Pdfy Htb Writeup Upd

PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26].

1. Enumeration

  • Discovery: The "Convert URL" functionality is vulnerable to Server-Side Request Forgery (SSRF).
  • The Attack: While wkhtmltopdf typically restricts access to local files (like file:///etc/passwd), it is often possible to force it to render internal web pages.
  • Internal Enumeration: By using the SSRF to scan internal ports (e.g., http://127.0.0.1:PORT), you typically discover an internal administrative dashboard or API endpoint that is firewalled off from the outside. Let's say this internal service runs on port 5000 or 8080.
  • Exploitation: You can feed the PDF converter a URL like http://127.0.0.1:5000/admin or an internal API endpoint.

    If the application allows uploading images/files alongside the URL, and the backend uses PHP with specific libraries, it might be vulnerable to Phar Deserialization. However, in most "Pdf" themed boxes, the vector is simpler.

    cat /root/root.txt

    1. Not beginner-friendly – If you haven’t completed at least 5–10 easy HTB machines, some steps (like URL encoding the payload or setting up a listener with rlwrap) will feel rushed.
    2. Missing alternative paths – PDFy has at least two ways to get user (one via PDF injection, another via a forgotten API endpoint). The writeup only covers the main path. A short “alternative approach” section would enrich it.
    3. Outdated links – Some referenced GitHub gists for the exploit code are dead (though the author provides inline code, so it’s not crippling).

    1. Reconnaissance & Enumeration