tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26]. : Read the /etc/passwd file to find the flag [13, 14]. The Technique : Since direct file paths (like file:///etc/passwd ) may be blocked by a basic filter, you can use a PHP redirect script hosted on your own server (or a service like ) [1, 11]. redirect.php
The scan reveals that the target system has several open ports, including: pdfy htb writeup upd
Example RPD format: HTBr00t_pr00f_d4t4_456abc tool is known to be vulnerable to SSRF
Visit http://10.10.10.XXX in a browser. You’ll see a simple website that converts HTML to PDF. redirect
After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.
The engine follows the redirect from your server and, because it is running on the local HTB machine, it successfully accesses file:///etc/passwd . The resulting PDF generated by the application will contain the contents of the /etc/passwd file, where the flag is typically located. 【HTB Challenge】PDFy - ErrorPro