PDFy HTB Writeup (updated Jun 2026)
The application allows users to input a URL, which it then visits and converts into a downloadable PDF document. By testing the input with a local listener or a tool like Webhook.site, you can confirm that the server makes outbound HTTP requests, indicating a potential SSRF entry point.
Upload the shell (if possible) or use the LFI to include it. Execute commands via:
http://10.10.10.x/shell.php?cmd=id
Launch a netcat listener:
nc -lvnp 4444
When the application successfully processes a standard external URL (such as a public web server), look closely at the generated PDF metadata. You can download the PDF and inspect it using command-line utilities like pdfinfo, or by checking how its elements are structured.
We further analyze the system configurations and search for misconfigurations to escalate our privileges to root. Finally, we navigate to /root/root.txt to capture the final flag.
📝 Summary of Key Takeaways
$ curl -s 10.10.11.206:8080
Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.
A logical first step for any attacker interacting with a URL parser is to check whether the server allows requests to internal systems directly. Try submitting internal loopback paths.
Common avenues on Windows PDFy-like boxes:
User pdfy may run the following commands on pdfy:
    (ALL) NOPASSWD: ALL
We need to trick the wkhtmltopdf tool into visiting our redirector script. For this, we create a minimal HTML page that contains an <iframe> pointing to our script with the target file as a parameter. This is the actual payload we will give to the PDFy application.