Your server responds with a 302 Redirect to file:///etc/passwd .
Leak the contents of /etc/passwd to retrieve the hidden flag. Primary Vulnerability: SSRF via the wkhtmltopdf tool. 1. Initial Enumeration pdfy htb writeup upd
Always validate and sanitize user-provided URLs. Blacklisting "localhost" or "file://" is rarely sufficient, as redirects can often bypass these filters. Your server responds with a 302 Redirect to
By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: . By inspecting the metadata of the generated PDF
This is a known command-line tool that uses the WebKit rendering engine to convert HTML to PDF. Crucially, older versions of this tool are vulnerable to SSRF because they follow redirects and execute JavaScript.
Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php ). The PDFy server sends a request to your server.