Pdfy HTB Writeup (Upd Jun 2026)

All that's left is to deliver the payload. We use Burp Suite or the application's interface to send a POST request to /api/cache with our crafted URL:

Because the application blindly trusts any URL submitted to /api/cache, we can force wkhtmltopdf to fetch and convert internal resources (such as file:///etc/passwd) by embedding special directives in a crafted HTML page.

Before diving into automated tools, manual interaction is crucial. Here’s the initial thought process and the observations that set the stage for the entire engagement:

Submit your payload URL: http:// /exploit.php.

The backend returns the newly generated PDF filename. When you open or view the document in the provided , you will see a text printout of the server’s /etc/passwd configuration file right on your screen.

Configure your underlying PDF utilities to ignore HTTP redirection headers so they do not follow unexpected third-party paths.
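A server-side check in the spirit of the mitigation above, as an added example that is not code from the original writeup or from the Pdfy application: instead of letting the renderer follow redirects, the backend walks the redirect chain itself and re-validates every hop before anything is handed to wkhtmltopdf. The function names, the injected resolve/head callables and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


def is_public_url(url, resolve):
    """True only for http(s) URLs whose host resolves solely to public IPs."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError):
        return False
    # Loopback, RFC 1918, link-local and similar ranges are not "global".
    return bool(addrs) and all(a.is_global for a in addrs)


def check_fetch_chain(url, resolve, head):
    """Follow redirects ourselves; return the final safe URL or None.

    head(url) -> (status, location_or_None) is injected so the logic can be
    exercised offline; in production it would issue a request with automatic
    redirect following switched off.
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not is_public_url(url, resolve):
            return None
        status, location = head(url)
        if status not in REDIRECT_CODES:
            return url
        if not location:
            return None
        url = urljoin(url, location)  # next hop is validated on the next pass
    return None  # redirect limit exceeded


# Constructed sample data: fake DNS answers and fake HEAD responses.
DNS = {"docs.example": ["93.184.216.34"], "redir.example": ["93.184.216.34"]}
RESPONSES = {
    "http://redir.example/r": (302, "file:///etc/passwd"),
    "http://redir.example/hop": (302, "http://127.0.0.1/admin"),
}

def resolve(host):  # IP literals pass through; unknown names fail to parse
    return DNS.get(host, [host])

def head(url):
    return RESPONSES.get(url, (200, None))
```

A check made before the fetch does not pin the renderer to the same DNS answer, so the safest design has the backend download the validated URL itself and pass the renderer only the fetched content.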

Inputting a direct internal scheme or local IP loopback address (e.g., http://127.0.0.1 or file:///etc/passwd) results in an error message. The application implements a basic script validation layer to prevent users from requesting internal resources directly.

3. Identifying the Rendering Engine

./dirty_pipe

<!DOCTYPE html>
<html>
<body>
<h1>Leak /etc/passwd</h1>
<iframe src="file:///etc/passwd" height="800px" width="100%"></iframe>
</body>
</html>