Now SSH as root:
This machine is an excellent bridge between "Easy" and "Medium" difficulty. It teaches that trusted tools (like PDF converters) can become vulnerabilities if they accept untrusted input. It reinforces the importance of sanitizing URL inputs and restricting the protocols ( http/https only) that a backend server is allowed to request. pdfy htb writeup upd
\write18cat /root/root.txt
Note: There is no retired machine officially named "Pdfy" on Hack The Box as of early 2024. It is highly likely you are referring to the machine named , or potentially a mix-up with a similar challenge. However, the following review covers the typical "PDF Upload" exploitation scenario found on HTB machines like "Pdf" or similar challenges involving PDF generation. Now SSH as root: This machine is an
When you input a standard website (e.g., http://google.com ), the application processes the request for a few seconds and then returns a PDF document showing a rendered snapshot of the Google homepage. Phase 2: Vulnerability Analysis (SSRF Discovery) \write18cat /root/root
: It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.