webPromedium

Lab 324 — ImageMagick RCE (PixelForge)

hackadvisor

Task: Digital art gallery platform (PixelForge) processes EPS uploads via ImageMagick 7.x + GhostScript with -dNOSAFER. Solution: Exploited CVE-2023-36664 by uploading a malicious EPS file with PostScript %pipe% operator to execute shell commands, writing the flag to a web-accessible path.

$ ls tags/ techniques/

command_injection flask imagemagick rce file_upload nginx decoy_flag ghostscript postscript eps pipe_operator nosafety thumbnail_generation cve_2023_36664

honeypot_flag_detectionghostscript_pipe_command_executionnosafety_misconfiguration_exploitpostscript_rce_via_thumbnailblind_file_write_to_webroot

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 126 — AssetForge — RCE via Ghostscript Pipe Device Bypass (CVE-2023-36664)— hackadvisor
[web][Pro]Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor
[web][Pro]InkDrop— hackadvisor
[web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor