PDFy — HTB Writeup Upd
sudo /usr/bin/pdftex -shell-escape exploit.tex
We can inject via filename if we control it.
Enter your ngrok URL (e.g., https://abc123.ngrok.io/index.html) into the PDFy application.
The exploitation path usually pivots on identifying the specific tool generating the PDFs.
Create symlink to root’s SSH key? Not possible. Instead:
Review how to perform when a PDF preview is not explicitly shown.
Happy hacking. Remember: Always root legally and ethically.
Use SSRF to interact with this internal service:
Traditional injections (like HTML tags) might not directly validate, but the server must query the provided URL to render it.
Craft an HTML payload that causes the internal PDF generator to execute system commands.
Strictly validate the submitted URL against criteria that permit only the standard http:// or https:// schemes, and reject responses from servers that attempt redirects.
The first breakthrough came from testing the boundaries of that URL input. By pointing the tool toward a local loopback address, the researcher confirmed a Server-Side Request Forgery (SSRF) vulnerability. The server wasn't just fetching public websites; it was willing to talk to itself. The cause was a lack of input validation on the submitted URL.
This revealed several open ports, with notable services including an HTTP server running on port 80 and a PDF-related service on port 8080.






