Upd — Pdfy Htb Writeup

If the remote target is behaving unexpectedly, try running wkhtmltopdf locally with various inputs to understand how it handles redirects and local file protocols.

Create a PHP file (e.g., exploit.php) on an external server or a listening platform controlled by you. The code instructs any visiting client—including the vulnerable wkhtmltopdf binary—to look directly at a local file path:

The critical vulnerability in this scenario lies in .

The script transmits a JSON payload to the /api/cache endpoint. The server stores the resulting document in /static/pdfs/ using a uniquely generated filename.

3. Probing for Local SSRF Filters

http://10.10.10.187/?file=../../../../etc/passwd

cat /usr/local/bin/pdf2txt

The challenge on Hack The Box is an Easy-rated Web Challenge designed to test your understanding of Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) when dealing with automated PDF generation engines.

wkhtmltopdf uses the Qt WebKit rendering engine to convert HTML pages into PDF documents. The vulnerability arises from how it handles certain HTML elements when processing a page. Specifically, wkhtmltopdf does not adequately sanitize certain URLs, making it possible to load local file:// resources. This is a classic SSRF attack vector.

Now, go back to the PDFy web interface and enter your IP: http:// :8000/exploit.php

Use the SSRF to read local files (LFI) from the server and retrieve the flag.


: Server-Side Request Forgery (SSRF) triggered via PDF generation. 1. Initial Reconnaissance