Lab 345 — PrintForge — RCE via Ghostscript Command Injection

hackadvisor

Task: Document conversion platform using Ghostscript with -dNOSAFER to convert EPS/PS to PDF. Solution: craft a malicious EPS file using PostScript's %pipe% read operator to execute shell commands and render flag file contents as text in the generated PDF.

command_injection rce file_read pdf ghostscript postscript eps pipe_operator document_conversion nosafety

honeypot_flag_detectionghostscript_pipe_command_executionpostscript_file_operator_rcenosafety_misconfiguration_exploitpdf_conversion_pipeline_abuse

$ ls tags/ techniques/

command_injection rce file_read pdf ghostscript postscript eps pipe_operator document_conversion nosafety

honeypot_flag_detectionghostscript_pipe_command_executionpostscript_file_operator_rcenosafety_misconfiguration_exploitpdf_conversion_pipeline_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 126 — AssetForge — RCE via Ghostscript Pipe Device Bypass (CVE-2023-36664)— hackadvisor
[web][Pro]Lab 324 — ImageMagick RCE (PixelForge)— hackadvisor
[web][Pro]InkDrop— hackadvisor
[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor