Pdfy Htb Writeup Upd -

: We navigate to the user's home directory (e.g., /home/username ) and read the user.txt file.

Check sudo rights:

To successfully exploit this, we need a server that is accessible from the internet. The PDFy application must be able to reach our server to fetch our malicious HTML file. pdfy htb writeup upd

Use .

If you closely look at the metadata generated within the output PDF or notice error codes triggered by invalid page parameters, you can identify the backend generation engine: . : We navigate to the user's home directory (e

This reveals a or Node.js API that generates PDFs without sanitization. The internal service is vulnerable to command injection.

: Download a successfully generated PDF from a public URL and look at its metadata, or purposely trigger a verbose error. The engine responsible for converting the webpage to a document is wkhtmltopdf . 2. Deep Dive into wkhtmltopdf Vulnerabilities The internal service is vulnerable to command injection

Every successful Hack The Box challenge begins with a thorough reconnaissance phase. When attacking a web challenge like PDFy, our primary goal is to understand how the application functions, what technologies it utilizes, and where user input is processed.

If the backend server does not strictly validate or restrict the URLs it receives, an attacker can input internal IP addresses (like 127.0.0.1 or localhost ) or private cloud metadata endpoints to access restricted resources. Testing Simple SSRF Payloads

<img src="http://127.0.0.1:8080/generate?html=<iframe src='file:///etc/passwd' />">