To keep sharpening your offensive capabilities, check out other walk-throughs in the official .
Checking the PDF’s Document Properties (available via the “More Actions” menu) often exposes the software used for conversion. In this challenge, the metadata reveals wkhtmltopdf 0.12.5 as the conversion engine.
Upon launching the challenge, you are greeted with a simple web interface that prompts for a URL. The application’s stated purpose is to "turn your favorite web pages into portable PDF documents".
The reverse shell is received, and the system is exploited.
This walk-through covers the discovery, exploitation, and resolution of the vulnerability to grab the hidden flag.
Challenge Overview
Upload payload.pdf → Observe ICMP echo requests on listener.
Host a PHP file (exploit.php) on a public VPS or via a tunneling service. The script uses the file:// protocol to read local files, for example, using header redirection as shown on ja-errorpro.codes:
We navigate to the user's home directory (e.g., /home/username) and read the user.txt file.
./bin/bash
Inspecting the front-end JavaScript source code reveals a listener processing the form submission:
The internal API has a /debug/exec endpoint (found via fuzzing).
Use URL encoding or redirects to evade basic string filters.
This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.
Craft payload:
From the source, you may find API endpoints, database credentials, or internal service ports. In PDFY, there is often a local service on port 8080 or 5000 that isn't exposed externally.
This comprehensive article breaks down the entire process from initial reconnaissance to flag retrieval.