php -S 127.0.0.1:8000
"endpoint": "/download", "methods": ["GET"]
Download one of the successfully generated PDFs (such as the Google snapshot) and analyze its metadata using exiftool . This helps identify the backend engine processing the HTML-to-PDF conversion: exiftool downloaded_file.pdf Use code with caution. pdfy htb writeup upd
: In PDFy, the goal is often to read local files or reach internal services.
If you are playing on a cloud instance and the HTB box cannot route directly to your local IP, use a tool like Serveo to expose your local port 80 to the public internet: ssh -R 80:localhost:80 serveo.net Use code with caution. Copied to clipboard 4. Capturing the Flag 🚩 php -S 127
Inspecting the frontend source code reveals a basic JavaScript handler processing the submission: javascript
The pdf_file.pdf uploaded earlier can be modified to contain a reverse shell. If you are playing on a cloud instance
A web application that converts provided URLs into PDF documents. Vulnerability: Insecure URL handling during PDF generation.
Nothing interesting, but the /uploads directory stores converted PNGs.