Configure your rendering library explicitly to deny local file access. For wkhtmltopdf, always include flags like --disable-local-file-access in the execution string.
The HTTP service running on port 8080 appears to be a REST API for managing PDFs.
Looking at the basic frontend JavaScript code, the application intercepts the form submission and passes the input URL via a POST request to an API endpoint (/api/cache).
sudo /usr/local/bin/pdf_convert.py "test; cp /root/root.txt /tmp/root_copy.txt;"
The file will redirect any incoming request to a local file on the HTB server (like /etc/passwd). Give the PDFy app the URL of your hosted script.

3. Exploitation: Reading Local Files

Create a file named exploit.php on your machine:

Start a local PHP server: php -S 0.0.0.0:8000
The wkhtmltopdf tool will process this HTML, see the <iframe>, and make a request to the URL within it (http://our-server.com/axura.php?...). Our script, axura.php, will then respond with a redirect to file:///etc/passwd. The wkhtmltopdf tool will faithfully follow this redirect as well, and attempt to include the content of the local file into the PDF.
import sys
import os
Leak the contents of /etc/passwd to retrieve the hidden flag.

Primary Vulnerability: SSRF via the wkhtmltopdf tool.

1. Initial Enumeration

Looking at the basic frontend JavaScript code, the