- Comment
-
Subscribe
Subscribed
Already have a WordPress.com account? Log in now.
- Privacy
The application will generate a PDF. Download it and open it. You will see the contents of the /etc/passwd file rendered directly inside the PDF. Your flag will be within this content.
The scan reveals that the target system has several open ports, including:
Ngrok will provide you with a public URL (e.g., https://abc123.ngrok.io ). This is the URL you will enter into the PDFy application. pdfy htb writeup upd
An SSRF vulnerability allows an attacker to trick a server into making arbitrary HTTP requests on their behalf. This means an attacker can use the vulnerable server as a proxy to interact with internal systems, resources, and files that are not accessible directly from the public internet.
If we try to point it to http://localhost or http://127.0.0.1 , the application might have a "blacklist" filter that blocks these common keywords to prevent SSRF. To bypass this, we can use a redirect script on our own machine. The Bypass Plan: Host a PHP file on your local attacker machine. The application will generate a PDF
# Close the socket s.close()
The internal wkhtmltopdf parser catches the redirect and fetches the contents of /etc/passwd from its own local filesystem. Your flag will be within this content
Official PDFy Discussion - Challenges - Hack The Box :: Forums
Checking the PDF’s Document Properties (available via the “More Actions” menu) often exposes the software used for conversion. In this challenge, the metadata reveals wkhtmltopdf 0.12.5 as the conversion engine.
Fingertips