Pdfy Htb Writeup Upd ^hot^ Review

The PDFy interface lets users input a website address. The application visits the URL, takes a screenshot, and serves it back inside a dynamically generated PDF document. Web Exploitation Difficulty Rating Primary Vulnerability Server-Side Request Forgery (SSRF) Secondary Impact Local File Inclusion (LFI) via redirection Target Binary Underlying wkhtmltopdf Phase 1: Reconnaissance & Enumeration Step 1: Analyze the Front-End Interaction

dirty pipe

Submit a benign live website (e.g., http://google.com ) to check if the app functions properly.

ngrok http 8080

This walk-through covers the discovery, exploitation, and resolution of the vulnerability to grab the hidden flag. Challenge Overview pdfy htb writeup upd

Host this script dynamically so the HTB infrastructure can query it over the internet. You can stand up a lightweight PHP server directly on your public IP or Virtual Private Server (VPS): php -S 0.0.0.0:8000 Use code with caution.

: Configure your rendering library explicitly to deny local file access. For wkhtmltopdf , always include flags like --disable-local-file-access in the execution string.

If you want to fine-tune your exploit or explore other options for this challenge,

If you are attempting this box, focus on the ( file:// , gopher:// ) and the metadata of the files you are asking the server to process. The flag is usually found in /root/root.txt or a similar standard location after escalating privileges via a misconfigured script or binary. The PDFy interface lets users input a website address

Save the following code as index.php on your local attacker machine: Use code with caution. Copied to clipboard

Upload a normal PDF → metadata extracted successfully. Try injecting a command in the :

"endpoint": "/upload", "methods": ["POST"] ,

The challenge on Hack The Box is an Easy-rated Web Challenge designed to test your understanding of Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) when dealing with automated PDF generation engines. ngrok http 8080 This walk-through covers the discovery,

$ enum4linux -u nobody -p 10.10.11.206 [+] Enumerated users user:[pdfy] uid:[1677721600] gid:[1677721600] groups:[1677721600] user:[phr] uid:[1677721601] gid:[1677721601] groups:[1677721601]

Start a temporary PHP web server on your attack machine on port 80: sudo php -S 0.0.0.0:80 Use code with caution. Step 3: Triggering the Exploit

The application allows inputting text or a URL to generate a PDF. 3. Vulnerability Research and Exploitation