Pdfy HTB Writeup

The application allows inputting text or a URL to generate a PDF.

3. Vulnerability Research and Exploitation

Submit the URL of your hosted script (e.g., http://your-vps-ip/exploit.php) into the PDFy input field.

4. Retrieving the Flag

User-controlled input should never be passed directly to backend rendering engines or system commands without rigorous sanitization and validation.

Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json. We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

The web application provides a simple tool where users submit a URL to receive a downloadable PDF screenshot. Behind the scenes, the server fetches the user-provided webpage and converts it into a PDF format using an automated backend utility.

The tool wkhtmltopdf is a widely known open-source command-line tool used to render HTML into PDF using the WebKit rendering engine. Historically, older versions of this library are highly susceptible to and SSRF through embedded HTML objects, frames, or scripts.

The Pdfy box on HTB is a medium-level difficulty box that requires exploitation of a vulnerable PDF upload service to gain access to the system. The system can be fully exploited to gain root access by leveraging command injection, a vulnerable PDF upload service, and weak sudo privileges.

The server returns the contents of the /etc/shadow file, which includes the hashed password for the user pdfy.

Now SSH as root:

Enter your ngrok URL into the PDFy web form (or send a POST request to /api/cache with the URL). The wkhtmltopdf backend will fetch your page, follow the iframe directive, and attempt to render file:///etc/passwd.

Using exiftool: