Pdfy Htb Writeup Upd
If you are attempting this box, focus on the URL schemes (file://, gopher://) and the metadata of the files you are asking the server to process. The flag is usually found in /root/root.txt or a similar standard location after escalating privileges via a misconfigured script or binary.
To execute this, you will need a public-facing system or an exposed local server to capture the callback. You can use a Virtual Private Server (VPS) or tunneling tools like Serveo to expose your local environment.
Crafting the Malicious Script
Leak the contents of /etc/passwd to retrieve the hidden flag. Primary Vulnerability: SSRF via the wkhtmltopdf tool.
1. Initial Enumeration
The PDFY machine on Hack The Box presented an engaging challenge that required both web application exploitation skills and system enumeration for privilege escalation. By recognizing the vulnerabilities in the PDF upload functionality and leveraging system misconfigurations, I was able to gain root access. This challenge served as a great reminder of the importance of thorough reconnaissance and creative exploitation techniques.
Step 2: Spin Up a Web Server
su root
$ curl -X POST -F "file=@shell.pdf" 10.10.11.206:8080/upload
We find an unusual script or a cron job running as root. In the case of PDFy, there is often a customized script in /var/www/html/ or a cron job that interacts with files we can control.
We obtain a root shell, and our mission is accomplished!
<img src="http://127.0.0.1:8080/generate?html=<iframe src='file:///etc/passwd' />">
(ALL) NOPASSWD: /usr/bin/pdftex
Once we find an upload functionality or an LFI that can be turned into an RCE, we can upload a PHP reverse shell. Create a shell.php file:
We run basic post-enumeration commands (like id, whoami, and checking for SUID binaries) to see how we can escalate our privileges.
Create a simple PHP script named exploit.php on your server to handle the incoming automated requests and respond with a Location header: