PDFy HTB Writeup

Configure your underlying PDF utilities to ignore HTTP redirection headers so they do not follow unexpected third-party paths.

When the application successfully processes a standard external URL (such as a public web server), look closely at the generated PDF metadata. You can download the PDF and inspect it using command-line utilities like pdfinfo or by checking how the elements are structured.

Create a simple PHP script named exploit.php on your server to handle incoming automated queries and issue a location header response:


The Hack The Box PDFy challenge involves exploiting Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerabilities within a PDF generation service using an outdated wkhtmltopdf version. By utilizing a redirect or iframe injection, attackers can force the application to read sensitive local files, such as /etc/passwd, allowing for the retrieval of the final flag. For a detailed walkthrough of the writeup, visit Blog Manh Tuong.

"endpoint": "/download", "methods": ["GET"]

Next, we perform a system enumeration using tools like linpeas and systemd-analyze. The results reveal that the machine uses a systemd service called pdfy-converter to manage the PDF converter service on port 8080.

Crucially, the challenge description includes a vital note: . This provides the first clear objective: exploit the application to read an internal system file. The immediate implication is that the application is vulnerable to a Server-Side Request Forgery (SSRF) attack.

import os
with open('/etc/passwd', 'a') as f:
    f.write("newuser::0:0:root:/root:/bin/bash\n")

The first step in any successful penetration test is thorough reconnaissance. Upon spinning up the challenge instance, you're greeted by a simple but functional web application. Its purpose is clear: it invites you to input a URL of a website, which it then converts into a downloadable PDF file.

The server returns the contents of the /etc/shadow file, which includes the hashed password for the user pdfy .

2. Trigger the SSRF

If you are developing or maintaining applications that generate PDFs from web inputs, you can protect your systems with the following defensive practices:

Analyze the source code to find config.php or similar files to identify database credentials.

Understanding how improper sanitization leads to .

A web application that converts provided URLs into PDF documents. Vulnerability: Insecure URL handling during PDF generation.