webPromedium

InkDrop

hackadvisor

Task: Flask blogging platform with Pillow-based image thumbnail generation; Ghostscript processes EPS content regardless of file extension. Solution: Upload EPS payload with .jpg extension exploiting CVE-2018-16509 (-dSAFER bypass via failed restore) to achieve RCE and exfiltrate /root/flag.txt.

$ ls tags/ techniques/

command_injection flask rce file_upload pillow nginx image_processing ghostscript postscript eps thumbnail_generation cve_2018_16509 safer_bypass

honeypot_flag_detectionghostscript_safer_bypass_via_failed_restoreeps_content_in_jpg_extension_bypassputdeviceprops_pipe_command_executiondynamic_path_discovery_for_exfiltrationpillow_eps_autodetection_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 126 — AssetForge — RCE via Ghostscript Pipe Device Bypass (CVE-2023-36664)— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor
[web][Pro]Lab 324 — ImageMagick RCE (PixelForge)— hackadvisor
[web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor
[web][Pro]Photo Storage— miptctf