<img src="http://your-ip:8000/test">
Check your netcat listener. If you receive a request, SSRF is confirmed.
In many HTB PDF challenges, the application processes the metadata of images embedded in the submitted page.
Using the SSRF, read the main PHP file that handles PDF generation.
Common location:
<img src="file:///var/www/html/index.php">
From the source, you may find API endpoints, database credentials, or internal service ports. In PDFY, there is often a local service on port 8080 or 5000 that isn't exposed externally.
The core vulnerability lies in how the application handles the conversion.
user.txt flag.
find / -perm -4000 2>/dev/null
Look for pdftex or tex. If pdftex is SUID root or you can run it as sudo, exploit it.
Check sudo rights:
sudo -l
You might see:
(ALL) NOPASSWD: /usr/bin/pdftex
PDFY is a web application that allows users to upload PDF files, extract metadata, and convert them to images. The application uses an unsafe system call to pdftotext and pdfimages, allowing command injection via crafted PDF metadata or filenames. Privilege escalation involves a misconfigured sudo permission for a custom PDF processing script.
The critical vulnerability in this scenario lies in how the PDF generator renders the input.
file:// protocol, attackers can read the source code of the web application (e.g., file:///var/www/html/app.py). This reveals the libraries used and potential logic flaws.