By inspecting the metadata of the generated PDF files (using tools like exiftool or by looking at the PDF's properties), you can identify the backend engine: .
Input the URL of your hosted redirect script into the PDFy web form (e.g., http://your-server-ip/index.php ). The PDFy server sends a request to your server. pdfy htb writeup upd
This is a known command-line tool that uses the WebKit rendering engine to convert HTML to PDF. Crucially, older versions of this tool are vulnerable to SSRF because they follow redirects and execute JavaScript. By inspecting the metadata of the generated PDF
Leak the contents of /etc/passwd to retrieve the hidden flag. Primary Vulnerability: SSRF via the wkhtmltopdf tool. 1. Initial Enumeration This is a known command-line tool that uses
If using wkhtmltopdf in production, ensure it is updated and configured with --disable-local-file-access to prevent this exact type of leak.
