Pdfy HTB Writeup
Output prints the root flag.
Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.
Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.
2. Identifying the Vulnerability (SSRF)
Then, use ngrok to create a TCP tunnel to this port. This is an important nuance.
The backend returns the newly generated PDF filename. When you open or view the document in the provided , you will see a text printout of the server’s /etc/passwd configuration file right on your screen.
We use the pdftotext command to overwrite the /etc/passwd file:
Nothing interesting, but the /uploads directory stores converted PNGs.
The challenge presents a web application designed to take a user-supplied URL and convert that web page into a downloadable PDF document. By understanding how the backend PDF rendering engine processes redirects, you can bypass local restrictions to read sensitive system files and capture the flag.
Because PDF generators often execute underlying system commands to create the PDF, injecting command characters like backticks (`) or piping (|) can lead to Remote Code Execution (RCE).
Enter a public URL (e.g., http://google.com) to confirm it generates a PDF.