Pdfy HTB Writeup (updated)
The application will generate a PDF. Download it and open it. You will see the contents of the /etc/passwd file rendered directly inside the PDF. Your flag will be within this content.
When wkhtmltopdf converts a web page, it acts like a full-fledged browser. It parses HTML, executes JavaScript (to some extent), and resolves all referenced resources like images, stylesheets, and iframes. The core of the vulnerability is that wkhtmltopdf processes file:// URIs by default without proper restrictions. While modern versions may have additional sandboxing, version 0.12.5 is known to be susceptible to this attack.
Read local files (like /etc/passwd) using the server's internal access.
Step-by-Step Walkthrough
Reconnaissance & Identification
The web interface accepts a URL to convert to PDF. The backend often uses wkhtmltopdf to render the content.
It takes that URL, visits it, and converts the webpage's contents into a downloadable PDF file.
Ensure the application server cannot reach sensitive internal metadata or management IPs.
Response Validation
Take note of the public URL (e.g., https://abc123.ngrok.io ).
Use the server as a proxy to peek into the internal network.
The Redirect Maneuver
Navigate to http://TARGET_IP in your web browser. You are greeted by a simple web interface titled "PDFy". The page contains a single input field asking for a URL and a "Submit" button.
There are several effective ways to craft the malicious HTML page. All of them achieve the same goal: forcing wkhtmltopdf to read the /etc/passwd file. Here are three reliable methods.
Create a simple PHP script named redirect.php on your attack machine. This script will force any visiting client to redirect to a local file or service on the target machine.
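The defensive counterpart to the two weaknesses described above (the "ensure the server cannot reach internal metadata or management IPs" advice and the redirect maneuver) is a fetch-side URL policy that rejects file:// and every non-public destination, and re-applies that policy to each redirect hop instead of only the submitted URL. The following is an added example written for this page, not PDFy's own code; the `resolver` and `next_hop` parameters are hypothetical injection points so the check runs offline, and the BLOCKED_HOSTS entry is a constructed sample.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allow-list policy for a URL-to-PDF service (hypothetical, not PDFy's code).
ALLOWED_SCHEMES = {"http", "https"}          # file://, gopher://, etc. are rejected outright
BLOCKED_HOSTS = {"metadata.google.internal"}  # metadata names that resolve to link-local IPs

def _is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses; rejects RFC1918, loopback,
    link-local (incl. 169.254.169.254 metadata), multicast and unspecified."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # strip IPv6 zone id, e.g. fe80::1%eth0
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_render_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason) for one URL the renderer is about to fetch.
    `resolver` is injectable (hypothetical) so the check can be tested offline."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() in BLOCKED_HOSTS:
        return False, f"blocked host: {host}"
    try:
        infos = resolver(host, None)
    except socket.gaierror:
        return False, f"unresolvable host: {host}"
    for info in infos:  # check every A/AAAA answer, not just the first
        ip = info[4][0]
        if not _is_public_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"

def validate_redirect_chain(url: str, next_hop, resolver=socket.getaddrinfo, max_hops: int = 5):
    """Validate every hop: a public URL that 302s to file:///etc/passwd passes a
    first-URL-only check. `next_hop(url)` is a hypothetical fetch helper that returns
    the Location header of a redirect response (without following it) or None."""
    current = url
    for _ in range(max_hops + 1):
        ok, reason = validate_render_url(current, resolver)
        if not ok:
            return False, reason
        nxt = next_hop(current)
        if nxt is None:
            return True, "ok"
        current = nxt
    return False, "too many redirects"
```

Because the renderer performs its own fetches (and the DNS answer can change between the check and the render), this policy belongs alongside running wkhtmltopdf with --disable-local-file-access and on a network-isolated host rather than as the only control.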
(ALL) NOPASSWD: /usr/bin/pdftex