Try Hack Me: MD2PDF

Ryan Yager, published in System Weakness, Mar 23, 2023

Today we are going to look at a machine on Try Hack Me that is vulnerable to Cross-Site Scripting (XSS), which we will use to read a file on the local server.

We will start off as normal with a rustscan / nmap scan:

Port 5000 is unusual, so I ran an nmap scan against it to see what it was; it turned out to be serving the same thing as port 80:

Looking at both 5000 and 80, we can see they are the same page. Let's run feroxbuster against port 5000 and port 80:

Port 80 shows an admin page and a convert page. Looking at the admin page, we see the following:

Now we are starting to get an idea of how to put the attack together. We need to reach localhost on port 5000 to be able to see the admin page. To do this we can use the Markdown-to-PDF converter against itself, provided it is vulnerable to XSS. Let's try:

Notice how we are calling localhost on port 5000 and the admin page:
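The underlying weakness is that the converter renders raw HTML from user Markdown, and the PDF step then fetches whatever that HTML references from the server side, where the admin page on port 5000 is reachable. The following is an added example of the mitigation, not code from the room or from any md2pdf project: it assumes the pipeline produces HTML from the Markdown before rendering the PDF, and passes that HTML through an allowlist sanitizer that drops active elements and rejects any URL pointing at loopback or private hosts. The `dropped` list it returns is what you would log to spot attempts like the one above.

```python
import html
import re
from html.parser import HTMLParser

# Elements the PDF step legitimately needs for rendered Markdown; anything
# else (iframe, script, object, embed, link, meta, style, form ...) is dropped.
ALLOWED_TAGS = {"p", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li",
                "strong", "em", "code", "pre", "blockquote", "a", "img", "br",
                "hr", "table", "thead", "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "hr", "img"}
DROP_BODY = {"script", "style", "iframe", "object", "embed", "noscript"}  # body text discarded too
# The renderer fetches URLs server-side, so only public http(s) targets pass:
# no javascript:/file: schemes, no loopback, link-local or private hosts (SSRF).
SAFE_URL = re.compile(
    r"^https?://(?!localhost\b|127\.|0\.0\.0\.0|10\.|192\.168\.|169\.254\.|\[::1\])",
    re.IGNORECASE)

class MarkdownHtmlSanitizer(HTMLParser):
    """Allowlist sanitizer for HTML produced from user-supplied Markdown."""
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)            # record for logging/alerting
            self._skip += tag in DROP_BODY      # swallow the element body too
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not SAFE_URL.match((value or "").strip()):
                self.dropped.append(f"{tag}@{name}")  # e.g. a@href for javascript: or localhost
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_BODY and self._skip:
            self._skip -= 1
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html):
    """Return (clean_html, dropped) for HTML rendered from user Markdown."""
    s = MarkdownHtmlSanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out), s.dropped
```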

Hopefully you liked the article and learned something along the way.
