PDFy HTB writeup (upd)

Vulnerability class: Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI)
Target binary component: wkhtmltopdf

1. Initial Reconnaissance & Enumeration

The first step in any penetration test or Capture the Flag (CTF) challenge is gathering information about the target. Start by deploying the machine and capturing its IP address. For this walkthrough, the target IP is written as TARGET_IP.

Step 1: Port Scanning

Navigating to the web application, we find a simple interface that converts HTML content into PDF files. This functionality, a "PDF Generator", immediately flags a high potential for SSRF or command injection. Exploring the site turns up three pages: index.php, about.php and contact.php.

By experimenting with the input fields, we determine that the server relies on a backend tool such as wkhtmltopdf or a similar HTML-to-PDF converter.

Testing for Command Injection/File Read

PDFy enforces basic input validation. Entering a direct path such as file:///etc/passwd into the web interface, or pointing the converter directly at http://127.0.0.1, triggers an error or block mechanism.

Phase 3: Exploitation and Bypass

Older or default configurations of wkhtmltopdf are highly susceptible to SSRF because they execute JavaScript and follow HTTP redirects, so a check applied to the submitted value alone does not bound what the renderer ends up fetching.

Rather than submitting the path directly, the file reference is placed inside the HTML that is to be converted, as an <iframe>. wkhtmltopdf renders the main HTML page and, while processing it, attempts to load the <iframe>. The src="file:///etc/passwd" causes it to read the local file and embed its contents in the generated PDF.

Defensive practices

If you are developing or maintaining applications that generate PDFs from web input, you can protect your systems with defensive practices aimed at the capabilities the payload above relies on: the renderer's ability to read local files, its execution of JavaScript, and its freedom to follow redirects to hosts the input check never saw.

It's clear the author revisited the machine to ensure relevance, which is a breath of fresh air compared to outdated walkthroughs that leave you stuck.
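To make the bypass and the corresponding fix concrete, here is an added Python example; it is not code from the PDFy writeup or from the application it describes. It models the weak check as the writeup reports it (the assumption being that the check inspects only the submitted value as a URL and does not look inside an HTML body), builds the iframe payload that slips past it, and then shows a hardened validator together with the wkhtmltopdf flags that remove local file access and JavaScript. It goes a little beyond the page's single payload by also rejecting decimal, hex and IPv4-mapped spellings of loopback. The function names, the host names and the address mapping used in the test are constructed for this example.

```python
"""
Added example, not code from the PDFy writeup or from the application it
describes. It models the naive check the writeup reports, the iframe payload
that slips past it, and a hardened validator plus wkhtmltopdf flags.
Assumption: the naive check only looks at the submitted value as a URL.
"""
import html
import ipaddress
import re
import socket
from urllib.parse import urlparse

# --- 1. The weak check as the writeup describes it (assumed implementation). ---
BLOCKED_PREFIXES = ("file://", "http://127.0.0.1", "https://127.0.0.1")


def naive_is_blocked(submitted: str) -> bool:
    """Reject only a submitted value that *starts* with a forbidden target."""
    return submitted.strip().lower().startswith(BLOCKED_PREFIXES)


# --- 2. What the attacker submits instead: an HTML body whose iframe does the read. ---
def iframe_payload(path: str = "/etc/passwd") -> str:
    return (
        "<html><body><h1>invoice</h1>"
        f"<iframe src='file://{path}' width='800' height='1200'></iframe>"
        "</body></html>"
    )


# --- 3. Hardened checks. ---
ALLOWED_SCHEMES = {"http", "https"}
# Any file: reference inside the markup, checked after entity decoding so
# that an obfuscated &#102;ile: does not slip through.
LOCAL_SCHEME_RE = re.compile(r"(?i)\bfile\s*:")


def html_references_local_files(markup: str) -> bool:
    return LOCAL_SCHEME_RE.search(html.unescape(markup)) is not None


def _default_resolver(host: str) -> list[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _host_to_addresses(host, resolver):
    """Literal IP (dotted, decimal or hex form) or resolved name -> address objects."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(int(host, 0))]  # 2130706433, 0x7f000001
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_non_public(addr) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_url(url: str, resolver=_default_resolver) -> tuple[bool, str]:
    """Allow only http(s) URLs whose host resolves to public addresses."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = _host_to_addresses(host, resolver)
    except (OSError, ValueError) as exc:
        return False, f"unresolvable host {host!r}: {exc}"
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:
        if is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # A public host may still redirect to 127.0.0.1 and wkhtmltopdf follows it.
    # This check cannot see that, so the renderer itself must be confined (below).
    return True, "ok"


def hardened_render_argv(input_path: str, output_pdf: str) -> list[str]:
    """wkhtmltopdf invocation with local file reads and JavaScript disabled.
    Run it with no network egress (or behind an allowlisting proxy) so that a
    redirect cannot turn the renderer into an SSRF primitive either."""
    return ["wkhtmltopdf", "--disable-local-file-access", "--disable-javascript",
            input_path, output_pdf]


if __name__ == "__main__":
    payload = iframe_payload()
    print("naive check blocks payload:", naive_is_blocked(payload))  # False
    print("hardened scan catches payload:", html_references_local_files(payload))  # True
    print(validate_url("http://2130706433/"))  # (False, '... non-public address 127.0.0.1')
    print(" ".join(hardened_render_argv("job.html", "job.pdf")))
```

The point of the split between validate_url and hardened_render_argv is that input validation is necessary but not sufficient here: because the renderer follows redirects, the only check that holds is the one enforced at the renderer (no local file access, no JavaScript, no unrestricted egress).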