Markdown to PDF Code Injection (CSAW CTF 2022)

Captions
Application security is something that we all need to take seriously, especially when you create small services that might allow you to do your job faster, or small, simple things like, hey, converting even markdown code into HTML or to a PDF file. So in this video I want to showcase a challenge from the CSAW Capture the Flag competition qualifiers that was just simply that: converting markdown into a PDF, and how we might be able to explore some vulnerabilities and ultimately compromise it. Let's dive in.

Before we dive into the video, here's a quick note from today's sponsor. There are so many vulnerabilities out there, like prototype pollution, SQL injection, remote code execution and more. They're fun to play with in CTF challenges, pen testing and ethical hacking, but they're not so fun when they're in your own applications, and that is where Snyk comes in. Snyk automatically scans your code, dependencies, containers and config files, finding and fixing vulnerabilities in real time. Here's how easy it is: with Snyk you can sign up for free with my link below, import your repositories, and there Snyk just finds your vulnerabilities. And it's not just looking for old, deprecated libraries; Snyk literally found a serious command injection vulnerability in a project of mine, so all I have to do is fix it with a single click. Snyk will open up fixing pull requests so you can just merge them into your repository and move on, and it does this all from your existing tools: IDEs, the command line, repos, pipelines, Docker Hub and so many more. And you can see for yourself: check it out and find out if there are any vulnerabilities affecting your projects. It's all totally free, and you can sign up using my link (snyk.com, John Hammond). Huge thanks to Snyk for sponsoring this video.

So this challenge is in their web category. The challenge was called "my little website", for 148 points. At the time of recording, this is after the game has concluded, so there are about 204 solves up here, and it says "I'm new to programming and I made this simple PDF creator website, hopefully it is secure enough." So we have this link; we can go ahead and open that up in a new tab, and this is it: "enter markdown code here", and that's all you need to do. You simply enter whatever you would like to go ahead and be converted; once you hit the submit button it will go ahead and spit out a PDF, and that's exactly what I'm looking at right here, just a simple PDF that includes the text. Now bear in mind this is supposed to render markdown, so if I go ahead and put this in sort of a header tag, like one of those larger, hey, H1 or H2 or H3 or H4, by adding these, you know, octothorpes, pound symbol, hashtag, whatever the heck you want to call them, we could see that rendered out. Now it's a much larger text: "Please subscribe." Good enough.

So what could we do to take advantage of this? This is a web challenge, of course, so we could go ahead and view the source code. I hit Ctrl+U on my keyboard; however, you can right-click and view page source. Now it is just bare-bones, basic HTML; there's not a whole lot happening here. Looks like there's a form to go ahead and submit with a POST method including the data that you wanted to include, and some simple text area and a submit button. Nothing else available to me, though. If I go ahead and open the network tools, or the developer tools, open in Firefox in my web browser, if I go ahead and reload this page with the network tab listening, I might be able to access this. I'll turn off my filter; I think I'm currently looking at WebSockets. Hitting the "All" section shows me, hey, this is retrieving the website. Uh, there aren't any special headers that return back from this that kind of clue me in as to what I might be looking at. No cookies, nothing here, but this is the page, so I don't exactly know what I'm up against, I gotta admit. We could start to kind of poke around and explore and test things. If it is rendering markdown, we could very well be able to just simply add HTML, I suppose, right? Could I add a, just, I don't know, a bold tag to "Please Subscribe", and then let's do another, I guess some, like, italics, `<i>` as the HTML element there, and let's see if that renders. Oh, looks like it does, in fact: "Please Subscribe" in bold and "please subscribe" in italic.

So we might be able to actually return something else with that. Like, could we actually run a simple script? Could I do, like, a console.log("Please Subscribe")? Could I try and run JavaScript rendered out this way? If I submit this, well, I suppose that's not really going to help me much. Oh, there's an interesting thing in the console output: I see a PDF and then "cbfd", seemingly a hash, "1.4", "Skia/PDF m106", "Chromium PDF.js". Maybe that clues me in as to what I'm looking at. This is viewer, viewer.js. Oh, okay, some apparent source code that we might be able to see present in the debugger. Uh, are these sources that I might be able to read? Yeah, okay, build/pdf.js. This might just be how it naturally displays things within PDFs in your browser, though; that probably isn't all that helpful. Uh, anyway, it didn't show me my "Please Subscribe" within the console, but let's try something else. Let's do, like, a simple alert. Let's see if that will render here. Again, because this is, like, on the server side, processing and recreating this markdown into a PDF, uh, maybe we've caused a pop-up on the back end, but we won't be able to see that. In fact, it's not even going to return the page for us. Yeah, connection's reset, because it just took too long to load. Okay, um, I don't know, we could do some other things. We could try to bring document.location to, like, example.com. Will that drive us there? Oh, oh, what the heck, that actually just straight up rendered it, like, within the PDF itself. Kind of interesting. So we know we can in fact execute JavaScript, and we can do what we might like here. In fact, we might be able to just steal cookies or do some potential things, um, but what damage could we do with this? Could we, like, load specific files? Maybe let me look for file:///etc/hosts, presumably being on a Linux machine. Does that render that for us? No. Okay, I don't know if we're on a Linux machine or not, but we can assume that.

What if I were to do some Googling? Let's do "markdown to PDF vulnerabilities". Is there some special syntax or things that we could use? Oh, Snyk has some stuff, super cool: "markdown-pdf vulnerabilities", "md-to-pdf" and the Snyk vulnerability database, known vulnerabilities in the markdown-pdf package. This has directory traversal, seemingly. Is there any info on it? Not quite yet, just showcasing severities. Um, how about this other one, the other tab that we have open here: remote code execution. Oh, I'm down for that. If I click on that, does that tell me... oh, okay. Oh, perfect, yeah, yeah, this looks like it could be what I need here. What, uh, I guess I needed to check out directory traversal here to actually even see this. How does this work? Oh, they're just using, like, a specific URL to go to that. I don't think that's exactly what we're working with here, because it's literally embedded in the code. Um, this uses a proof of concept for md-to-pdf as a command line tool, but again we don't know for sure if this is what we are up against. Um, but we could try this payload. This gives us some JavaScript code: require md-to-pdf, var payload equals all this, and that has newlines in here; this requires child_process to execute code, and slap it in, and then RCE. Now this has newlines, and since I'm going to end up entering this into a real thing, I'm going to open up a text editor just so I can play with that. Uh, we know that, I'm assuming this is supposed to be a newline, and then we do that. Is that, is that all it's supposed to do? Question is, we're not going to be able to read this /tmp/RCE file, because we haven't figured out how to do local file inclusion, if this were to even work. Uh, so let's enter a new script here, though. Or I guess presumably that is the language for this code, right? We don't need the script tags; it just knows to use JavaScript right here. Would that work? RCE, I don't know if you saw that at the top here. So did that actually run it? There are no errors. What if we tried, like, a sleep command? That's probably the easiest way to kind of know whether or not we are successfully executing this, being blind to what this might be executing, unless we could just probably maybe even see that output, like if I run id on its own. It's not going to just show in the response. No. All right, so let's try that sleep strategy. Let's do sleep 5. Oh, that has taken some time to come back, five seconds. Okay, so that is theoretically code execution, right?

Uh, what do I do? I mean, we just try to get a shell, like that might be super duper easy. Am I, like, cruising through this way too quick, way too quick, way too quick (I was trying to say "fast")? Is there more that I need to, like, learn here? But, like, this payload seems to work; Snyk was just telling us how to do it. So, uh, let me note here, if you do want to do any other exploring, what you could check out is HackTricks. You could do some PDF injection or server-side cross-site scripting shenanigans, and this is all documented, referenced here, as to what you might be able to do for other libraries that could be vulnerable, like this PDF lib. Uh, I don't know if there are other options; I think the server-side one on the other page would be more worthwhile to read. Yeah, so here's some of these, uh, payloads that you could try and throw in here, and this is kind of what we were exploring, seeing whether or not we could write stuff, uh, that would be worth using. So let me submit this to see if document.write tests will even render, or have I broken this thing, now that I'm going to have to sleep five times, or sleep for five seconds, every time you want to see this render? Did I break it? I might, I might have just... right, it broke it, or this payload is bad. It's kind of finicky. We could try a document.write(JSON.stringify(...)); maybe it just can't load images. Let's try that. Oh, okay, that gives us a little bit more. Now we've got seemingly localhost on a port, so window.location, that we can at least use document.write as we did previously. But honestly we don't need to do too much of this, because, like, you know, at this point, okay, we've already found some remote code execution.

What I do want to showcase here, though, is if you were to end up being able to retrieve the source code, because what we've just done with that previous payload, you can see how I'm rendering out, okay, potentially the contents of this service, like looking and rendering at whatever localhost might have been. If I actually amp up this, like, oh, let's make a width of 100 pixels and let's make the height, you know, 1000 pixels (I should have said a thousand earlier); if we get a bigger iframe we might be able to read this a little bit more. So now you can see all the files that are present here, because whatever directory indexing is allowing and enabling us to be able to view these. So if I try to go to that, it won't display, because it's trying to link me to literally my own localhost. But if we use that payload, as we slap stuff into an iframe loading our window.location locally, according to the application, what we could do is end up saying, hey, let's check out index.js relative to this application, right? So I'll go ahead and submit this. Look at that, now we've got the source code. I can see, hey, we're using the Express engine and Node; we're using that md-to-pdf library that we were just reading about on Snyk's vulnerability database, and we can see how this thing works. It's using extended URL encoding; it has some GET and POST handlers. GET to just go ahead and retrieve, okay, the template that we're sending for the HTML, and then what we're doing when we submit data here, we end up using the string of markdown. This is simply passed by the body's request argument, the HTTP here, and then we do some weird shenanigans, okay, checking if you're cruising into AWS and Amazon. That's a little fascinating, uh, but ultimately we end up running await mdToPdf, and I think looking back at what Snyk was telling us is vulnerable here, that's exactly the same code. You're requiring this and they use await mdToPdf, content of the payload, they spit it out into a temporary file, like output, but ultimately we're gonna end up rendering it onto the screen, onto what's returned in the service. So that is how you might be able to explore the source code, um, with some of those payloads you might be able to track down on HackTricks. And again, you could do some basic blind discovery, like, say, hey, can you call back to, uh, a service that you are hosting, which is what we're gonna have to do if we want to get a shell. And, okay, you could actually just see, oh, can we retrieve other sensitive things like a document.cookie or other pages that you might be able to read locally, just as a proof of concept to see, can you call back out to yourself blindly. We kind of got around that using the sleep command, and that was nice and easy for us, but again there's a whole lot of good resources here to see, oh, can we read local files, like we just kind of did, exploring, etc., that at least showed us the source code to this application. But we didn't have arbitrary file read, like specifying any absolute path that we might like.

Anyway, let's get to the good stuff. Let's see if we can get a reverse shell. I'm gonna go to revshells.com so we can go ahead and spit together a simple bash script. I do like the one that they give us right away; however, I know normally you want bash to invoke this. Personally, I, that's how I like to do it, and I like to wrap it in another bash command, because it needs to be within bash to be able to do that. Trust me, bear with me; those are just some good tricks to know. I always try to extend the syntax a little bit more. Anyway, let's go ahead and get a netcat listener. I'll go ahead and listen on 9999, and let's see if I can use an ngrok tunnel thing here. I will use ngrok tcp 9999; this way I'm going to be spitting this out onto the interwebs, and I do have this host and port ready and waiting for me here. So what I'll do is go ahead and pass this in to the revshells.com generator, grab the port just as well, paste that in, and now we have that syntax. So, fingers crossed, if I go ahead and move this to the other side of the screen, if I go ahead and go back to our syntax here, we know that we want to use the special payload that Snyk is willingly giving to us as our RCE, and I'll grab this here. I am noting that this "n", I'm assuming, is supposed to be a backslash-n; I think that's a typo. But then when we pass this here, what I'm going to do is change the command to run with execSync into this callback. Now I could try this on its own, and I guess let's do it. Let's see, I'm going to keep this in my clipboard and just run, and hopefully it comes through. But that did not like that. Okay, maybe that errored. Let's try to use bash rather than sh. Hit submit on that; still doesn't like it. Okay, let's try to use bash -c even as a prefix before that. See if this works: "bad MD code, aborting". Uh, if I wrap that in another single quote, keeping the internal command, right, that bash would want to run inside of a subshell within single quotes, let's see if this comes together for me. Hit submit. Oh, there it is, you see that? Heck yeah, look at that. Okay, so we have a callback. We are www-data, and "bash: no job control", whatever, so if I try to hit Ctrl+L it won't really let me. Uh, I am in bash, right? If I were to echo the SHELL environment variable, uh, I'm, my running bash, I mean I ran bash, uh, hello, I don't like that. Let me go ahead and export TERM=xterm, and let's see if now I can Ctrl+L. No, no, it probably needs, like, the stty raw -echo shenanigans, but because I'm in zsh it probably won't play nicely, so let me just not bother with that. But those are normally the techniques you might end up using to, uh, go ahead and, you know, stabilize your shell in a raw remote shell. You could do the same thing with pwncat or whatever you might end up using to have a nice pretty shell, but we can just type in clear rather than hitting Ctrl+L to try and clear our screen.

So let's run the ls command and let's see what we've got here, and we have access to all of the files and the file system itself, right, because we are on the box in this case. But what we are looking for is the flag. Let's go ahead and check out the root directory, /flag. There we go, I just ls /, and there is our flag.txt present there. So all we really need to do here is go ahead and cat /flag.txt, and there we go, here is our flag: CTF, "PDFs continue to suck". Super cool, super fun. Uh, that's all that this really was, honestly. Snyk is what saved the day here. I do love the fact that they cover a whole lot of the details for a lot of different vulnerabilities in their vulnerability database, and I also appreciate they're willing to showcase some proof-of-concept code and get a little bit more of an understanding of what is going on here. In this case it's a matter of just that library; it's md-to-pdf, markdown to PDF. Uh, the vulnerable version here is, hey, okay, it uses gray-matter, I suppose, to try and parse what is passed to it, but it doesn't disable the JavaScript engine, and with that you were able to go ahead and execute code. So, boom, that's that. Let's go and submit this and get our points. Excellent.

Thanks so much for watching, everybody. I hope you enjoyed this video. I realized, hey, kind of a little quick, fun, a little in-the-moment tap dancing to go see if we can learn and go figure out something on the fly. Again, I hope this kind of worked well with our Snyk sponsor, so again huge thanks to them, helping support the channel, helping support everything that I do and what we do here together in this channel and community. So thank you, thank you, thank you. Hope you enjoyed the video; if you did, please do what this YouTube algorithm thing likes: comment, subscribe, etc. You know where to find me, and please give some love to Snyk on your way out, link in the description. Thanks so much, everybody. I'll see you in the next video.
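The root cause the video ends on is that the vulnerable md-to-pdf hands user-supplied markdown to gray-matter without disabling its JavaScript front-matter engine, so a `---js` block is evaluated inside the renderer. The following is an added example, written for this page and not code from the challenge, from md-to-pdf or from gray-matter: a minimal gray-matter-style front-matter splitter with a pluggable engine table, used to show the behavioural difference between an engine that evaluates `---js` blocks and a hardened table that refuses them. All function names (`splitFrontMatter`, `SAFE_ENGINES`, `hasFrontMatter`, and so on) are hypothetical; the `key: value` parser is a stand-in for a real YAML engine, and the sample inputs are constructed.

```javascript
// Added example (not the challenge's code, nor md-to-pdf's or gray-matter's).
// A minimal gray-matter-style front-matter splitter with pluggable engines,
// contrasting an engine that evaluates "---js" blocks with a hardened
// configuration that refuses them. All names here are hypothetical.

// Front matter: opening fence with an optional language tag, body, closing fence.
const FRONT_MATTER_RE = /^---([a-z]*)\r?\n([\s\S]*?)\r?\n---\r?\n?/;

// Trivial "key: value" parser standing in for a real YAML engine (assumption:
// enough for this demo; a real service would use a YAML library in safe mode).
function parseKeyValue(src) {
  const data = {};
  for (const line of src.split(/\r?\n/)) {
    const m = line.match(/^([A-Za-z_][\w-]*):\s*(.*)$/);
    if (m) data[m[1]] = m[2];
  }
  return data;
}

// What a "js" engine amounts to: the front-matter body is evaluated as code with
// the renderer's own privileges. Present only to make the contrast visible;
// a service must never wire an engine like this up for untrusted input.
function evaluatingJsEngine(src) {
  return new Function(`return (${src});`)();
}

// Hardened engine: a "---js" block is rejected instead of evaluated.
function disabledJsEngine() {
  throw new Error("front matter engine 'js' is disabled");
}

// Engine table a PDF-rendering service should use for user-supplied markdown:
// only the data-only engine is allowed; both spellings of the JS engine refuse.
const SAFE_ENGINES = {
  yaml: parseKeyValue,
  js: disabledJsEngine,
  javascript: disabledJsEngine,
};

// Split front matter from the document and hand the body to the engine that the
// language tag selects (no tag means yaml, mirroring gray-matter's default).
function splitFrontMatter(markdown, engines) {
  const m = markdown.match(FRONT_MATTER_RE);
  if (!m) return { engine: null, data: {}, content: markdown };
  const lang = m[1] || "yaml";
  const engine = engines[lang];
  if (!engine) throw new Error(`unknown front matter engine '${lang}'`);
  return { engine: lang, data: engine(m[2]), content: markdown.slice(m[0].length) };
}

// Boundary check for a service that never needs front matter from users:
// detect it before any parser runs, as defence in depth on top of SAFE_ENGINES.
function hasFrontMatter(markdown) {
  return FRONT_MATTER_RE.test(markdown);
}

// Constructed sample inputs (not captured from the challenge).
const SAMPLE_YAML = "---\ntitle: Please Subscribe\n---\n# Hello\n";
const SAMPLE_JS = "---js\n({ title: 'computed', n: 6 * 7 })\n---\n# body\n";
const SAMPLE_PLAIN = "# Please Subscribe\n";

// Stand-alone demonstration: data-only front matter parses, an evaluating engine
// runs the block (n becomes 42), and the hardened table rejects the same input.
console.log(splitFrontMatter(SAMPLE_YAML, SAFE_ENGINES));
console.log(splitFrontMatter(SAMPLE_JS, { ...SAFE_ENGINES, js: evaluatingJsEngine }).data);
try {
  splitFrontMatter(SAMPLE_JS, SAFE_ENGINES);
} catch (e) {
  console.log("rejected:", e.message);
}
console.log("plain input carries front matter:", hasFrontMatter(SAMPLE_PLAIN));
```

The real gray-matter library exposes an `engines` option that accepts custom engine functions, which is how a caller would install the equivalent of `disabledJsEngine` for a real service; the splitter above is only a stand-in so the example runs offline. The two-layer shape is the point: refuse front matter at the request boundary when the feature is not needed, and disable code-evaluating engines in the parser configuration regardless, so a future change to the boundary check cannot reopen the path.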
Info
Channel: John Hammond
Views: 66,221
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: QVaf4DMYPFc
Length: 20min 46sec (1246 seconds)
Published: Thu Sep 22 2022