| Flag Type | Location | Method |
|-----------|----------|--------|
| | /home/robert/user.txt | LFI via SSRF in PDF generator |
| RPD (Root Proof Data) | /root/root.txt | pdftex with -shell-escape sudo misconfiguration |

```
$ curl -X POST -F "file=@shell.pdf" 10.10.11.206:8080/upload
```

As the pdfy user, we examine the account's groups and privileges. The user is a member of the pdfy group and has read/write access to the `/var/www/pdfy` directory, but has limited privileges and cannot execute system commands.