Pdfy Htb Writeup Upd

While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.

1. Enumeration: What are we working with?

Inputting a standard external domain such as http://google.com succeeds, yielding a downloadable PDF of the rendered page.

Start a lightweight development web server inside the directory where your script resides:

php -S 0.0.0.0:8000

4. Execution & Retrieving the Flag

Go back to the PDFy web interface. In the input box, enter the URL of your malicious script.

<!DOCTYPE html>
<html>
<body>
<h1>Leak /etc/passwd</h1>
<iframe src="file:///etc/passwd" height="800px" width="100%"></iframe>
</body>
</html>

Inputting a standard public URL (such as http://google.com) and submitting the form triggers an asynchronous backend request. The server visits the site, captures the layout, converts it into a PDF asset, and loads it within an inline frame (iframe) on the dashboard.

2. Inspecting the Front-End Code

Since the server uses a command-line tool (like wkhtmltopdf or similar libraries) to convert web pages to PDFs, we can abuse the command substitution features native to the underlying shell.

The challenge on Hack The Box (HTB) is an easy-rated web challenge focusing on Server-Side Request Forgery (SSRF) and exploiting vulnerable third-party components—specifically the HTML-to-PDF engine wkhtmltopdf.

If you are running this locally, you must expose your server to the internet so the HTB challenge instance can reach it. Using a Reverse Proxy or tools like Serveo is recommended over ngrok for this specific challenge to avoid browser warning screens that might break the automated PDF rendering.

Because PDF generators often execute underlying system commands to create the PDF, injecting command characters like backticks (`) or pipes (|) can lead to Remote Code Execution (RCE).

This script, if accessed via http://our-server.com/axura.php?x=/etc/passwd, will send an HTTP 302 redirect to file:///etc/passwd.

Submit the URL of your hosted script (e.g., http://your-vps-ip/exploit.php) into the PDFy input field.
