【HTB Challenge】PDFy - ErrorPro
We launch an nmap scan against the target IP to find open ports and running services.
root::0:0:root:/root:/bin/bash
PDFy is an easy-rated web challenge on Hack The Box that tests your ability to exploit Server-Side Request Forgery (SSRF) via a PDF generation service.
🛠️ Step 1: Reconnaissance
Bookmark it, practice each step in your own lab, and try to explain the exploit to a friend. That’s how you’ll know you’ve truly mastered PDFy.
To execute the exploit successfully, you must orchestrate a controlled redirect.
1. Set Up the Malicious Payload
The wkhtmltopdf tool will render the main HTML page and, while processing it, it will attempt to load the <iframe>. The src="file:///etc/passwd" will cause it to read the local file and embed it into the generated PDF.
You might wonder, "Why not just input file:///etc/passwd directly into the website's URL field?" The application's backend likely has validation in place to check the entered URL. It may only accept http or https protocols, rejecting file://, ftp://, or other internal schemes at the application level. By having the server fetch a remote page first, we bypass this client-side or basic server-side validation. The vulnerability lies within wkhtmltopdf itself, not the PDFy application's URL validator.
// Client-side request that submits the user-supplied URL to the PDF service
fetch("/api/cache", {
  method: "POST",
  body: JSON.stringify({ url: url.value }),
  headers: { "Content-Type": "application/json" },
})
Web Vulnerability Scanning, Command Injection, Privilege Escalation
While the application may block simple attempts like providing file:///etc/passwd directly in the url parameter, the vulnerability can be exploited indirectly by hosting a malicious HTML page that instructs wkhtmltopdf to fetch the internal file.
This educational value makes it more than just a solution — it’s a .
If you are developing a PDF generation service, how can you prevent this vulnerability?
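One way to answer this for a wkhtmltopdf-backed service, as an added example that is not part of the original write-up or the challenge's code: validate the submitted URL and every redirect hop, and start the renderer with local file access disabled. The function names, the sample DNS table and the hostnames are constructed for illustration; `--disable-local-file-access` and `--disable-javascript` are existing wkhtmltopdf options.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample data: a stand-in DNS table so the example runs offline.
SAMPLE_DNS = {"docs.example.test": {"93.184.216.34"},
              "intranet.example.test": {"10.0.0.5"}}

def sample_resolve(host):
    """Hypothetical resolver for the sample: table lookup, IP literals map to themselves."""
    return SAMPLE_DNS.get(host, {host})

def resolve_host(host):
    """Default resolver (assumption: system DNS); returns every address for the name."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_is_allowed(url, resolve=resolve_host):
    """Accept only http(s) URLs whose host resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
            return False
        addrs = resolve(parts.hostname)
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except (OSError, ValueError):
        return False  # unresolvable or malformed input is rejected, not trusted

def chain_is_allowed(hops, resolve=resolve_host):
    """Check the submitted URL and each redirect Location, not only the first URL."""
    return all(url_is_allowed(hop, resolve) for hop in hops)

def wkhtmltopdf_argv(url, out_path):
    """Renderer arguments that stop a fetched page from embedding local files."""
    return ["wkhtmltopdf", "--disable-local-file-access",
            "--disable-javascript", url, out_path]
```

URL checks alone do not cover the case described above, where an allowed remote page embeds a file:// resource; the renderer flag is what closes that path.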
In many HTB "PDF" challenges, common engines include wkhtmltopdf, dompdf, or PDFKit.
🚀 Step 2: Identification & Exploitation