PDFY HTB Writeup (UPD)

When the application successfully processes a standard external URL (such as a public web server), look closely at the generated PDF metadata. You can download the PDF and inspect it using command-line utilities like pdfinfo or by checking how the elements are structured.

Like all good penetration tests, the first step is thorough reconnaissance.

The PDFY challenge has been updated to reflect the fix for the path traversal vulnerability. However, some of the other exploitation steps remain feasible, demonstrating the importance of comprehensive system hardening and continuous vulnerability assessment.

Ensure the application server cannot reach sensitive internal metadata or management IPs.

Response Validation

Read local files or access internal metadata services.

Step 1: Enumeration

I crafted a malicious PDF using tools like pdftk to embed a PHP shell within it. Once uploaded, the server would attempt to convert the PDF, executing my malicious payload in the process. However, I encountered some difficulties here due to restrictions on the upload process.

To bypass the frontend filters, you can use a redirect technique. Instead of pointing the tool directly to a local file, you point it to a server you control (a VPS, or a local server exposed via a tool like Serveo).

Generate the PDF, and the flag appears.

The wkhtmltopdf tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26]. The goal is to read the /etc/passwd file to find the flag [13, 14]. The Technique: since direct file paths (like file:///etc/passwd) may be blocked by a basic filter, you can use a PHP redirect script (redirect.php) hosted on your own server (or a similar hosted service) [1, 11].

The UPD for PDFY is typically located in the home directory of a low-privilege user. Let's enumerate.

Entering internal addresses like http://127.0.0.1 or file:///etc/passwd directly into the input field typically results in an error message or a blocked request. This suggests there is a blacklist or a basic filter in place to prevent direct SSRF.

3. Bypass via Redirect

By inspecting the PDF metadata or generating an error (e.g., submitting a local address), you can identify that the backend uses wkhtmltopdf to perform the conversion [26].

2. Exploitation (SSRF)

Reviewing the client-side JavaScript reveals how the application handles data transmission.