Upd: Pdfy Htb Writeup

Port 5000 is not directly accessible from outside (filtered).
However, the main web app on port 80 makes requests to localhost:5000 during PDF processing.

The HTTP service running on port 8080 appears to be a REST API for managing PDFs.

$ curl -s 10.10.11.206:8080
"endpoints": [
"endpoint": "/upload",
      "methods": ["POST"]
    ,
"endpoint": "/download",
      "methods": ["GET"]
]

Exploitation

The exploitation phase involves using the information gathered during enumeration to gain access to the system.

If you want, I can expand this into a full step-by-step writeup with exact commands, payloads, and screenshots for each stage — tell me which level of detail (brief, full, or forensic).

(Related search suggestions prepared.)

PDFy is a retired Web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) to read local files.

Here is a solid, step-by-step walkthrough to master this challenge. 🔍 Challenge Overview Name: PDFy Category: Web Difficulty: Easy pdfy htb writeup upd

Core Vulnerability: Server-Side Request Forgery (SSRF) triggered via PDF generation. 1. Initial Reconnaissance

When you launch the target instance and navigate to the provided IP address, you will find a simple web application. The Functionality: The app prompts you to input a URL.

The Behavior: It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.

The Goal: Leverage this behavior to trick the server into accessing its own internal files. 2. Identifying the Vulnerability

The application processes a remote resource (the URL you supply) and renders it. This is a textbook environment for SSRF.

If you input a standard website like http://google.com, the app grabs the page and makes a PDF.

If you try to directly input a local file path using the file protocol (e.g., file:///etc/passwd), the application will typically have a blacklist filter in place to block it. 3. Exploiting the SSRF (Bypassing the Filter) Port 5000 is not directly accessible from outside (filtered)

To read local files, you need to bypass the URL input filter. The easiest way to achieve this is by using a Server-Side Redirect hosted on your own machine. Instead of giving the application a direct file path, you give it a URL pointing to a script you control.

Step A: Create a malicious PHP redirect scriptSave the following code as index.php on your local attacker machine: Use code with caution. Copied to clipboard

This script instructs anyone (or any bot) visiting it to immediately redirect to the local /etc/passwd file of the machine reading it.

Step B: Host the scriptStart a local PHP server on your machine on port 80: sudo php -S 0.0.0.0:80 Use code with caution. Copied to clipboard

Step C: Expose your server (If necessary)If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet: ssh -R 80:localhost:80 serveo.net Use code with caution. Copied to clipboard 4. Capturing the Flag 🚩

Copy the public URL provided by Serveo (or use your direct VPN IP if reachable). Paste this URL into the input field on the PDFy web app.

The app will visit your server, get hit with the Location: file:///etc/passwd header, and proceed to render the target machine's local /etc/passwd file into a PDF. If you want, I can expand this into

Open or download the generated PDF. You will find the contents of the file, including the flag.

💡 Pro-Tip: If you ever struggle to find the exact flag location in similar challenges, keep it simple and start by looting files like /etc/passwd or application source code files to find hardcoded environment variables.

Official PDFy Discussion - Page 2 - Challenges - Hack The Box

Here’s a detailed draft for a Hack The Box write‑up on the machine PDFY (assuming it’s a typical HTB machine involving PDF parsing, file uploads, or command injection via PDF metadata).

If PDFY is not an actual retired HTB machine, consider this a template/reference for a realistic PDF‑related challenge.

| Flag Type | Location | Method | |-----------|----------|--------| | UPD (User Proof Data) | /home/robert/user.txt | LFI via SSRF in PDF generator | | RPD (Root Proof Data) | /root/root.txt | pdftex with -shell-escape sudo misconfiguration |

In /home/john/user.txt

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.