Upd | Pdfy Htb Writeup

The PDF generator accepts HTML input. If you embed an <img> tag with a src pointing to a local file or internal service, the server will fetch it during PDF rendering.

Visiting the website on port 80 reveals a simple webpage with a link to a PDF file.

$ curl -s 10.10.11.206
<!DOCTYPE html>
<html>
<head>
    <title>Pdfy</title>
</head>
<body>
    <h1>Pdfy</h1>
    <p><a href="pdf_file.pdf">Pdf File</a></p>
</body>
</html>

Downloading the PDF file does not reveal any sensitive information.

The writeup shines in its “why” explanations. For example:

This educational value makes it more than just a solution — it’s a tutorial for the OSEP or CPTS exam.

The only minor deduction: The writeup assumes you have a basic understanding of reverse shells and Python one-liners. Absolute beginners might need to pause and Google certain terms.


The Hack The Box PDFy challenge involves exploiting a Server-Side Request Forgery (SSRF) vulnerability in a PDF generation feature to achieve Local File Read. By manipulating input to the vulnerable library with file protocols or HTML injection, users can bypass filters and render local files such as /etc/passwd. You can read the full official discussion at the Hack The Box Forums.

PDFy is an easy-rated web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) via a PDF generation service.

🛠️ Step 1: Reconnaissance

The challenge provides a web application where users can input a URL. The application then visits that URL and converts the page content into a PDF file.

Technology Identifiers: By inspecting the metadata of a generated PDF (using tools like exiftool), you can often identify the library used for conversion.

Target Engine: In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.

🚀 Step 2: Identification & Exploitation

The core vulnerability is that the server fetches external content without proper validation, leading to SSRF.

Basic SSRF: Try to point the URL to http://localhost. If the server renders its own internal page, you have confirmed SSRF.

Information Disclosure: In PDFy, the goal is often to read local files or reach internal services.

Bypassing Filters: If the application blocks localhost or 127.0.0.1, try:

Decimal Encoding: http://2130706433

Shortened URLs: Using a service like bit.ly or tinyurl.

Redirection: Point the input to a server you control that returns a 302 Redirect to the target internal resource.

🏁 Step 3: Capturing the Flag

Once you bypass the URL filter, you can target local files.

Common Targets: file:///etc/passwd (to confirm file read).

This writeup explores PDFy, a web-based Hack The Box (HTB) challenge categorized as "Easy." This challenge is a classic introduction to Server-Side Request Forgery (SSRF), demonstrating how an application that renders web pages into PDFs can be coerced into leaking sensitive internal files.

Challenge Overview

Category: Web

Difficulty: Easy

Goal: Leak the contents of /etc/passwd to retrieve the hidden flag.

Primary Vulnerability: SSRF via the wkhtmltopdf tool.

1. Initial Enumeration

Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".

The Test: Entering a standard URL like http://google.com confirms the functionality—the application fetches the page and returns a PDF version of it.

The Theory: If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating that a basic blacklist or security filter is in place.

2. Identifying the Technology

By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: wkhtmltopdf.

This is a known command-line tool that uses the WebKit rendering engine to convert HTML to PDF. Crucially, older versions of this tool are vulnerable to SSRF because they follow redirects and execute JavaScript.

3. Exploitation Strategy: SSRF via Redirect

Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a malicious script on your own server. This script will redirect the wkhtmltopdf engine to the local file you want to read.

Step A: Set Up a Redirect Server

You need a way to serve a 302 Redirect. You can use a simple PHP script or a Python server to achieve this. Example PHP Redirect (index.php):

Step B: Expose Your Server

If you are running this locally, you must expose your server to the internet so the HTB challenge instance can reach it. Using a Reverse Proxy or tools like Serveo is recommended over ngrok for this specific challenge to avoid browser warning screens that might break the automated PDF rendering.

Step C: Trigger the Exploit

Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server sends a request to your server.

Your server responds with a 302 Redirect to file:///etc/passwd.

The wkhtmltopdf engine follows the redirect and reads the local file. The content of /etc/passwd is rendered into the PDF.

4. Capturing the Flag

Download the resulting PDF. Inside, you will see the text content of the server's password file. Scroll through the entries to find the HTB flag, which is typically appended as a comment or a user entry.

Key Takeaways

SSRF (Server-Side Request Forgery): Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters.

Tool Hardening: If using wkhtmltopdf in production, ensure it is updated and configured with --disable-local-file-access to prevent this exact type of leak.

Keep it Simple: As noted in the official HTB discussion, beginners often overcomplicate this by trying to get a shell, but the goal is purely a file leak.
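As an added defender-side example (not code from any of the writeups above), the following Python fetcher shows the validation the first takeaway calls for: it allowlists the scheme so file:// is rejected outright, resolves the host and refuses non-public addresses including the decimal http://2130706433 form from Step 2, and re-validates every redirect hop so the 302-to-file:///etc/passwd chain from Step 3 is refused. The fetch and resolver callables are injected assumptions so the code runs offline.

```python
"""Hardened fetcher for a URL-to-PDF service: allowlist the scheme, resolve the
host and reject non-public targets, and re-validate every redirect hop."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def resolve(host):
    """Default resolver: every address the hostname resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_url(url, resolver=resolve):
    """Return url if it is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:   # blocks file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.isdigit():
        # Decimal form (http://2130706433) is 127.0.0.1 to most resolvers.
        addrs = [str(ipaddress.ip_address(int(host)))]
    else:
        try:
            addrs = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6
        except ValueError:
            addrs = resolver(host)                     # hostname: resolve it
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:   # loopback, RFC 1918, link-local
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


def safe_fetch(url, fetch, resolver=resolve):
    """fetch(url) -> (status, headers, body) must not follow redirects itself;
    each Location header is validated here before it is requested."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        return status, body
    raise ValueError("too many redirects")
```

A check that resolves once is still exposed to DNS rebinding between validation and connect, so pin the validated address when opening the socket, and keep --disable-local-file-access set in wkhtmltopdf regardless.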

Official PDFy Discussion - Page 2 - Challenges - Hack The Box

Pdfy HTB Writeup

Introduction

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

Initial Reconnaissance

The first step in exploiting any box on HTB is to perform initial reconnaissance. This involves gathering information about the target system, including its IP address, open ports, and services.

$ nmap -sV -p- 10.10.11.206
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-09 14:30 EDT
Nmap scan report for 10.10.11.206
Host is up (0.052s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.33 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.6.25 (Ubuntu)
445/tcp  open  microsoft-ds Samba smbd 3.6.25 (Ubuntu)
5000/tcp open  upnp    MiniUPnPd 1.12
8080/tcp open  http    Apache httpd 2.4.33 ((Ubuntu))

The scan reveals that the target system has several open ports, including:

Enumeration

The next step is to enumerate the services running on these ports to gather more information about the system.