Exploit the misconfiguration of the pdftex service running as backend to execute commands and gain access to the flag file
We are given a port to connect to and the info that this challenge probably has to do something with pdfs.
When connected to the service, we can choose between 3 options.
Option 1 tells us that pdfmax is a cloud LaTeX interpreter and that it can compile any TeX files we’d like. Option 2 lets us write the TeX files and option 3 lets us compile them
After toying around with different input options, I noticed that the compile feature cuts the connection when trying to compile a partially faulty TeX file. The smallest file that could be submitted was of this structure:
\documentclass{article}
\begin{document}
\end{document}
After compiling this TeX file, the service tells us that it is running pdfTeX and that \write18 is enabled. With this info, we can start to exploit the service and get access to the backend server
The TeX \write command lets you write to a file that is specified after the command. However, 18 specifies the bash terminal, so \write18 allows us to send commands to the terminal. However, normally these commands are only completed once the page has finished compiling. To circumvent this we need to put \immediate before \write18 to tell the compiler to execute the command immediately.
The next step would be to run the ls command to see what’s in the directory that the service is running in:
\documentclass{article}
\begin{document}
\immediate\write18{ls}
\end{document}
We see that a flag.txt file is part of the directory so we access it:
\documentclass{article}
\begin{document}
\immediate\write18{cat flag.txt}
\end{document}
And we get the flag LLS{write18_my_flag_down_immediately}