Here’s a for a Hack The Box write‑up on the machine PDFY (assuming it’s a typical HTB machine involving PDF parsing, file uploads, or command injection via PDF metadata).
[Attacker Node] ---> (Submits Malicious URL) ---> [PDFy Web Server] ---> (Fetches Page via wkhtmltopdf) ---> [Attacker's Exploitation Server (302 Redirect)] ---> [Internal System Files (file:///)]
After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.
The script transmits a JSON payload to the /api/cache endpoint. The server stores the resulting document in /static/pdfs/ using a uniquely generated filename.
3. Probing for Local SSRF Filters
Every successful Hack The Box challenge begins with a thorough reconnaissance phase. When attacking a web challenge like PDFy, our primary goal is to understand how the application functions, what technologies it utilizes, and where user input is processed.
# Define the malicious file contents
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"
Read local configuration files on the target server to capture the hidden flag.
Step 1: Reconnaissance & Source Code Analysis
By examining the metadata of the generated PDF or observing error messages, the backend is identified as using wkhtmltopdf.
Test for SSRF: Entering a basic URL like
ngrok http 8080
chmod
: We launch an nmap scan against the target IP to find open ports and running services.
But root.txt not readable directly – better:


