Pdfy Htb Writeup Upd Jun 2026

"url": "http://0.tcp.us-cal-1.ngrok.io:19086/index.html"

HTB PDFy Challenge Walkthrough: Exploiting SSRF to Arbitrary File Read

If you are developing a PDF generation service, how can you prevent this vulnerability? pdfy htb writeup upd

We start with an Nmap scan to identify open ports and services. nmap -sC -sV -oA nmap/pdfy 10.10.10.x Use code with caution. Port 22/tcp (SSH): Likely for final access. Port 80/tcp (HTTP): The primary web application. Web Application Analysis (Port 80)

Create a file named index.html in the root of your local web server's directory. "url": "http://0

That’s rare in HTB writeups.

While the frontend validator blocks you from typing a file:// scheme directly into the text field, it only evaluates the URL. It does not validate subsequent locations if the target server issues an HTTP redirection status code (like 302 Found ). Port 22/tcp (SSH): Likely for final access

The PDF generator accepts HTML input. If you embed an <img> tag with a src pointing to a local file or internal service, the server will fetch it during PDF rendering.

The UPD for PDFY is typically located in the home directory of a low-privilege user. Let's enumerate.

Start a temporary PHP web server on your attack machine on port 80: sudo php -S 0.0.0.0:80 Use code with caution. Step 3: Triggering the Exploit

Looking at the basic frontend JavaScript code, the application intercepts the form submission and passes the input URL via a POST request to an API endpoint ( /api/cache ): javascript