Ngrok will provide you with a public URL (e.g., https://abc123.ngrok.io). This is the URL you will enter into the PDFy application.
Mastering PDFy on Hack The Box: A Deep Dive SSRF Writeup

The PDFy challenge on Hack The Box stands out as an excellent, realistic lab designed to teach the fundamentals of Server-Side Request Forgery (SSRF). Categorized under web challenges, it simulates a common real-world application feature: taking a user-supplied URL, processing it on the server, and converting the target webpage into a downloadable PDF document.
The search "pdfy htb writeup upd" is common because many players struggle with two things:
If you’re looking for a single resource to conquer PDFy and actually learn from the process, this updated writeup is your best bet. Pair it with the official HTB forum discussion for extra context, and you’ll own the box — and the knowledge — in no time.
The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80.
Start a temporary PHP web server on your attack machine on port 80:
sudo php -S 0.0.0.0:80
Step 3: Triggering the Exploit
Download the generated PDF, and you will see the contents of the /etc/passwd file. Looking through the users, you should notice a user named .
4. Pivoting to the User Flag
crontab -e
The application asks for a URL. If we give it http://google.com, it generates a PDF of Google’s homepage. The real question is:
Since the front-end input filter blocks local IP strings, we can bypass it by hosting a malicious script on our local attack machine (e.g., HTB VPN IP ATTACKER_IP) and submitting our remote URL to the PDFy engine.
Navigating to the website, we find a simple web application that takes a URL and converts the webpage into a PDF document. This is a massive "low-hanging fruit" indicator for SSRF. Whenever an application fetches content from a remote URL you provide, you should immediately test if it can fetch internal resources.
2. Identifying the Vulnerability (SSRF)