PDFy is a challenge on Hack The Box (HTB) that centers on exploiting a Server-Side Request Forgery (SSRF) vulnerability in a web-to-PDF conversion service. The goal is to exfiltrate the contents of the /etc/passwd file from the server to retrieve the flag.

Challenge Overview

Difficulty: Easy
Category: Web
Primary Objective: Leak the /etc/passwd file.
Core Vulnerability: SSRF via a PDF generation library.

Walkthrough & Exploitation Steps
Example (depending on the generator):
gobuster dir -u http://10.10.10.XXX -w /usr/share/wordlists/dirb/common.txt
Steps: