By hosting a simple script on a public Virtual Private Server (VPS) or an internet-accessible tunnel, you can input your public URL into PDFy. When the backend engine requests your page, your server commands it to redirect internally to a local system resource.
🚀 Step 3: Weaponization and Flag Retrieval
This review will break down the writeup’s structure, technical depth, accuracy, and overall value for beginners and intermediate hackers alike.
Isolate the PDF rendering service in a highly restricted network zone or container with no access to internal subnets, the loopback interface (127.0.0.1), or the cloud metadata address (169.254.169.254).
Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server then sends a request to your server.
Now, submit the address of your malicious script to the PDFy input field via the web UI or an API POST request:
The application takes a user-supplied URL, processes the webpage found at that URL, saves it, and outputs a downloadable PDF copy.
Since the front-end input filter blocks local IP strings, we can bypass it by hosting a malicious script on our local attack machine (e.g., the HTB VPN IP ATTACKER_IP) and submitting that remote URL to the PDFy engine.
If the backend successfully processes the URL, it returns a JSON response containing a unique filename, and the resulting file is then rendered on screen from the path /static/pdfs/.
The Core Vulnerability Hypothesis
After gaining an initial foothold on the system through the web application, I needed to escalate my privileges. This involved enumerating the system to find potential vulnerabilities or misconfigurations that could be exploited for privilege escalation.
Before triggering the payload, we set up a listener on our local machine (e.g., using nc -lvnp 4444) to catch the incoming connection.
This means the application implements a blocklist or a basic validation filter to prevent standard local lookups. To bypass this restriction, we need to look at how the application handles redirects.
Inspecting the PDF Metadata