Pdfy Htb Writeup Upd Direct

"url": "https://example.com"

PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26]. 1. Enumeration

Create a file named index.php in the root of your local web server's directory. The content should be: pdfy htb writeup upd

Many users struggle by overcomplicating the attack with complex reverse proxies. The most straightforward path is often a basic redirect to a file:// URI.

Navigate to http://TARGET_IP in your web browser. You are greeted by a simple web interface titled "PDFy". The page contains a single input field asking for a URL and a "Submit" button. "url": "https://example

Generate the PDF, and the flag appears.

The core functionality—fetching a remote URL and rendering it—is a textbook indicator for potential . The content should be: Many users struggle by

Enter your ngrok URL into the PDFy web form (or send a POST request to /api/cache with the URL). The wkhtmltopdf backend will fetch your page, follow the iframe directive, and attempt to render file:///etc/passwd .

The wkhtmltopdf tool will process this HTML, see the <iframe> , and make a request to the URL within it ( http://our-server.com/axura.php?... ). Our script, axura.php , will then respond with a redirect to file:///etc/passwd . The wkhtmltopdf tool will faithfully follow this redirect as well, and attempt to include the content of the local file into the PDF.

Input the URL of your hosted script: http:// :8000/exploit.php . Submit the form.