This writeup explores PDFy, a web-based Hack The Box (HTB) challenge categorized as "Easy." This challenge is a classic introduction to Server-Side Request Forgery (SSRF), demonstrating how an application that renders web pages into PDFs can be coerced into leaking sensitive internal files.

Challenge Overview

Category: Web
Difficulty: Easy
Leak the contents of /etc/passwd to retrieve the hidden flag.
Primary Vulnerability: SSRF via the wkhtmltopdf tool.

1. Initial Enumeration

Entering a standard URL like http://google.com confirms the functionality: the application fetches the page and returns a PDF version of it.

If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating a basic blacklist or security filter is in place.

2. Identifying the Technology

By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: wkhtmltopdf.

Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a malicious script on your own server. This script will redirect the wkhtmltopdf engine to the local file you want to read.

Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php). The PDFy server sends a request to your server.
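The defensive counterpart to the redirect bypass described in this writeup, as an added example that is not part of the original writeup or the challenge's code: it contrasts a filter that inspects only the submitted URL with a check applied to every hop a fetcher would follow. The function names, blocklist strings and the sample redirect chain are constructed for illustration, and hostname resolution is left out so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def naive_input_filter(url):
    """Hypothetical blacklist of the kind the challenge appears to use:
    it looks only at the string the user submitted."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("file://", "localhost", "127.0.0.1"))

def hop_allowed(url):
    """Allow one hop only if it is http(s) and not an internal address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file://, gopher://, empty host, ...
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A hostname, not an IP literal. Assumption: a real deployment
        # resolves the name and checks (and pins) the resulting address.
        return parts.hostname.lower() not in {"localhost", "localhost.localdomain"}
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_unspecified)

def first_blocked_hop(chain):
    """Return the first URL in a redirect chain that fails hop_allowed, else None."""
    for url in chain:
        if not hop_allowed(url):
            return url
    return None

# Constructed sample: the submitted URL, then the Location header it answers with.
SAMPLE_CHAIN = ["http://redirector.example/index.php", "file:///etc/passwd"]

if __name__ == "__main__":
    print("input-only filter accepts submission:", naive_input_filter(SAMPLE_CHAIN[0]))
    print("per-hop check stops at:", first_blocked_hop(SAMPLE_CHAIN))
```

The per-hop rule only helps when it is enforced by the component that actually follows redirects, that is, the fetcher or renderer rather than the form handler.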