In this lab, we explore the exploitation of DOMPDF 2.0 to achieve remote code execution. The challenge is set with $isRemoteEnabled disabled, which prevents the application from fetching remote assets. Our approach involves injecting an HTML style tag containing a base64-encoded malicious font, leveraging a Monolog gadget to gain RCE.
Following the steps outlined, you will create a valid font file containing the exploit, encode it appropriately, and inject it via HTML. The server then caches this font, allowing you to execute the payload using the phar protocol. This method bypasses the restriction on remote asset downloading, enabling you to create a file on the server and fetch it for code execution.