PDFReacter SSRF to root-level local file read, which led to RCE

What is PDFReacter?
- PDFReacter is an HTML-to-PDF renderer: it parses HTML content and renders it into a PDF document.

While testing an application, I identified that it was using PDFReacter to generate its PDF exports.

Since PDFReacter parses HTML, I started with XSS vectors. I first tried injecting an <img> tag, and when I exported the form to PDF, the response looked like this:

This means that neither the application nor PDFReacter escapes HTML tags: user input ends up in the rendered document as markup rather than as text.

The next attempt was an <iframe> tag. I tried loading Google.

Now it was clear that the application accepted the iframe tag. I also tried loading my own website in the frame, and while exporting the form to PDF I received an external hit from the target application. The renderer was fetching the iframe source server-side, which is the SSRF.

The next attempt was to load local files with the file:/// wrapper. I tried:
"><iframe src="file:///etc/passwd"></iframe>

Bang !!!!!

The next attempt was to get the shadow file. /etc/shadow is readable only by root, so a successful read shows that the rendering process was running with root permissions; it fetched the file without any trouble:
"><iframe src="file:///etc/shadow"></iframe>

Next was to pop a shell: I fetched the private SSH keys the same way and was able to SSH into the server.
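The root cause is not a PDFReacter bug as such: the application puts untrusted form input into the HTML it hands to the renderer, and the renderer then fetches whatever that markup references, file:// URLs included, with the privileges of the rendering process. The Python below is an added example, not code from this write-up or from PDFReacter. It shows a hypothetical vulnerable template next to two fixes: plain escaping for text-only fields, and a minimal allowlist sanitizer for rich-text fields that drops <iframe>, <img>, <object> and any link that is not an absolute http(s) URL. The template, the field name and the payload strings are all constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads mirroring the escalation in the write-up (not the author's exact strings).
PAYLOADS = [
    '"><img src="x">',
    '"><iframe src="https://attacker.example/"></iframe>',
    '"><iframe src="file:///etc/passwd"></iframe>',
    '"><iframe src="file:///etc/shadow"></iframe>',
]


def render_vulnerable(name: str) -> str:
    """Hypothetical vulnerable template: user input is concatenated straight into the
    HTML handed to the PDF renderer, so any tag inside `name` becomes real markup."""
    return f'<html><body><p>Name: {name}</p></body></html>'


def render_escaped(name: str) -> str:
    """Fix for plain-text fields: escape so that <, >, " and & can never open a tag
    or break out of an attribute."""
    return f'<html><body><p>Name: {html.escape(name, quote=True)}</p></body></html>'


# Allowlist for fields that legitimately need a little rich text.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "embed"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs: rejects file://, javascript:, data: and
    scheme-less values that the renderer would resolve against its own base."""
    parts = urlsplit(value or "")
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from allowed tags and attributes only. Everything else,
    including the text inside a dropped element, is discarded and recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped non-void element
        self.findings = []    # what was removed, for logging or alerting

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1   # nested element inside a dropped one
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag:{tag}")
            if tag not in VOID_TAGS:
                self.skip_depth = 1
            return
        parts = [tag]
        for key, value in attrs:
            if key not in ALLOWED_ATTRS.get(tag, set()):
                continue            # drop src, style, on* handlers, everything unlisted
            if key == "href" and not safe_url(value):
                self.findings.append(f"attr:{tag}.{key}={value}")
                continue
            parts.append(f'{key}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # treat <br/> exactly like <br>

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str):
    """Return (clean_html, findings) for a rich-text field."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable:", render_vulnerable(payload))
        print("escaped:   ", render_escaped(payload))
    print(sanitize('<p>Hi <iframe src="file:///etc/passwd">x</iframe>'
                   '<a href="file:///etc/shadow">s</a><a href="https://example.com/">ok</a></p>'))
```

Escaping or sanitizing the input is only one layer. The write-up shows why the renderer itself also needs to be locked down: run it as an unprivileged user, and configure it to refuse file:// and internal network destinations, so that a future injection cannot reach /etc/shadow or SSH keys even if the sanitizer is bypassed. For production rich-text handling, prefer a maintained sanitizer library over this minimal one, which does not try to cope with badly unbalanced markup.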

Thanks for reading. Shoot a DM on twitter for any queries. 
Have a great day ahead.