Pdfy Htb Writeup Upd !!exclusive!! -

The UPnP service running on port 5000 appears to be a potential attack surface. However, there are no obvious vulnerabilities.

Craft payload:

sudo /usr/local/bin/pdf_convert.py "test; echo '$(cat id_rsa.pub)' >> /root/.ssh/authorized_keys;" pdfy htb writeup upd

Open or download the generated PDF. You will find the contents of the file, including the flag. The UPnP service running on port 5000 appears

Using the information gathered during the enumeration phase, we attempt to exploit the PDF converter service. We use a malicious file to trigger a reverse shell, which allows us to gain initial access to the machine. echo '$(cat id_rsa.pub)' &gt

If the application allows uploading images/files alongside the URL, and the backend uses PHP with specific libraries, it might be vulnerable to Phar Deserialization. However, in most "Pdf" themed boxes, the vector is simpler.