If you input a standard website like http://google.com, the app grabs the page and makes a PDF.
When the application successfully processes a standard external URL (such as a public web server), look closely at the generated PDF metadata. You can download the PDF and inspect it using command-line utilities like pdfinfo or by checking how the elements are structured.
Step 2: Spin Up a Web Server
This method uses a simple HTML page hosted on your own machine to redirect wkhtmltopdf to the target local file.
Bookmark it, practice each step in your own lab, and try to explain the exploit to a friend. That’s how you’ll know you’ve truly mastered PDFy.
To successfully exploit this, we need a server that is accessible from the internet. The PDFy application must be able to reach our server to fetch our malicious HTML file.
First, start a simple PHP web server on your local machine:
The PDFy box on HTB is a medium-level difficulty box that requires exploitation of a vulnerable PDF upload service to gain access to the system. The system can be fully exploited to gain root access by leveraging command injection, a vulnerable PDF upload service, and weak sudo privileges.
Web Vulnerability Scanning, Command Injection, Privilege Escalation
Create a simple PHP script named redirect.php on your attack machine. This script will force any visiting client to redirect to a local file or service on the target machine:
sudo /usr/bin/pdftex --shell-escape
Read local configuration files on the target server to capture the hidden flag.
Step 1: Reconnaissance & Source Code Analysis
Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI)
Target Binary Component: wkhtmltopdf
1. Initial Reconnaissance & Enumeration