HTB: PDFy Machine Writeup (Updated)

If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).
The server processes the request. It fetches our index.html , which contains the <iframe> pointing to our axura.php script. The server then fetches our script and receives a redirect to file:///etc/passwd . Finally, it retrieves the contents of the local password file and renders them into a PDF.
Checking the frontend JavaScript source code (often embedded directly in the page or in an attached asset) shows that when a submission occurs, the app sends a POST request to /api/cache with a JSON payload of the form {"url": "http://example.com"}.

Probing for Basic SSRF
Locate the target flag string—typically appended at the bottom of the system file or hidden in a custom directory—to complete the challenge!

🛡️ Remediation: How to Fix SSRF in PDF Generators
# Receive the response
response = s.recv(1024)
To execute this, you will need a public-facing system or an exposed local server to capture the callback. You can use a Virtual Private Server (VPS) or a tunneling tool like Serveo to expose your local environment.

Crafting the Malicious Script
If you look closely at the metadata generated within the output PDF, or notice the error codes triggered by invalid page parameters, you can identify the backend generation engine: .
Interacting with the application web page reveals a single input form requiring a URL. Submitting a legitimate external site (like http://google.com) successfully triggers the application to query the destination and serve a valid HTML layout inside a rendered PDF file.

2. Testing for Direct Local Restrictions
Create a simple PHP or HTML file on your server that issues a Location header redirect.
The UPD for PDFy is typically located in the home directory of a low-privilege user. Let's enumerate.
The first breakthrough came from testing the boundaries of that URL input. By pointing the tool toward a local loopback address, the researcher confirmed a Server-Side Request Forgery (SSRF) vulnerability. The server wasn't just fetching public websites; it was willing to talk to itself. : Lack of input validation on the submitted URL.