pdfy htb writeup upd

The PDFy challenge on Hack The Box (HTB) is an easy-rated web challenge that focuses on identifying and exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service.

Challenge Summary

Vulnerability: Server-Side Request Forgery (SSRF).
Target Component: wkhtmltopdf (a command-line tool used to render HTML into PDF).
Goal: Use the SSRF to read local files (LFI) from the server and retrieve the flag.

1. Initial Enumeration

If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating a basic blacklist or security filter is in place.

2. Identifying the Technology

This discovery is the key to the entire challenge. We have identified that the application is using wkhtmltopdf, an open-source command-line tool, to render web pages into PDFs.

3. Exploit Strategy & Setup

With the initial reconnaissance complete, the path to exploitation becomes clear. The application is vulnerable to SSRF and uses an outdated, vulnerable version of wkhtmltopdf. These two facts form the foundation of our attack plan.

By hosting a simple script on a public Virtual Private Server (VPS) or an internet-accessible tunnel, you can input your public URL into PDFy. When the backend engine requests your page, your server commands it to redirect internally to a local system resource.

You might wonder, "Why not just input file:///etc/passwd directly into the website's URL field?" The application's backend likely has validation in place to check the entered URL. It may only accept http or https protocols, rejecting file://, ftp://, or other internal schemes at the application level. By having the server fetch a remote page first, we bypass this client-side or basic server-side validation. The vulnerability lies within wkhtmltopdf itself, not the PDFy application's URL validator.

🚀 Step 3: Weaponization and Flag Retrieval

To execute the exploit successfully, you must orchestrate a controlled redirect.

1. Set Up the Malicious Payload

Create a file named index.php in the root of your local web server's directory. The content should be:

The final payload in our index.html file will be:

This effectively bypasses the application's external URL filter because the initial input URL looks completely safe and external to the application's validator.

If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet:

ssh -R 80:localhost:80 serveo.net

4. Capturing the Flag 🚩

Download the resulting PDF. Inside, you will see the text content of the server's password file. Scroll through the entries to find the HTB flag, which is typically appended as a comment or a user entry.

The PDFy challenge serves as a valuable learning experience for cybersecurity enthusiasts, highlighting the importance of thorough vulnerability assessment, creative exploitation, and strategic privilege escalation.
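As an added, defender-side illustration (not code from this writeup, from PDFy or from wkhtmltopdf), the following Python shows the check a URL-to-PDF service needs in order to defeat the redirect trick this challenge relies on: validating only the submitted URL is not enough, every hop of the redirect chain has to be checked for an allowed scheme and a public destination address. The hostile responses, the DNS answers, the attacker.example name and the 1.2.3.4 address are constructed stand-ins.

```python
import ipaddress
from urllib.parse import urljoin, urlparse
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
def host_is_internal(host, resolver):
    """True unless every resolved address is globally routable."""
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    # Loopback, RFC 1918, link-local, reserved and unresolvable hosts all fail.
    return not addrs or any(not a.is_global for a in addrs)
def check_hop(url, resolver):
    """Return a reason string if this URL must not be fetched, else None."""
    p = urlparse(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {p.scheme or '(none)'}"
    if not p.hostname:
        return "missing host"
    if host_is_internal(p.hostname, resolver):
        return f"host is not public: {p.hostname}"
    return None
def safe_fetch(url, fetch, resolver):
    """Follow redirects by hand so every hop is checked, not only the submitted URL."""
    # fetch(url) -> (status, headers, body); resolver(host) -> list of IP strings.
    for _ in range(MAX_REDIRECTS + 1):
        problem = check_hop(url, resolver)
        if problem:
            raise ValueError(f"blocked {url}: {problem}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # next hop gets re-checked
            continue
        return url, body
    raise ValueError("too many redirects")
# Constructed stand-ins, no network: a hostile host that redirects a naive fetcher to a
# local file or to loopback, plus one harmless page. 1.2.3.4 is a placeholder public IP.
FAKE_RESPONSES = {
    "http://attacker.example/to-file": (302, {"Location": "file:///etc/passwd"}, ""),
    "http://attacker.example/to-local": (302, {"Location": "http://localhost/"}, ""),
    "http://attacker.example/ok": (200, {}, "<html>ok</html>"),
}
FAKE_DNS = {"attacker.example": ["1.2.3.4"], "localhost": ["127.0.0.1"]}

def outcome(url):
    try:
        return "fetched " + safe_fetch(url, lambda u: FAKE_RESPONSES.get(u, (404, {}, "")),
                                       lambda h: FAKE_DNS.get(h, []))[0]
    except ValueError as e:
        return str(e)
```

Because the renderer performs the fetches itself, this check only helps if the renderer's outbound traffic actually goes through it or an equivalent filtering proxy. Pin the resolved address for the real connection, since a fresh lookup at connect time can return a different answer.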