Server-Side Request Forgery (SSRF) / Local File Inclusion (LFI) Target Component: wkhtmltopdf
The PDFy backend sends a request to your server, reads the 302 Found redirect response pointing to file:///etc/passwd, and the underlying wkhtmltopdf engine renders the system file contents into the document structure.
Upon launching the PDFY machine on HTB, we are provided with an initial IP address: 10.10.11.232. Our first step is to perform an initial enumeration of the machine using tools like Nmap. We run the following command:
pdftotext /tmp/malicious.pdf -
"cmd": "id"
root::0:0:root:/root:/bin/bash
If you look at the metadata, you will find a critical clue that identifies the PDF generation engine.
id
php -S 127.0.0.1:8000
Start a lightweight PHP server on your exploitation node to serve the script:
php -S 0.0.0.0:8080
Step 3: Triggering the SSRF Payload
Server-Side Request Forgery (SSRF) / Local File Inclusion
When you launch the target instance and navigate to the provided IP address, you will find a simple web application: the app prompts you to input a URL.
Hack The Box (HTB) is a popular online platform that provides a challenging and interactive environment for cybersecurity enthusiasts to test their skills. One of the recent challenges on HTB is PDFY, a medium-level difficulty box that requires a combination of web exploitation, file analysis, and system compromise. In this writeup, we will walk through the step-by-step process of solving the PDFY challenge, highlighting the key techniques and tools used.
Ngrok will provide you with a public URL (e.g., https://abc123.ngrok.io). This is the URL you will enter into the PDFy application. We run the following command:
pdftotext /tmp/malicious
From the source, you may find API endpoints, database credentials, or internal service ports. In PDFY, there is often a local service on port 8080 or 5000 that isn't exposed externally.
PDFY has a known escalation vector: pdftex with shell escape enabled.