Pdfy Htb Writeup Upd Jun 2026

Visiting the website on port 80 reveals a simple webpage with a link to a PDF file.

Common avenues on Windows PDFy-like boxes:

If you closely look at the metadata generated within the output PDF or notice error codes triggered by invalid page parameters, you can identify the backend generation engine: .

We can use John the Ripper to crack the hashed password: pdfy htb writeup upd

PDFY IP Address: 10.10.11.27 Difficulty: Medium OS: Linux Release Date: May 2024 (approx.)

By hosting a simple script on a public Virtual Private Server (VPS) or an internet-accessible tunnel, you can input your public URL into PDFy. When the backend engine requests your page, your server commands it to redirect internally to a local system resource. 🚀 Step 3: Weaponization and Flag Retrieval

The PDFy challenge is an excellent, practical introduction to the world of Server-Side Request Forgery (SSRF) in a controlled environment. It takes a simple concept—a PDF converter—and twists it into a powerful lesson on how trusting user input can lead to a severe security breach. Visiting the website on port 80 reveals a

You can use a or, for a more convenient solution for CTF challenges, ngrok . Ngrok creates a secure tunnel to your local machine, exposing a local web server to the public internet.

If the direct file:// approach is blocked or yields errors, a server‑side redirect can be used.

The application will generate a PDF. Download it and open it. You will see the contents of the /etc/passwd file rendered directly inside the PDF. Your flag will be within this content. When the backend engine requests your page, your

During our enumeration, we usually discover the application relies on an underlying HTML-to-PDF generation library (such as wkhtmltopdf ). Understanding the technology stack is half the battle; it allows us to look for known Common Vulnerabilities and Exposures (CVEs) or configuration flaws specific to that software.

Create a file named index.php in the root of your local web server's directory. The content should be:

Crucially, the challenge description includes a vital note: . This provides the first clear objective: exploit the application to read an internal system file. The immediate implication is that the application is vulnerable to a Server-Side Request Forgery (SSRF) attack.

Alternatively, if we want to read local system files, we can use the file:// protocol wrapper, which wkhtmltopdf often supports: Use code with caution. Step 2: Launching a Local Web Server

Since the front-end input filter blocks local IP strings, we can bypass it by hosting a malicious script on our local attack machine (e.g., HTB VPN IP ATTACKER_IP ) and submitting our remote URL to the PDFy engine.