webPromedium

Lab 126 — AssetForge — RCE via Ghostscript Pipe Device Bypass (CVE-2023-36664)

hackadvisor

Task: Digital asset management platform (AssetForge) that processes EPS/PS/PDF uploads via Ghostscript for thumbnail generation and format conversion. Solution: Exploited CVE-2023-36664 by uploading a malicious EPS file with PostScript %pipe% operator to execute shell commands; flag rendered as text in the generated thumbnail and extracted via OCR.

$ ls tags/ techniques/

command_injection flask rce file_upload ocr nginx ghostscript postscript eps pipe_operator document_conversion nosafety thumbnail_generation cve_2023_36664

honeypot_flag_detectionghostscript_pipe_command_executionnosafety_misconfiguration_exploitpostscript_rce_via_thumbnailocr_data_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 324 — ImageMagick RCE (PixelForge)— hackadvisor
[web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor
[web][Pro]InkDrop— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor
[web][Pro]Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)— hackadvisor