Pdfy Htb Writeup Upd !!exclusive!! Jun 2026

By examining the metadata of the generated PDF or observing error messages, the backend is identified as using wkhtmltopdf Test for SSRF: Entering a basic URL like

Ports open:

# Send the malicious file s.send(malicious_file.encode())

Browsing to the target IP on the assigned port reveals a small input box asking for a URL. pdfy htb writeup upd

Your server responds with a 302 Redirect to file:///etc/passwd .

The system prints the content of /etc/passwd inside the newly generated PDF document. Step 4: Exfiltrating the Flag

Upon reading config.php , we discover potential hardcoded credentials or a path to a web shell. In this scenario, we find the application allows uploading files, which we can leverage. 4. Gaining Initial Foothold By examining the metadata of the generated PDF

Web applications and their associated conversion tools should run under service accounts with the minimum necessary permissions to limit the impact of a potential compromise.

Read local configuration files on the target server to capture the hidden flag. Step 1: Reconnaissance & Source Code Analysis

Use code with caution. Step 2: Spin Up a Web Server Step 4: Exfiltrating the Flag Upon reading config

: Use the server as a proxy to peek into the internal network. The Redirect Maneuver

Alternative: The script runs as root, so we can write an SSH key into /root/.ssh/authorized_keys .