Craft an HTML payload that causes the internal PDF generator to execute system commands.
This updated technical article breaks down the entire lifecycle of the PDFy challenge—from initial discovery to successful file exfiltration. 🗺️ High-Level Attack Chain
ls -la /home/
: We navigate to the user's home directory (e.g., /home/username ) and read the user.txt file. pdfy htb writeup upd
To bypass filters, you need to point the service to a server you control, which then redirects the request back to an internal resource.
While the application may block simple attempts like providing file:///etc/passwd directly in the url parameter, the vulnerability can be exploited indirectly by hosting a malicious HTML page that instructs wkhtmltopdf to fetch the internal file.
PDFy is an easy-level web challenge on Hack The Box (HTB) that simulates a realistic black‑box penetration test. The web application allows users to submit any URL, which is then used to generate a PDF version of the target webpage. The goal of the challenge is to leak the server’s /etc/passwd file to retrieve the flag. Craft an HTML payload that causes the internal
The system will bypass front-end controls, hit your server, follow the 302 Redirect , load the target internal file, and embed its contents right into the generated document. 3. Read the Flag
challenge on Hack The Box (HTB) is an easy-rated web challenge that focuses on identifying and exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service. Challenge Summary Vulnerability: Server-Side Request Forgery (SSRF). Target Component: wkhtmltopdf (a command-line tool used to render HTML into PDF).
The PDFY challenge serves as a valuable learning experience for cybersecurity enthusiasts, highlighting the importance of thorough vulnerability assessment, creative exploitation, and strategic privilege escalation. To bypass filters, you need to point the
is an easy-difficulty web challenge featured on Hack The Box (HTB) . The challenge tests a player's ability to recognize a Server-Side Request Forgery (SSRF) vulnerability and leverage it alongside an underlying component flaw to achieve Local File Inclusion (LFI).
After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges.
Analyze like CVE-2022-25765
sudo /usr/local/bin/pdf_convert.py "test; echo '$(cat id_rsa.pub)' >> /root/.ssh/authorized_keys;"