PDFY HTB Writeup

Use the file:// protocol or http://localhost to read files.

Using the SSRF, read the main PHP file that handles PDF generation.

<img src="file:///var/www/html/index.php">

Prevent following redirects to non-internal hosts.

Sandbox: Run the service in an isolated environment.

Upload → reverse shell as www-data.

sudo /usr/bin/pdftex --shell-escape

Submit the URL to your hosted exploit.php in the target application's input field. The server follows the redirect and renders the target file in the PDF.

Step 3: Extracting the Flag

However, this approach doesn't work as expected. Instead, we can create a simple Python script to modify the /etc/passwd file directly.

Older or default configurations of wkhtmltopdf are highly susceptible to SSRF because they execute JavaScript and follow HTTP redirects seamlessly.

Phase 3: Exploitation and Bypass

This comprehensive technical walkthrough breaks down the enumeration steps, vulnerability discovery, exploit formulation, and final flag extraction.

🔑 Challenge Overview

Hack The Box (HTB)
Category: Web
Difficulty: Easy

PDFY is a web application that allows users to upload PDF files, extract metadata, and convert them to images. The application uses an unsafe system call to pdftotext and pdfimages, allowing command injection via crafted PDF metadata or filenames. Privilege escalation involves a misconfigured sudo permission for a custom PDF processing script.

Your server responds with a 302 Redirect to file:///etc/passwd.