b1e4c5f7a9d2e8f3c6a0b1d4e7f9a2c3 Root flag: f2a3d8c9e1b5f7a4d6c0b2e8f9a1c3d4
Download the resulting PDF. Inside, you will see the text content of the server's password file. Scroll through the entries to find the HTB flag, which is typically appended as a comment or a user entry.
: Configure your rendering library explicitly to deny local file access. For wkhtmltopdf , always include flags like --disable-local-file-access in the execution string.
If the remote target is behaving unexpectedly, try running wkhtmltopdf locally with various inputs to understand how it handles redirects and local file protocols.