Next, we perform a system enumeration using tools like linpeas and systemd-analyze . The results reveal that the machine uses a SystemD service called pdfy-converter to manage the PDF converter service on port 8080.
nmap -sC -sV -oA initial_scan 10.10.11.232 The scan results reveal that the machine is running a web server on port 80, an SSH server on port 22, and a PDF converter service on port 8080. We also notice that the machine has a firewall configured, but it seems to be allowing incoming traffic on port 80. pdfy htb writeup upd
We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite , we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities. Next, we perform a system enumeration using tools
# Create a socket object s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) We also notice that the machine has a
# Send the malicious file s.send(malicious_file.encode())
./bin/bash