Pdfy Htb Writeup Upd !!top!! -

By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: .

If the application can fetch external web pages, can it fetch internal resources? Inputting file:///etc/passwd or http://localhost directly often results in a "URL not allowed" or similar error message, indicating a basic blacklist or security filter is in place. 2. Identifying the Technology

If using wkhtmltopdf in production, ensure it is updated and configured with --disable-local-file-access to prevent this exact type of leak. pdfy htb writeup upd

Official PDFy Discussion - Page 2 - Challenges - Hack The Box

You need a way to serve a 302 Redirect . You can use a simple PHP script or a Python server to achieve this. Use code with caution. Step B: Expose Your Server By inspecting the metadata of the generated PDF

Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".

Your server responds with a 302 Redirect to file:///etc/passwd . You can use a simple PHP script or

The wkhtmltopdf engine follows the redirect and reads the local file. The content of /etc/passwd is rendered into the PDF.

Since the application blocks direct file:// or localhost inputs, the standard bypass is to host a malicious script on your own server. This script will redirect the wkhtmltopdf engine to the local file you want to read.

Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters.