This writeup covers the challenge from Hack The Box , updated as of April 2026. This challenge focuses on exploiting Server-Side Request Forgery (SSRF) via a PDF generation service that uses a vulnerable version of wkhtmltopdf . Challenge Overview
Embed this as a PDF form submission action. pdfy htb writeup upd
The UPD for PDFY is typically located in the home directory of a low-privilege user. Let's enumerate. This writeup covers the challenge from Hack The
Using exiftool :
The HTTP service running on port 8080 appears to be a REST API for managing PDFs. pdfy htb writeup upd
The writeup could use more screenshots of the web interface, especially the PDF upload/generation page. A few diagrams of the privilege escalation flow would also help visual learners.