Utilizing local listeners and reverse shells to establish initial access.
The challenge presents a web application designed to take a user-supplied URL and convert that web page into a downloadable PDF document. By understanding how the backend PDF rendering engine processes redirects, you can bypass local restrictions to read sensitive system files and capture the flag.
is a challenge focused on Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) via a PDF generation tool.
Upon accessing the HTTP service on port 80, I found a default Apache web server page. However, further investigation revealed a peculiar directory listing at /pdfs/, which seemed to host various PDF files.
Create a file named index.php in the root of your local web server's directory. The content should be:
nmap -sC -sV -oA pdfy 10.10.11.xx
<img src="http://127.0.0.1:8080/generate?html=<iframe src='file:///etc/passwd' />">
To successfully exploit this, we need a server that is accessible from the internet. The PDFy application must be able to reach our server to fetch our malicious HTML file.
Use SSRF to interact with this internal service:
Now, go back to the PDFy web interface and enter your IP: http:// :8000/exploit.php
Inputting a standard public URL (such as http://google.com) and submitting the form triggers an asynchronous backend request. The server visits the site, captures the layout, converts it into a PDF asset, and loads it within an inline frame (iframe) on the dashboard.
2. Inspecting the Front-End Code
Save the following code as index.php on your local attacker machine:
Input the URL of your hosted script: http:// :8000/exploit.php . Submit the form.
The SSRF vulnerability in wkhtmltopdf can be triggered by inserting an iframe that points to an internal asset’s IP address or a local file, causing the tool to fetch the embedded resource.
The scan reveals that the target system has several open ports, including: