.
  • I tried a lot with ngrok. Then it occurred to me to search for similar services that didn’t have the browser warning, and after a lot of tries I found one. If that’s your problem, happy hunting.

Hi,
the exploit is very straightforward using the information in this thread. The hardest part for me was exposing my local webserver to the internet. Ngrok is not working for me and I didn’t figure out how to go for TCP instead of HTTP. After some googling I found: https://serveo.net/. No install required, no confirmation pages that break this challenge.
Good luck!

Straightforward even though it’s blackbox.
What helped me was to use the tool locally and see how it behaves with various inputs, local/remote.

Try to find out what software it’s using, then try to find some known exploit PoCs for it on Google.

Tip: Use serveo to expose your webserver to the internet. Don’t waste your time with ngrok or anything similar as it requires you to download stuff and sign up for an account. Also with ngrok I’m pretty sure it has a warning on it or something like that which will stop the attack from working.

Do I need to set up a local PHP server as well? Or would just port forwarding via serveo.net be enough?

It wasn’t too easy since I was following the wrong path; it was easier when I found a better way than ngrok.
Thank you Serveo!
If you need any hints, don’t hesitate to DM me!

Same here, any clue you can help me with?

Are you using the free plan of ngrok? I have a working payload, but I can’t find any working free virtual server service. The free plan doesn’t work for me because of the default landing page. Because of that page the payload doesn’t work either.

But how do I use that address in the payload? I tried, but I got the error: “Malformed HTTP Request”. It looks like: tcp://0…

Hello,
really sorry, I did this challenge a few months ago. As I remember, you should specify tcp and not http for the request on port 443.

For example, I got this address: tcp://0.tcp.ngrok.io:17290 and it doesn’t work; the error: “Malformed HTTP Request”

Serveo is down now.

Use the npm package to expose your localhost; it’s easy to use:

npm install -g localtunnel

What is straightforward about this?
I tried the SSRF PoC but it won’t create the PHP thingy; it gives -bash: syntax error near unexpected token `(’
So what are you supposed to do with the PHP code??

It doesn’t seem to be possible to get it to print /etc/passwd through a screenshot of a PDF file… and why should it? That doesn’t make any sense… it has to somehow be able to fetch the text in the file and print it out through an HTML response somehow… any leads on that?

I’ve set up an Expose (alternative to ngrok) server and am forwarding a local PHP shell as per the supposed PoC. I can see the server hits through the Expose CLI and I am even getting code 302 on my local PHP server, again as per the PoC, but it has no data in its response… I know I can smell the answer right in front of me, but what’s missing?

aaaaand 30 minutes later: it was there all along… I just followed the PoC a little TOO closely when it didn’t apply 100% to this scenario. It was actually, like people said, a bit more straightforward than that. wink wink
It actually prints the contents of /etc/passwd on the page and then takes a PDF of that, so that makes sense after all I guess… woohoo, done with this finally.

(Also, the PHP shell has to have actual HTML code and point straight to the file without parameters.)
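The posts above describe the root cause from the attacker's side: the renderer follows a redirect from an external host to a local file and prints whatever it gets back. The check a URL-to-PDF service needs is a redirect-aware SSRF guard that validates every hop (scheme must be http(s), host must resolve to a public address) and pins the resolved IP so a later DNS rebinding cannot swap in an internal one. The following is an added defender-side example written for this thread, not code from the challenge or from any tool named here; the resolver, the fake site and the `fetch(url, ip)` client interface are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    """True only for addresses a renderer should be willing to contact."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(url: str, resolver=socket.gethostbyname):
    """Validate one hop: scheme must be http(s) and the host must resolve to a
    public address. Returns (ok, detail); detail is the pinned IP on success."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        ip = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not is_public_ip(ip):
        return False, f"{host} resolves to non-public address {ip}"
    return True, ip


def guarded_fetch(start_url, fetch, resolver=socket.gethostbyname, max_hops=5):
    """Follow redirects manually, re-validating every hop.

    `fetch(url, ip)` is the caller's HTTP client (hypothetical interface). It must
    connect to the pinned `ip` rather than re-resolve the host, so a DNS rebinding
    between check and connect cannot substitute an internal address."""
    url = start_url
    for _ in range(max_hops + 1):
        ok, detail = check_target(url, resolver)
        if not ok:
            raise ValueError(f"blocked {url}: {detail}")
        status, headers, body = fetch(url, detail)
        if status in REDIRECT_CODES:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"redirect from {url} without Location")
            # A Location of file:///... or http://localhost/ lands here and is
            # rejected by check_target on the next iteration.
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError(f"more than {max_hops} redirects from {start_url}")


# Constructed offline stand-ins: a fake resolver and a fake HTTP client.
FAKE_DNS = {"site.example": "93.184.216.34", "localhost": "127.0.0.1"}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"unknown host {host}")


FAKE_SITE = {
    "http://site.example/page": (200, {}, b"<html>hello</html>"),
    "http://site.example/hop": (302, {"Location": "/page"}, b""),
    "http://site.example/bad": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://site.example/loop": (302, {"Location": "http://localhost/"}, b""),
}


def fake_fetch(url, ip):
    return FAKE_SITE[url]


def demo(path):
    """Render-style fetch of a constructed path; returns the outcome as text."""
    try:
        status, body = guarded_fetch(f"http://site.example/{path}", fake_fetch, fake_resolver)
        return f"{status} {body.decode()}"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for p in ("page", "hop", "bad", "loop"):
        print(p, "->", demo(p))
```

The important design point is that the check runs on every hop, not just the first URL: an external host passing the initial check can still answer with a 302 to a local file or to a loopback address, which is exactly the pattern this thread is about. Real HTTP clients that follow redirects automatically (including the one behind most headless-browser PDF renderers) need redirects disabled and handled by a loop like this one.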

Put http://o.tcp… it will work.

Finished, DM if you want help.

:sweat_smile: Haha yeah… that whole “without parameters” thing tripped me up too. I only noticed the problem because my server was showing a stray quotation mark.
Once I hardcoded it, it was easy peasy!

Oh, and fwiw, mine did not have any HTML in it.

In case anyone’s wondering, I checked out a whole bunch of alternatives and ended up using a tool called Pinggy, on their paid subscription (seems just as capable as ngrok but only a fraction of the price).

I tried redirection and still can’t find the way to read a local file?
DNS rebinding maybe?
Any hints?