PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26].
1. Enumeration
The application provides a simple interface where you can submit a URL, which the server then converts into a downloadable PDF [26].
Key Discovery: By inspecting the PDF metadata or generating an error (e.g., submitting a local address), you can identify that the backend uses wkhtmltopdf to perform the conversion [26].
2. Exploitation (SSRF)
The wkhtmltopdf tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26].
Read the /etc/passwd file to find the flag [13, 14].
The Technique: Since direct file paths (like file:///etc/passwd) may be blocked by a basic filter, you can use a PHP redirect script hosted on your own server (or a service like ) [1, 11].
redirect.php
The Hack The Box PDFy challenge involves exploiting a Server-Side Request Forgery (SSRF) vulnerability in a PDF generation feature to achieve Local File Read. By manipulating input to the vulnerable library with file protocols or HTML injection, users can bypass filters and render local files such as /etc/passwd. You can read the full official discussion at Hack The Box Forums.
cat /root/root.txt
The exploited user has limited privileges. However, it is possible to escalate privileges to root.
$ python -c 'import os; os.system("/bin/bash")'
pdfy@pdfy:/$ sudo -l
Matching Defaults entries for pdfy on pdfy:
env_reset, env_keep += "COLORFGBG KDEDIR", mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pdfy may run the following commands on pdfy:
(ALL) NOPASSWD: ALL
The sudo privileges allow running any command as root without a password.
$ sudo bash
root@pdfy:/#
Conclusion
The PDFy box on HTB is a medium-level difficulty box that requires exploitation of a vulnerable PDF upload service to gain access to the system. The system can be fully exploited to gain root access by leveraging command injection, a vulnerable PDF upload service, and weak sudo privileges.
Recommendations
References