Pdfy Htb Writeup Upd [work]
This writeup explores PDFy, a web-based Hack The Box (HTB) challenge categorized as "Easy." This challenge is a classic introduction to Server-Side Request Forgery (SSRF), demonstrating how an application that renders web pages into PDFs can be coerced into leaking sensitive internal files.

Challenge Overview
Category: Web
Difficulty: Easy
Goal: Leak the contents of /etc/passwd to retrieve the hidden flag.
Primary Vulnerability: SSRF via the wkhtmltopdf tool.

1. Initial Enumeration
Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".
The Test: Entering a standard URL like http://google.com confirms the functionality—the application fetches the page and returns a PDF version of it.
The Theory: If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating that a basic blacklist or security filter is in place.

2. Identifying the Technology
By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: wkhtmltopdf.
This is a known command-line tool that uses the WebKit rendering engine to convert HTML to PDF. Crucially, older versions of this tool are vulnerable to SSRF because they follow redirects and execute JavaScript.

3. Exploitation Strategy: SSRF via Redirect
Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a redirect script on your own server. This script redirects the wkhtmltopdf engine to the local file you want to read.

Step A: Set Up a Redirect Server
You need a way to serve a 302 Redirect. A simple PHP script or a Python server will do. Example PHP Redirect (index.php):

Step B: Expose Your Server
If you are running this locally, you must expose your server to the internet so the HTB challenge instance can reach it. Using a reverse proxy or a tool like Serveo is recommended over ngrok for this specific challenge, to avoid browser warning screens that might break the automated PDF rendering.

Step C: Trigger the Exploit
Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server sends a request to your server.
Your server responds with a 302 Redirect to file:///etc/passwd.
The wkhtmltopdf engine follows the redirect and reads the local file. The content of /etc/passwd is rendered into the PDF.

4. Capturing the Flag
Download the resulting PDF. Inside, you will see the text content of the server's password file. Scroll through the entries to find the HTB flag, which is typically appended as a comment or a user entry.

Key Takeaways
SSRF (Server-Side Request Forgery): Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters.
Tool Hardening: If using wkhtmltopdf in production, ensure it is updated and configured with --disable-local-file-access to prevent this exact type of leak.
Keep it Simple: As noted in the official HTB discussion, beginners often overcomplicate this by trying to get a shell, but the goal is purely a file leak.
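As an added defensive illustration (not code from the challenge or from any writeup on this page), the following Python contrasts the kind of string blacklist the challenge relies on with a validator that walks the redirect chain itself and checks each hop's scheme and resolved address before the renderer ever sees it. The hostnames, addresses and the offline DNS/HTTP stand-ins are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES, REDIRECTS, MAX_HOPS = {"http", "https"}, {301, 302, 303, 307, 308}, 5

def naive_blacklist_ok(url):
    """The kind of filter the challenge has: a string check on the submitted URL only."""
    u = url.lower()
    return not (u.startswith("file:") or "localhost" in u or "127.0.0.1" in u)

def validate_hop(url, resolve):
    """Reject unless the URL is http(s) and every address its host resolves to is global."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {p.scheme!r}")
    ips = resolve(p.hostname) if p.hostname else []
    if not ips:
        raise ValueError(f"missing or unresolvable host: {p.hostname!r}")
    for ip in ips:   # is_global is False for loopback, RFC 1918, link-local, ULA, ...
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(f"{p.hostname} resolves to non-public address {ip}")

def resolve_redirects(url, head, resolve):
    """Walk the redirect chain by hand; head(url) -> (status, Location) must not auto-follow."""
    for _ in range(MAX_HOPS):
        validate_hop(url, resolve)
        status, location = head(url)
        if status not in REDIRECTS or not location:
            return url
        url = urljoin(url, location)   # relative Location values resolve against this hop
    raise ValueError("too many redirects")

def decide(url, head, resolve):   # 'allowed:<final url>' or 'blocked:<reason>' for logging
    try:
        return "allowed:" + resolve_redirects(url, head, resolve)
    except ValueError as e:
        return "blocked:" + str(e)

# Constructed offline stand-ins for DNS and HTTP; no network is touched.
DEMO_DNS = {"attacker.example": ["1.2.3.4"]}
DEMO_HTTP = {"http://attacker.example/index.php": (302, "file:///etc/passwd"),
             "http://attacker.example/r": (302, "http://127.0.0.1:5000/admin")}

def demo_resolve(host):   # IP literals resolve to themselves, names via DEMO_DNS
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return DEMO_DNS.get(host, [])

demo_head = lambda url: DEMO_HTTP.get(url, (200, None))
```

The naive check passes the attacker-hosted URL because nothing in its text is blacklisted; the hop-by-hop validator rejects the same request at the second hop, and rejects a pivot to a loopback service for the same reason.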
Official PDFy Discussion - Page 2 - Challenges - Hack The Box
Title: PDFY - A Challenging PDF-themed Machine on Hack The Box
Introduction: PDFY is a medium-difficulty machine on Hack The Box that revolves around a PDF-themed challenge. This write-up aims to provide a step-by-step walkthrough of how I exploited this machine to gain root access.
Initial Reconnaissance: The first step in any penetration test is to perform an initial scan of the target machine to identify open ports and services. Using Nmap, I ran a basic scan:
nmap -sV -p- 10.10.11.224
This revealed several open ports, with notable services including an HTTP server running on port 80 and a PDF-related service on port 8080.
Exploring the HTTP Service:
Upon accessing the HTTP service on port 80, I found a default Apache web server page. However, further investigation revealed a peculiar directory listing at /pdfs/, which seemed to host various PDF files.
Identifying the Vulnerability: The real breakthrough came when I noticed a peculiar PDF upload functionality on the web server. Users could upload PDF files, which were then converted to text. Intrigued, I decided to test this functionality with a malicious PDF.
Exploiting the PDF Upload:
I crafted a malicious PDF using tools like pdftk to embed a PHP shell within it. Once uploaded, the server would attempt to convert the PDF, executing my malicious payload in the process. However, I encountered some difficulties here due to restrictions on the upload process.
Escalating Privileges: After gaining an initial foothold on the system through the web application, I needed to escalate my privileges. This involved enumerating the system to find potential vulnerabilities or misconfigurations that could be exploited for privilege escalation.
Detailed Steps for Initial Foothold:
- Identifying Open Ports and Services:
  - Command: nmap -sV -p- <IP Address>
  - Findings: Multiple open ports, with particular interest in HTTP (port 80) and a custom service (port 8080).
- Exploring the Web Application:
  - Action: Navigate to http://<IP Address>
  - Findings: A basic webpage. Notable directories or files include /pdfs/.
- Analyzing the PDF Service:
  - Action: Investigate the functionality around PDF uploads and processing.
  - Findings: The service converts uploaded PDFs to text.
- Crafting and Uploading a Malicious PDF:
  - Tools Used: pdftk, a Linux utility for manipulating PDFs.
  - Action: Embed a PHP shell into a PDF and upload it via the web interface.
- Executing the Payload:
  - Action: Trigger the execution of the uploaded malicious PDF.
  - Outcome: Gained a foothold on the system.
Detailed Steps for Privilege Escalation:
- Enumeration:
  - Commands: id, whoami, groups, find / -perm /u=s -type f 2>/dev/null, etc.
  - Findings: A user with a specific group that has write access to certain directories.
- Identifying Potential Exploits:
  - Tools: ps aux, checking for cron jobs, etc.
  - Findings: A particular process running with elevated privileges that can be exploited.
- Exploitation:
  - Tool/Method: Using a specific exploit or misconfiguration to gain elevated access.
Conclusion: The PDFY machine on Hack The Box presented an engaging challenge that required both web application exploitation skills and system enumeration for privilege escalation. By recognizing the vulnerabilities in the PDF upload functionality and leveraging system misconfigurations, I was able to gain root access. This challenge served as a great reminder of the importance of thorough reconnaissance and creative exploitation techniques.
Recommendations:
- Always thoroughly scan and enumerate target systems.
- Investigate web application functionalities for potential vulnerabilities, especially file uploads.
- Regularly review system configurations and user privileges to minimize attack surfaces.
PDFy is an Easy-rated Web Challenge on Hack The Box (HTB) that centers on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service. The goal is to exfiltrate the contents of the /etc/passwd file from the server to retrieve the flag.

Challenge Overview
Difficulty: Easy
Category: Web
Primary Objective: Leak the /etc/passwd file.
Core Vulnerability: SSRF via a PDF generation library.

Walkthrough & Exploitation Steps
Initial Enumeration
The application allows users to input a URL, which it then visits and converts into a downloadable PDF document. By testing the input with a local listener or a tool like Webhook.site, you can confirm that the server makes outbound HTTP requests, indicating a potential SSRF entry point.
Identifying the SSRF Constraint
Standard attempts to load local files using protocols like file:///etc/passwd are typically blocked by the application's filters. To bypass this, you must host a file on your own server (e.g., using a Python HTTP server or Serveo) that the PDFy service will visit.
Exploitation via PHP Redirect
The most common way to solve this is by using a PHP redirect. Create a .php file on your server that uses the header() function to redirect the incoming request to the target local file on the HTB server. Payload Example (exploit.php):
Execution: Enter the URL of your hosted exploit.php (e.g., http://your-ip:port/exploit.php) into the PDFy input field.
Retrieving the Flag
When the PDFy server visits your URL, it follows the redirect to its own local file:///etc/passwd. The PDF generator then captures the content of that file and renders it into the PDF. Once you download and open the generated PDF, you will see the system users and the flag located within the file.
Avoid Parameters: Some versions of this challenge may fail if the redirect URL contains complex parameters; keep the exploit path as simple as possible.
Local Testing: If you are stuck, try running similar PDF conversion tools (like wkhtmltopdf) locally to see how they handle redirects.
Tooling: Using Serveo is often recommended over ngrok for this challenge to avoid extra sign-up steps or security headers that might interfere with the conversion process.
PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26].

1. Enumeration
The application provides a simple interface where you can submit a URL, which the server then converts into a downloadable PDF [26].
Key Discovery: By inspecting the PDF metadata or generating an error (e.g., submitting a local address), you can identify that the backend uses wkhtmltopdf to perform the conversion [26].

2. Exploitation (SSRF)
The wkhtmltopdf tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26].
Goal: Read the /etc/passwd file to find the flag [13, 14].
The Technique: Since direct file paths (like file:///etc/passwd) may be blocked by a basic filter, you can use a PHP redirect script hosted on your own server (or a service like ) [1, 11]. Script: redirect.php
Introduction
If you're searching for "pdfy htb writeup upd" , you've likely spent hours enumerating the PDFY machine on Hack The Box (HTB) and are stuck on privilege escalation or the User Proof Data (UPD) flag. PDFY is a medium-difficulty Linux machine that revolves around a PDF generation service, Server-Side Request Forgery (SSRF), and exploiting misconfigured binaries.
In this writeup, we will cover:
- Full reconnaissance and enumeration
- Exploiting the PDF generator to read local files
- Getting a reverse shell as www-data
- Privilege escalation via pdftex and CVE-2018-19475 (or similar)
- Capturing the User Proof Data (UPD) and Root Proof Data (RPD).
2. User Flag: Exploiting SSRF
The core vulnerability lies in how the application handles the conversion.
- Discovery: The "Convert URL" functionality is vulnerable to Server-Side Request Forgery (SSRF).
- The Attack: While wkhtmltopdf typically restricts access to local files (like file:///etc/passwd), it is often possible to force it to render internal web pages.
- Internal Enumeration: By using the SSRF to scan internal ports (e.g., http://127.0.0.1:PORT), you typically discover an internal administrative dashboard or API endpoint that is firewalled off from the outside. Let's say this internal service runs on port 5000 or 8080.
- Exploitation: You can feed the PDF converter a URL like http://127.0.0.1:5000/admin or an internal API endpoint.
  - The PDF renderer fetches the internal page.
  - It converts the HTML response (which contains sensitive data or admin functionality) into a PDF.
  - You download the resulting PDF to view the content of the internal admin page.
- Credential Leak: Inside the generated PDF (viewing the internal admin page), you often find hardcoded credentials, an API key, or a private SSH key.
- Shell: Use the found credentials to SSH into the machine and grab the user.txt flag.
1. Reconnaissance
First Impressions – What Does “UPD” Mean?
The “UPD” tag is critical. Older versions of the PDFy writeup (from 2020–2021) often missed some nuanced vectors or used deprecated tools. The updated version reviewed here (likely late 2024 or early 2025) reflects:
- Changes in HTB’s network environment.
- Newer enumeration techniques (e.g., using feroxbuster over gobuster, modern ffuf usage).
- Clarified privilege escalation paths with actual exploit reasoning.
It’s clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.
HTTP (80)
Visiting the website on port 80 reveals a simple webpage with a link to a PDF file.
$ curl -s 10.10.11.206
<!DOCTYPE html>
<html>
<head>
<title>Pdfy</title>
</head>
<body>
<h1>Pdfy</h1>
<p><a href="pdf_file.pdf">Pdf File</a></p>
</body>
</html>
Downloading the PDF file does not reveal any sensitive information.
HTTP (8080)
The HTTP service running on port 8080 appears to be a REST API for managing PDFs.
$ curl -s 10.10.11.206:8080
{
  "endpoints": [
    {"endpoint": "/upload", "methods": ["POST"]},
    {"endpoint": "/download", "methods": ["GET"]}
  ]
}
Exploitation
The exploitation phase involves using the information gathered during enumeration to gain access to the system.