Htb Writeup Upd | Pdfy

The server responds with a PDF file, which is placed at /static/pdfs/<random_hash>.pdf. This flow shows that the backend fetches the provided URL, converts the content into a PDF, and stores it for retrieval.

Copy the public URL provided by Serveo (or use your direct VPN IP if reachable). Paste this URL into the input field on the web app.

sudo /usr/local/bin/pdf_convert.py "$(python3 -c 'print("A"*100 + ";chmod 777 /root")')"

Resubmit your script's URL into the target application form to render the updated contents, opening the newly created PDF to capture the final Hack The Box flag.

3. Remediation & Hardening Strategies

<!DOCTYPE html> <html> <body> <object data="file:///etc/passwd" width="100%" height="800px"></object> </body> </html>

The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is:

Using the path traversal vulnerability, we can read arbitrary files on the server. Our next step is to look for sensitive files that might aid us in escalating privileges. One such file is the /etc/shadow file, which contains hashed passwords for system users.

Intercepting the traffic reveals that the application uses a POST request to the /api/cache endpoint, containing a JSON payload with the submitted URL:

Craft payload:

This guide explains how to exploit the on Hack The Box. This easy-rated web challenge features a vulnerable Server-Side Request Forgery (SSRF) vector paired with a Local File Inclusion (LFI) flaw in a PDF-rendering utility.

Then, we create a new file (/tmp/passwd) with the following contents:

With the pdfy user's credentials, we can establish a foothold on the system using SSH: