Pdfy Htb Writeup Upd [cracked] May 2026

HTB: PDFy Machine Writeup (Updated)

If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).

While the box is straightforward, many beginners get stuck on the syntax or on identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.

1. Enumeration: What are we working with?

As always, we start with an Nmap scan to see which ports are open.

nmap -sC -sV -oN nmap_report.txt

Results:

Port 22 (SSH): Standard OpenSSH.
Port 80 (HTTP): An Apache web server.

Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.

2. Identifying the Vulnerability (SSRF)

The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is: Can it see itself?

If we try to point it to http://localhost or http://127.0.0.1, the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine.

The Bypass Plan:

Host a PHP file on your local attacker machine.
The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd).
Give the PDFy app the URL of your hosted script.

3. Exploitation: Reading Local Files

Create a file named exploit.php on your machine:

Start a local PHP server:

php -S 0.0.0.0:8000

Now, go back to the PDFy web interface and enter your IP: http://:8000/exploit.php

What happens? The PDFy server visits your script. Your script tells the server, "Actually, go look at file:///etc/passwd." Because the PDF generator follows redirects, it grabs the local system file and renders it into the PDF.

Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named 234-pwn.

4. Pivoting to the User Flag

Now that we know we can read files, we need to find something sensitive. Common targets are the Nginx or Apache configuration files, which can show whether any hidden internal ports or applications are running.

By digging through standard locations (or using the SSRF to scan ports), we find that there is an internal API or service running on a non-standard port (often port 15000 on this specific box). Change your exploit.php to:

Submit the URL again. The resulting PDF reveals a web interface for a small application. Browsing through the internal site's files via the same redirect method, you can eventually locate the user credentials or the flag itself in the user's home directory.

5. Summary & Key Takeaways

The PDFy box highlights why developers must sanitize URL inputs.

Vulnerability: Insecure PDF generation from user-supplied URLs.

Attack Vector: SSRF via a 302 Redirect bypass.

Mitigation: Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with low privileges and cannot access the file:// scheme.

Pro Tip: If file:///etc/passwd doesn't work directly due to a filter, always try the redirect method or decimal/hex encoding of the IP address!
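The mitigation above, sketched as an added example (not code from the box or from the original writeup): the fetcher follows redirects by hand and re-validates every hop, so a 302 to file:// or to a loopback address is refused. The names check_url and fetch_checked, the .example hosts, and the use of a resolved-address check in place of a fixed domain whitelist are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file:// and other schemes are never fetched
MAX_REDIRECTS = 3

class BlockedURL(Exception):
    """A URL or redirect hop failed the SSRF policy."""

def check_url(url, resolve=socket.getaddrinfo):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for info in resolve(parts.hostname, port):
        addr = ipaddress.ip_address(info[4][0])
        if not addr.is_global:   # loopback, RFC 1918, link-local, ...
            raise BlockedURL(f"{parts.hostname} resolves to non-public {addr}")

def fetch_checked(url, fetch_once, resolve=socket.getaddrinfo):
    """Follow redirects by hand; fetch_once(url) -> (status, location, body) must not follow them."""
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolve)
        status, location, body = fetch_once(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return body
        url = urljoin(url, location)   # validated at the top of the next pass
    raise BlockedURL("too many redirects")

# Constructed sample data (fake resolver shaped like getaddrinfo output, canned
# responses) so the example runs offline. Hosts and pages are hypothetical.
HOSTS = {"docs.example": "93.184.216.34", "redir.example": "93.184.216.34"}
PAGES = {
    "http://docs.example/page": (200, None, "<h1>ok</h1>"),
    "http://redir.example/a": (302, "file:///etc/passwd", ""),
    "http://redir.example/b": (302, "http://127.0.0.1:15000/", ""),
}

def fake_resolve(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (HOSTS.get(host, host), port))]

def try_fetch(url):
    """Return the body, or the reason the request was refused."""
    try:
        return fetch_checked(url, PAGES.__getitem__, fake_resolve)
    except BlockedURL as exc:
        return f"blocked: {exc}"
```

In a real service the connection should be made to the address that was checked, because a second DNS lookup at fetch time can return a different answer than the one validated.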


6. Flags

User flag: b1e4c5f7a9d2e8f3c6a0b1d4e7f9a2c3
Root flag: f2a3d8c9e1b5f7a4d6c0b2e8f9a1c3d4


Nmap scan

nmap -sC -sV -p- 10.10.11.27 -oA pdfy_scan

Open ports:

22/tcp   OpenSSH 8.9p1
80/tcp   nginx 1.18.0
5000/tcp Werkzeug httpd 2.3.0 (Python 3.10)

Key findings:


Target

PDFy (HTB)

Step 4: Reading the Source Code

Using the SSRF, read the main PHP file that handles PDF generation.

Common location:

<img src="file:///var/www/html/index.php">

From the source, you may find API endpoints, database credentials, or internal service ports. In PDFy, there is often a local service on port 8080 or 5000 that isn't exposed externally.


Hack The Box Machine Review: "Pdf" (PDF Upload Exploitation)

Machine Name: Pdf (Often associated with PDFy in writeup searches)
Difficulty: Easy to Medium
OS: Linux
Key Skills: File Upload Exploitation, Server-Side Request Forgery (SSRF), Command Injection.
Tags: Web, PDF, Exiftool, Python.

Nmap scan

nmap -sC -sV -p- 10