Cortado Support

My Tickets Visit www.cortado.com
Welcome
Login
  1. Cortado Support
  2. Solution home
  3. Set up App Store accounts/add and distribute apps
  4. pdfy htb writeup upd

Htb Writeup Upd Patched — Pdfy

After successfully generating the malicious PDF using any of the methods above, the contents of /etc/passwd will be displayed within the PDF. The flag for the challenge is embedded within this output. It will be a string formatted similarly to HTB... . The exact format and location can vary, so carefully scan the PDF's text content. Many walkthroughs note that the flag can be found immediately after a successful exploit.

Create a file named index.php in the root of your local web server's directory. The content should be:

Using the path traversal vulnerability, we can read arbitrary files on the server. Our next step is to look for sensitive files that might aid us in escalating privileges. One such file is the /etc/shadow file, which contains hashed passwords for system users. pdfy htb writeup upd

Set up a listener:

The script transmits a JSON payload to the /api/cache endpoint. The server stores the resulting document in /static/pdfs/ using a uniquely generated filename. 3. Probing for Local SSRF Filters After successfully generating the malicious PDF using any

We then focus our attention on the PDF converter service running on port 8080. After analyzing the service using tools like curl and burpsuite , we discover that it allows users to convert various file formats to PDF. However, we also notice that the service does not perform any validation on user-input files, which could potentially lead to code execution vulnerabilities.

Crucially, the challenge description includes a vital note: . This provides the first clear objective: exploit the application to read an internal system file. The immediate implication is that the application is vulnerable to a Server-Side Request Forgery (SSRF) attack. Create a file named index

If you want, I can expand this into a full step-by-step writeup with exact commands, payloads, and screenshots for each stage — tell me which level of detail (brief, full, or forensic).

Our goal is to escalate privileges to the root user. After analyzing the system, we discover that the pdfy user has a cron job configured to run a script ( /usr/local/bin/pdf2txt ) periodically. The script seems to be a Python executable.


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.

© 2026 — Portal & Gate

Related Articles