HTB Writeup (upd) - PDFY

In this detailed writeup, we will walk through the entire methodology, from initial reconnaissance and vulnerability identification to crafting the exploit payload and capturing the flag.

🔍 Phase 1: Reconnaissance and Enumeration

Upon launching the PDFY virtual machine, we are provided with an IP address: 10.10.10.187. Our first step is to perform a basic port scan using Nmap:

Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI)

Target Binary Component: wkhtmltopdf

1. Initial Reconnaissance & Enumeration

Port 5000 is not directly accessible from outside (filtered). However, the main web app on port 80 makes requests to localhost:5000 during PDF processing.

Instead of a web URL, provide file:///etc/passwd to see if the server renders the system's password file into the resulting PDF.

Before starting, ensure your VPN is connected to the Hack The Box network. We assume the machine IP is 10.10.10.x (substitute your allocated target IP).

2. Enumeration: Discovering the Surface

PDF metadata reveals that the application uses wkhtmltopdf, a utility prone to Local File Inclusion (LFI) and SSRF because it executes the page's scripts server-side while rendering. While direct file:///etc/passwd inputs are blocked by input filters, an SSRF redirection bypass allows access to local files.

Phase 3: Exploitation via Redirection Bypass

su

The PDFY challenge serves as a valuable learning experience for cybersecurity enthusiasts, highlighting the importance of thorough vulnerability assessment, creative exploitation, and strategic privilege escalation.

The modified PDF file is then uploaded to the system.

It’s clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.

The wkhtmltopdf tool renders the main HTML page and, while processing it, attempts to load the <iframe>. Its src="file:///etc/passwd" causes the tool to read the local file and embed its contents in the generated PDF.

If you are developing or securing an application that converts HTML to PDF documents, consider implementing the following security measures:

*/5 * * * * python /home/pdfy/new.py

As noted in the official HTB discussion, beginners often overcomplicate this by trying to get a shell, but the goal is purely a file leak.

Like all good penetration tests, the first step is thorough reconnaissance.