PDFy | HTB Writeup
To successfully exploit this, we need a server that is accessible from the internet. The PDFy application must be able to reach our server to fetch our malicious HTML file.
That’s rare in HTB writeups.
Surprisingly, the server returns a portion of the /etc/passwd file, confirming our suspicion of a path traversal vulnerability.
<!DOCTYPE html> <html> <body> <object data="file:///etc/passwd" width="100%" height="800px"></object> </body> </html>
Hack The Box (HTB) is a popular online platform that provides a challenging and interactive environment for cybersecurity enthusiasts to test their skills. One of the recent challenges on HTB is PDFY, a medium-level difficulty box that requires a combination of web exploitation, file analysis, and system compromise. In this writeup, we will walk through the step-by-step process of solving the PDFY challenge, highlighting the key techniques and tools used.
This article provides a comprehensive, step-by-step walkthrough of the PDFy web challenge from Hack The Box. PDFy is a beginner-friendly challenge designed to teach the fundamentals of Server-Side Request Forgery (SSRF). By the end of this guide, you will understand how to identify and exploit this critical web security vulnerability, and what its implications are.
The website presents a simple, clean interface. It is a "black-box" challenge, meaning no source code is provided, mirroring a real-world penetration test scenario.
A common vulnerability in these converters is the ability to read local files or execute commands. We attempt to read the /etc/passwd file by inputting the following into the URL/Text field:
sudo /usr/local/bin/pdf_convert.py "test; echo '$(cat id_rsa.pub)' >> /root/.ssh/authorized_keys;"
No bloated scripts — every tool serves a clear purpose.
cURL, Burp Suite, Python3, Nginx / Apache (or a public VPS)
🔍 Phase 1: Information Gathering & Enumeration
Using ngrok tcp instead of the default HTTP tunnel is crucial. An HTTP tunnel would display a warning page, which the wkhtmltopdf tool cannot process, breaking the exploit. The TCP tunnel creates a raw connection, avoiding this issue.
The application allows external URLs. If we host a basic PHP script or configuration script on a public Virtual Private Server (VPS) or an exposed local port, we can make the PDFy backend visit our server. Our server will then immediately issue an HTTP redirect header instructing the wkhtmltopdf engine to load a local system resource.
Setting up the Exploit Payload




