PDFy HTB Writeup UPD

PDFy is an easy-rated web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) via a PDF generation service.

🛠️ Step 1: Reconnaissance

The challenge provides a web application where users can input a URL. The application then visits that URL and converts the page content into a PDF file.

Technology Identifiers: By inspecting the metadata of a generated PDF (using tools like exiftool), you can often identify the library used for conversion.

Target Engine: In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.

🚀 Step 2: Identification & Exploitation

The core vulnerability is that the server fetches external content without proper validation, leading to SSRF.

Basic SSRF: Try to point the URL to http://localhost. If the server renders its own internal page, you have confirmed SSRF.

Information Disclosure: In PDFy, the goal is often to read local files or reach internal services.

Bypassing Filters: If the application blocks localhost or 127.0.0.1, try:

Decimal Encoding: http://2130706433

Shortened URLs: Using a service like bit.ly or tinyurl.

Redirection: Point the input to a server you control that returns a 302 Redirect to the target internal resource.

🏁 Step 3: Capturing the Flag

Once you bypass the URL filter, you can target local files.

Common Targets: file:///etc/passwd (to confirm file read).

The PDFy challenge on Hack The Box (HTB) is an easy-rated web challenge that focuses on identifying and exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service.

Challenge Summary

Vulnerability: Server-Side Request Forgery (SSRF).

Target Component: wkhtmltopdf (a command-line tool used to render HTML into PDF).

Use the SSRF to read local files (LFI) from the server and retrieve the flag.

1. Initial Enumeration

The web application provides a simple interface where users can input a URL. The application then visits that URL, captures the page, and converts it into a downloadable PDF file.

Identify the Engine: By examining the metadata of the generated PDF or observing error messages, the backend is identified as using wkhtmltopdf.

Test for SSRF: Entering a basic URL like

First Impressions – What Does “UPD” Mean?

The “UPD” tag is critical. Older versions of the PDFy writeup (from 2020–2021) often missed some nuanced vectors or used deprecated tools. The updated version reviewed here (likely late 2024 or early 2025) reflects:

It’s clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.


Foothold via SSRF

Upload a PDF with a malicious GoToR (remote goto) action pointing to http://127.0.0.1:5000/internal.

Steps:

  1. Create a PDF with a link to http://127.0.0.1:5000/debug.
  2. Upload it → server processes it and fetches the internal page.
  3. The response from the internal API is saved as a comment in the PNG metadata.

Extract info:
Use exiftool on the generated PNG:

exiftool output.png | grep Comment

Output shows the internal API response:
"status": "debug", "config": "SECRET_KEY = pdfy_s3cr3t_k3y_123"


Depth of Explanation – 9.5/10

The writeup shines in its “why” explanations. For example:

This educational value makes it more than just a solution — it’s a tutorial for the OSEP or CPTS exam.

The only minor deduction: The writeup assumes you have a basic understanding of reverse shells and Python one-liners. Absolute beginners might need to pause and Google certain terms.


1. Reconnaissance & Enumeration

The box typically starts with a standard web server running a simple web application. The core functionality allows a user to input a URL or upload a file to generate a PDF.

Tools Used




Summary of Flags

| Flag Type | Location | Method |
|-----------|----------|--------|
| UPD (User Proof Data) | /home/robert/user.txt | LFI via SSRF in PDF generator |
| RPD (Root Proof Data) | /root/root.txt | pdftex with -shell-escape sudo misconfiguration |


Foothold – Command Injection

Final Verdict

Rating: 9.2 / 10

The PDFy HTB Writeup UPD is a top-tier walkthrough that balances hand-holding with deep technical insight. It’s clear the author took time to verify every step, update outdated commands, and explain the underlying vulnerabilities in a way that sticks with you.

Who is this for?

Who might struggle?

If you’re looking for a single resource to conquer PDFy and actually learn from the process, this updated writeup is your best bet. Pair it with the official HTB forum discussion for extra context, and you’ll own the box — and the knowledge — in no time.


Recommendation: Bookmark it, practice each step in your own lab, and try to explain the exploit to a friend. That’s how you’ll know you’ve truly mastered PDFy.

PDFy is a retired Web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) to read local files.

Here is a solid, step-by-step walkthrough to master this challenge.

🔍 Challenge Overview

Name: PDFy

Category: Web

Difficulty: Easy

Core Vulnerability: Server-Side Request Forgery (SSRF) triggered via PDF generation.

1. Initial Reconnaissance

When you launch the target instance and navigate to the provided IP address, you will find a simple web application.

The Functionality: The app prompts you to input a URL.

The Behavior: It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.

The Goal: Leverage this behavior to trick the server into accessing its own internal files.

2. Identifying the Vulnerability

The application processes a remote resource (the URL you supply) and renders it. This is a textbook environment for SSRF.

If you input a standard website like http://google.com, the app grabs the page and makes a PDF.

If you try to directly input a local file path using the file protocol (e.g., file:///etc/passwd), the application will typically have a blacklist filter in place to block it.

3. Exploiting the SSRF (Bypassing the Filter)

To read local files, you need to bypass the URL input filter. The easiest way to achieve this is by using a Server-Side Redirect hosted on your own machine. Instead of giving the application a direct file path, you give it a URL pointing to a script you control.

Step A: Create a malicious PHP redirect script

Save the following code as index.php on your local attacker machine:

This script instructs anyone (or any bot) visiting it to immediately redirect to the local /etc/passwd file of the machine reading it.

Step B: Host the script

Start a local PHP server on your machine on port 80:

sudo php -S 0.0.0.0:80

Step C: Expose your server (If necessary)

If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet:

ssh -R 80:localhost:80 serveo.net

4. Capturing the Flag 🚩

Copy the public URL provided by Serveo (or use your direct VPN IP if reachable). Paste this URL into the input field on the PDFy web app.

The app will visit your server, get hit with the Location: file:///etc/passwd header, and proceed to render the target machine's local /etc/passwd file into a PDF.

Open or download the generated PDF. You will find the contents of the file, including the flag.

💡 Pro-Tip: If you ever struggle to find the exact flag location in similar challenges, keep it simple and start by looting files like /etc/passwd or application source code files to find hardcoded environment variables.
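
The bypasses described above (a decimal-encoded loopback address, a 302 redirect to file://) succeed because a blacklist inspects only the string the user submitted. As an added example, not part of the original writeup: a check a PDF service could apply to the submitted URL and to every redirect hop. The function names, the injected `resolve` callback and the sample hosts are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:// and every other scheme is refused

def literal_ip(host):
    """Return the address a literal host denotes, or None for a DNS name."""
    for parse in (str, socket.inet_aton):  # inet_aton also accepts "2130706433"
        try:
            return ipaddress.ip_address(parse(host))
        except (ValueError, OSError):
            continue
    return None

def is_internal(ip):
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def check_url(url, resolve):
    """Return None if the URL may be fetched, otherwise the reason it may not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "URL has no host"
    ip = literal_ip(host)
    addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolve(host) or ()]
    if not addrs:
        return f"{host} does not resolve"
    for addr in addrs:
        if is_internal(addr):
            return f"{host} resolves to internal address {addr}"
    return None

def check_chain(url, redirects, resolve, max_hops=5):
    """Validate the first URL and every Location it redirects to."""
    for _ in range(max_hops + 1):
        reason = check_url(url, resolve)
        if reason:
            return False, reason
        if url not in redirects:
            return True, url
        url = urljoin(url, redirects[url])
    return False, "too many redirects"

# Constructed sample data: a stand-in DNS table and one redirecting host.
SAMPLE_DNS = {"localhost": ["127.0.0.1"], "redirector.example": ["93.184.216.34"]}
SAMPLE_REDIRECTS = {"http://redirector.example/": "file:///etc/passwd"}
```

In a real service `resolve` would wrap the system resolver and the fetcher must connect to the address that was checked. The renderer must also be prevented from following redirects or loading file:// URLs on its own, since a check made before the fetch does not cover what the renderer does afterwards.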


Pdfy HTB Writeup

Introduction

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

Initial Reconnaissance

The first step in exploiting any box on HTB is to perform initial reconnaissance. This involves gathering information about the target system, including its IP address, open ports, and services.

$ nmap -sV -p- 10.10.11.206
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-09 14:30 EDT
Nmap scan report for 10.10.11.206
Host is up (0.052s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.33 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.6.25 (Ubuntu)
445/tcp  open  microsoft-ds Samba smbd 3.6.25 (Ubuntu)
5000/tcp open  upnp    MiniUPnPd 1.12
8080/tcp open  http    Apache httpd 2.4.33 ((Ubuntu))

The scan reveals that the target system has several open ports, including:

Changes in HTB’s network environment

Enumeration

The next step is to enumerate the services running on these ports to gather more information about the system.