Pdfy Htb Writeup Upd
The wkhtmltopdf tool will follow the Location header and generate a PDF from the local /etc/passwd file, once again leaking the flag inside the PDF.
Alternatively, get a root shell:
As always, we start with an Nmap scan to see which ports are open: nmap -sC -sV -oN nmap_report.txt. Port 22 (SSH): Standard OpenSSH. Port 80 (HTTP): An Apache web server.
Standard attempts to load local files using protocols like file:///etc/passwd are typically blocked by the application's filters. To bypass this, you must host a malicious file on your own server (e.g., using a Python HTTP server or Serveo) that the PDFy service will visit.
$ curl -s 10.10.11.206:8080
The modified PDF file is then uploaded to the system.
PDFY is a web application that allows users to upload PDF files, extract metadata, and convert them to images. The application uses an unsafe system call to pdftotext and pdfimages, allowing command injection via crafted PDF metadata or filenames. Privilege escalation involves a misconfigured sudo permission for a custom PDF processing script.
Here is a full review and walkthrough-style analysis of a PDF-based Hack The Box machine (often identified simply as ).
If you look closely at the metadata generated within the output PDF, or notice the error codes triggered by invalid page parameters, you can identify the backend generation engine: .