The tool uses wkhtmltopdf to perform the conversion.
Checking the frontend JavaScript source code (often found directly embedded or inside an attached asset) shows that when a submission occurs, the app sends a POST request to /api/cache with a JSON payload: "url": "http://example.com" Use code with caution. Probing for Basic SSRF pdfy htb writeup upd
To circumvent the direct URL filter (which blocks paths like file:// or internal IP addresses), we must leverage a . The tool uses wkhtmltopdf to perform the conversion
Look closely at the bottom of the system user definitions or within specific configuration outputs exposed inside the document frame to capture your HTB... flag. 5. Remediation Strategies Look closely at the bottom of the system
This script, if accessed via http://our-server.com/axura.php?x=/etc/passwd , will send an HTTP 302 redirect to file:///etc/passwd .
The PDFy challenge exposes a web application designed to take a user-supplied URL, browse to that page, take a screenshot or render its content, and output the result as a downloadable PDF document. Web Difficulty: Easy
Result: Obtain a service file containing credentials or an internal URL exposing an admin panel.