Upon logging in, we find ourselves in a restricted shell environment. However, we can still perform basic file operations and execute commands.
ngrok http 8080
Create a file named index.php in the root of your local web server's directory. The content should be: pdfy htb writeup upd
The application allows external URLs. If we host a basic PHP script or configuration script on a public Virtual Private Server (VPS) or an exposed local port, we can make the PDFy backend visit our server. Our server will then immediately issue an HTTP redirect header instructing the wkhtmltopdf engine to load a local system resource. Setting up the Exploit Payload Upon logging in, we find ourselves in a
Common findings:
$ sudo bash root@pdfy:/#