Writeup Upd — Pdfy Htb

The UPnP service running on port 5000 appears to be a potential attack surface. However, there are no obvious vulnerabilities.

Use the file:// protocol or http://localhost to read files.

Try:

<img src="file:///etc/passwd">

Generate the PDF. You’ll see the contents of /etc/passwd rendered in the PDF.

UPD Note: The User Proof Data flag is often not in /etc/passwd, but this confirms LFI via SSRF.

If you are attempting this box, focus on the protocols (file://, gopher://) and the metadata of the files you are asking the server to process. The flag is usually found in /root/root.txt or a similar standard location after escalating privileges via a misconfigured script or binary.

This writeup explores PDFy, a web-based Hack The Box (HTB) challenge categorized as "Easy." This challenge is a classic introduction to Server-Side Request Forgery (SSRF), demonstrating how an application that renders web pages into PDFs can be coerced into leaking sensitive internal files. Challenge Overview Category: Web Difficulty: Easy

Goal: Leak the contents of /etc/passwd to retrieve the hidden flag. Primary Vulnerability: SSRF via the wkhtmltopdf tool. 1. Initial Enumeration pdfy htb writeup upd

Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".

The Test: Entering a standard URL like http://google.com confirms the functionality—the application fetches the page and returns a PDF version of it.

The Theory: If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating a basic blacklist or security filter is in place. 2. Identifying the Technology

By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: wkhtmltopdf.

This is a known command-line tool that uses the WebKit rendering engine to convert HTML to PDF. Crucially, older versions of this tool are vulnerable to SSRF because they follow redirects and execute JavaScript. 3. Exploitation Strategy: SSRF via Redirect

Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a malicious script on your own server. This script will redirect the wkhtmltopdf engine to the local file you want to read. Step A: Set Up a Redirect Server

You need a way to serve a 302 Redirect. You can use a simple PHP script or a Python server to achieve this. Example PHP Redirect (index.php): Use code with caution. Step B: Expose Your Server The UPnP service running on port 5000 appears

If you are running this locally, you must expose your server to the internet so the HTB challenge instance can reach it. Using a Reverse Proxy or tools like Serveo is recommended over ngrok for this specific challenge to avoid browser warning screens that might break the automated PDF rendering. Step C: Trigger the Exploit

Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server sends a request to your server.

Your server responds with a 302 Redirect to file:///etc/passwd.

The wkhtmltopdf engine follows the redirect and reads the local file. The content of /etc/passwd is rendered into the PDF. 4. Capturing the Flag

Download the resulting PDF. Inside, you will see the text content of the server's password file. Scroll through the entries to find the HTB flag, which is typically appended as a comment or a user entry. Key Takeaways

SSRF (Server-Side Request Forgery): Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters.

Tool Hardening: If using wkhtmltopdf in production, ensure it is updated and configured with --disable-local-file-access to prevent this exact type of leak. Generate the PDF

Keep it Simple: As noted in the official HTB discussion, beginners often overcomplicate this by trying to get a shell, but the goal is purely a file leak.

Official PDFy Discussion - Page 2 - Challenges - Hack The Box

PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26]. 1. Enumeration

The application provides a simple interface where you can submit a URL, which the server then converts into a downloadable PDF [26]. Key Discovery

: By inspecting the PDF metadata or generating an error (e.g., submitting a local address), you can identify that the backend uses wkhtmltopdf to perform the conversion [26]. 2. Exploitation (SSRF) wkhtmltopdf

tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26]. : Read the /etc/passwd file to find the flag [13, 14]. The Technique : Since direct file paths (like file:///etc/passwd ) may be blocked by a basic filter, you can use a PHP redirect script hosted on your own server (or a service like ) [1, 11]. redirect.php

Here’s a detailed draft for a Hack The Box write‑up on the machine PDFY (assuming it’s a typical HTB machine involving PDF parsing, file uploads, or command injection via PDF metadata).

If PDFY is not an actual retired HTB machine, consider this a template/reference for a realistic PDF‑related challenge.