This walkthrough demonstrates that the most effective way to learn penetration testing is by doing. PDFy is a perfect starting point for beginners to understand the attack surface of web applications and internal services, bridging the gap between theory and practice in a fun, gamified way.
Next, we access the web application hosted on port 80. The website appears to be a simple PDF converter, allowing users to upload PDF files and convert them to other formats. However, upon closer inspection, we notice that the website uses a peculiar URL parameter, file , which seems to be vulnerable to path traversal attacks.
PDFy (HTB)
The PDFy challenge is an excellent, practical introduction to the world of Server-Side Request Forgery (SSRF) in a controlled environment. It takes a simple concept—a PDF converter—and twists it into a powerful lesson on how trusting user input can lead to a severe security breach.
: In PDFy, the goal is often to read local files or reach internal services. pdfy htb writeup upd
The Hack The Box PDFy challenge involves exploiting Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerabilities within a PDF generation service using an outdated wkhtmltopdf version. By utilizing a redirect or iframe injection, attackers can force the application to read sensitive local files, such as /etc/passwd , allowing for the retrieval of the final flag. For a detailed walkthrough of the writeup, visit Blog Manh Tuong . Exploitation of PDF Generation Vulnerabilities - Academy
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http nginx 1.14.2 This walkthrough demonstrates that the most effective way
If you intended a different machine name, feel free to clarify.
Enter your ngrok URL (e.g., https://abc123.ngrok.io/index.html ) into the PDFy application. The website appears to be a simple PDF
We use the pdftotext command to overwrite the /etc/passwd file:
The reverse shell is received, and the system is exploited.