Because the application blindly trusts any URL submitted to /api/cache, we can force wkhtmltopdf to fetch and convert internal resources (such as file:///etc/passwd) by embedding special directives in a crafted HTML page.
[Attacker] ---> Post URL (Exploit Server) ---> [PDFy Web Server]
                                                      |
                                             Follows 302 Redirect
                                                      v
[Attacker Flag] <--- Generates PDF <--- Reads file:///etc/passwd

🔍 Step 1: Initial Reconnaissance & Code Review
<img src="http://127.0.0.1:8080/">
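A defensive counterpart to the trust problem described above, added here as an example and not code from the PDFy writeup or the application: a URL gate that rejects non-http(s) schemes and hosts resolving to non-public addresses, and re-applies that check at every redirect hop, since the 302 in the diagram is what carries the converter to file:///etc/passwd. The function names (is_safe_url, fetch_for_conversion) and the fake network and DNS entries are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

def default_resolver(host):
    """Resolve a hostname to every address it has (A and AAAA records)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def is_public_address(ip):
    """True only for globally routable unicast addresses (rejects loopback, RFC 1918, link-local)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def is_safe_url(url, resolver=default_resolver):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file:///etc/passwd, gopher://, or a URL with no host
    try:
        candidates = {str(ipaddress.ip_address(parts.hostname))}  # literal IP, e.g. 127.0.0.1
    except ValueError:
        try:
            candidates = set(resolver(parts.hostname))  # hostname: every record must be public
        except OSError:
            return False
    return bool(candidates) and all(is_public_address(ip) for ip in candidates)

def fetch_for_conversion(url, fetch, resolver=default_resolver):
    """Follow redirects by hand so each hop is validated; fetch(url) -> (status, headers, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(url, resolver):
            return None  # rejected hop: nothing is handed to the converter
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            return body
        url = urljoin(url, headers["Location"])  # re-validated on the next pass
    return None  # redirect loop or chain too long

# Constructed offline stand-ins for the network and DNS; nothing is actually requested.
FAKE_NET = {
    "http://exploit.example/": (302, {"Location": "file:///etc/passwd"}, b""),  # the redirect trick
    "http://docs.example/": (200, {}, b"<html>ok</html>"),
}
FAKE_DNS = {"exploit.example": {"1.2.3.4"}, "docs.example": {"5.6.7.8"}}  # made-up public IPs
def fake_fetch(url):  # constructed: look up the fake network
    return FAKE_NET.get(url, (404, {}, b""))
def fake_resolver(host):  # constructed: look up the fake DNS
    return FAKE_DNS.get(host, set())
```

Checking the submitted URL and its redirects does not cover subresources embedded in the fetched page itself (such as the <img> tag above), so the converter should additionally run in a network-isolated environment. wkhtmltopdf also ships a --disable-local-file-access option that closes the file:// case at the converter.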
The core vulnerability lies in how the application handles the conversion. Because the application blindly trusts any URL submitted