PDFy HTB Writeup

To find the flag, look for the unique root paths or user home directories exposed in the /etc/passwd dump. Modify the exploit.php file on your server to target the specific flag file destination (commonly /flag.txt or /root/flag.txt).

wkhtmltopdf is a popular open-source tool that uses the Qt WebKit rendering engine to convert HTML pages into PDFs. A quick search for wkhtmltopdf 0.12.5 vulnerability leads directly to (and also the related CVE-2022-25765). The vulnerability stems from the fact that wkhtmltopdf does not properly handle <iframe> tags. An attacker can inject an <iframe> tag with a src attribute pointing to an arbitrary location. The tool will faithfully follow that link and include the rendered content in the final PDF. Our goal is to use this to make the server fetch a local file instead of a remote website.

Tip: If the direct file:// protocol is blocked or fails, you can host a simple redirect script on your own server (using Serveo to expose it) that redirects the HTB bot to the local file.

"endpoints": [

The Pdfy box on HTB is a medium-level difficulty box that requires exploitation of a vulnerable PDF upload service to gain access to the system. The system can be fully exploited to gain root access by leveraging command injection, a vulnerable PDF upload service, and weak sudo privileges.

Crucially, the challenge description includes a vital note: . This provides the first clear objective: exploit the application to read an internal system file. The immediate implication is that the application is vulnerable to a Server-Side Request Forgery (SSRF) attack.

PDFy is an easy-rated web challenge that focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion tool [26].

1. Enumeration

Port 5000 is not directly accessible from outside (filtered). However, the main web app on port 80 makes requests to localhost:5000 during PDF processing.

: Check the content type and size of the fetched data before processing it.

Security Checklist 🛡️

Identify the PDF generation engine (e.g., wkhtmltopdf).
Test for local file inclusion using file:///etc/passwd
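
On the defensive side, the redirect tip and the localhost:5000 observation above show why a web-to-PDF service has to validate every hop, not just the URL the user submitted. The following is an added example, not code from the challenge or from wkhtmltopdf: a pre-render URL check in which the function names, the fetch_location hook and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 3  # assumed limit on redirects the service will follow


def resolve(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve):
    """Return None if url may be fetched, otherwise the rejection reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"  # blocks file://, gopher://, ...
    if not parts.hostname:
        return "missing host"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return "host does not resolve"
    for ip in addrs:
        # Loopback, RFC 1918, link-local and other non-public ranges are refused,
        # so a name pointing at 127.0.0.1 cannot reach an internal port.
        if not ip.is_global:
            return f"{ip} is not a public address"
    return None


def check_redirect_chain(url, fetch_location, resolver=resolve):
    """Validate url and each redirect target before anything is rendered.

    fetch_location(url) is a hypothetical hook that requests url without
    following redirects and returns the Location header, or None.
    """
    for _ in range(MAX_HOPS + 1):
        reason = check_url(url, resolver)
        if reason:
            return reason
        location = fetch_location(url)
        if location is None:
            return None
        url = urljoin(url, location)  # relative Location headers are allowed
    return "too many redirects"
```

This only covers the top-level URL and its redirects; content embedded in the fetched page (such as an iframe) is loaded by the renderer itself, so wkhtmltopdf should also be run with --disable-local-file-access and without network access to internal services.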