Htb Writeup Upd — Pdfy

Review how to perform when a PDF preview is not explicitly shown.

The Hack The Box PDFy challenge involves exploiting Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerabilities within a PDF generation service using an outdated wkhtmltopdf version. By utilizing a redirect or iframe injection, attackers can force the application to read sensitive local files, such as /etc/passwd, allowing for the retrieval of the final flag. For a detailed walkthrough of the writeup, visit Blog Manh Tuong.

Review how to completely mitigate SSRF vectors.

Use the server as a proxy to peek into the internal network.

The Redirect Maneuver

The exploited user has limited privileges. However, it is possible to escalate privileges to root.

PDFy is a challenge on Hack The Box (HTB) that centers on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service. The goal is to exfiltrate the contents of the /etc/passwd file from the server to retrieve the flag.

Challenge Overview

Difficulty: Easy
Category: Web
Primary Objective: Leak the /etc/passwd file.
Core Vulnerability: SSRF via a PDF generation library.

Walkthrough & Exploitation Steps

Submit a benign live website (e.g., http://google.com) to check if the app functions properly.

The "Aha!" moment occurred when the generated PDF arrived. Inside the document wasn't a webpage, but the raw response from an internal service. By manipulating the SSRF, the researcher could now "read" internal files and services by proxy, effectively turning the PDF generator into a remote file viewer.

Key Takeaways for Developers

We find an unusual script or a cron job running as root. In the case of Pdfy, there is often a customized script in /var/www/html/ or a cron job that interacts with the files we can control.