PDFy HTB Writeup UPD May 2026

Pros:

Cons:

Final Verdict: This machine is an excellent bridge between "Easy" and "Medium" difficulty. It teaches that trusted tools (like PDF converters) can become vulnerabilities if they accept untrusted input. It reinforces the importance of sanitizing URL inputs and restricting the protocols (http/https only) that a backend server is allowed to request.


gobuster dir -u http://10.10.10.XXX -w /usr/share/wordlists/dirb/common.txt

Common findings:


The PDF generator accepts HTML input. If you embed an <img> tag whose src points to a local file or an internal service, the server fetches that resource during PDF rendering.

The “UPD” tag is critical. Older versions of the PDFy writeup (from 2020–2021) often missed some nuanced vectors or used deprecated tools. The updated version reviewed here (likely late 2024 or early 2025) reflects:

It’s clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.



Happy hacking. Remember: Always root legally and ethically.

For a writeup of the PDFy challenge on Hack The Box (HTB), the primary vulnerability lies in an SSRF (Server-Side Request Forgery) found in the PDF generation process. The application uses the wkhtmltopdf tool, which can be manipulated to interact with internal resources.

Challenge Overview

Target: A web application that converts provided URLs into PDF documents.

Vulnerability: Insecure URL handling during PDF generation.

Goal: Read local files (like /etc/passwd) using the server's internal access.

Step-by-Step Walkthrough

Reconnaissance & Identification

The web interface accepts a URL to convert to PDF. The backend often uses wkhtmltopdf to render the content.

Traditional injection payloads (like HTML tags) might not be reflected directly, but the server must fetch the provided URL in order to render it.

Foothold: Local File Inclusion (LFI) via SSRF

Since the server fetches and renders the URL, you can use the file:// protocol to point it toward internal system files.

Payload Example: Instead of a web URL, provide file:///etc/passwd to see if the server renders the system's password file into the resulting PDF.

Tip: If the direct file:// protocol is blocked or fails, you can host a simple redirect script on your own server (using Serveo to expose it) that redirects the HTB bot to the local file.

Exploitation & Data Exfiltration

Once you successfully render /etc/passwd, you have confirmed the LFI/SSRF vulnerability.

Use this access to hunt for the flag, typically located in a standard user directory or within the web application's configuration files.

Key Takeaways for Success

Avoid Redirectors with Warnings: Services like ngrok often include browser warnings that can break the automated PDF rendering process. Use cleaner alternatives like Serveo or your own VPS.

Local Testing: If the remote target is behaving unexpectedly, try running wkhtmltopdf locally with various inputs to understand how it handles redirects and local file protocols.

Stay Simple: Many users struggle by overcomplicating the attack with complex reverse proxies. The most straightforward path is often a basic redirect to a file:// URI.
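The verdict at the top of this page names the fix (accept only http/https and sanitize the URL), and the tips above show why a naive check is not enough: a public URL can redirect the renderer to a file:// URI or to localhost. The following is an added example of that defender-side check, not code from the PDFy challenge or from any of the writeups quoted here; the hostnames, the FAKE_DNS table and all function names are assumptions made for the example.

```python
"""
Allowlist check for URLs handed to an HTML-to-PDF renderer (wkhtmltopdf or
similar). Added example; not code from the PDFy challenge.

It rejects the two SSRF vectors the writeup describes: non-http(s) schemes
such as file://, and targets on the renderer's own host or network
(http://localhost, 127.0.0.1, RFC 1918 ranges, link-local addresses).
validate_redirect() re-runs the same check on a Location header, because a
public URL can redirect the renderer to file:///etc/passwd or to an
internal service, which a one-time check of the submitted URL would miss.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)]


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_render_url(url: str, resolve=_system_resolve) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the renderer is about to fetch."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    host = parts.hostname  # already lowercased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"

    try:
        # Literal IP in the URL (127.0.0.1, [::1], 10.0.0.5 ...): check it directly.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed for {host}: {exc}"
        if not addrs:
            return False, f"no address for {host}"

    # Every answer must be public: a single internal record is enough to turn
    # the renderer into a proxy for the internal network.
    for ip in addrs:
        if not _is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def validate_redirect(current_url: str, location: str, resolve=_system_resolve) -> tuple[bool, str]:
    """Re-validate a redirect target (absolute or relative Location) before following it."""
    return validate_render_url(urljoin(current_url, location), resolve)


# Constructed DNS answers so the example runs offline (hostnames are made up).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "internal.corp.example": ["10.0.0.5"],
    "split.example": ["93.184.216.34", "192.168.1.20"],
}


def fake_resolve(host: str) -> list[str]:
    """Stand-in for _system_resolve backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://public.example/report",
        "file:///etc/passwd",
        "http://localhost:5000/",
        "http://[::1]/",
        "http://internal.corp.example/admin",
        "http://split.example/",
    ]:
        print(f"{candidate:40} -> {validate_render_url(candidate, fake_resolve)}")
    print("redirect ->", validate_redirect("https://public.example/r", "file:///etc/passwd", fake_resolve))
```

The check resolves the hostname itself and rejects the URL if any answer is non-public, rather than trusting the string form of the host; the renderer should then be pointed at the validated address, or the fetch should be done by a component that does not follow redirects on its own, so that every hop passes through validate_redirect().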


Pdfy HTB Writeup

Introduction

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

Initial Reconnaissance

The first step in exploiting any box on HTB is to perform initial reconnaissance. This involves gathering information about the target system, including its IP address, open ports, and services.

$ nmap -sV -p- 10.10.11.206
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-09 14:30 EDT
Nmap scan report for 10.10.11.206
Host is up (0.052s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.33 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.6.25 (Ubuntu)
445/tcp  open  microsoft-ds Samba smbd 3.6.25 (Ubuntu)
5000/tcp open  upnp    MiniUPnPd 1.12
8080/tcp open  http    Apache httpd 2.4.33 ((Ubuntu))

The scan reveals that the target system has several open ports, including:

  • 22/tcp: SSH (OpenSSH 8.2p1)
  • 80/tcp and 8080/tcp: HTTP (Apache httpd 2.4.33)
  • 111/tcp: rpcbind
  • 139/tcp and 445/tcp: Samba smbd 3.6.25
  • 5000/tcp: MiniUPnPd 1.12

Enumeration

The next step is to enumerate the services running on these ports to gather more information about the system.

Once you have a shell as the www-data user, the goal is root access.

  • Kernel Exploits: If the machine is older, it might be vulnerable to standard kernel exploits like DirtyCow, though this is less common in modern HTB boxes.
  • Use the file:// protocol or http://localhost to read files.

    Try:

    <img src="file:///etc/passwd">
    

    Generate the PDF. You’ll see the contents of /etc/passwd rendered in the PDF.

    UPD Note: The User Proof Data flag is often not in /etc/passwd, but this confirms LFI via SSRF.