University (HTB) Exploiting ReportLab CVE‑2023‑33733 to gain...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2025/08/09/htb-university.html
• Blog Title: University (HTB): Exploiting ReportLab CVE‑2023‑33733 to gain RCE and pivot into AD
• Suggested Section: Python Sandbox Escape & Pyscript -> Bypass Python sandboxes (new subpage: ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE, CVE-2023-33733)

🎯 Content Summary

Engagement Summary: Exploiting xhtml2pdf/ReportLab on DC.university.htb

Target: HackTheBox Windows Domain Controller host “DC.university.htb” running nginx → Django app “University”. Goal: abuse PDF export to gain code execution, pivot to data exfiltration and AD reconnaissance.

External Recon

Full-port scan and service enumeration:

nmap -p- -vvv --min-rate 10000 10.10.1...
🔧 Technical Details
ReportLab/xhtml2pdf attribute‑evaluation RCE (CVE‑2023‑33733): When user‑controlled HTML is rendered to PDF, attributes supporting [[[...]]] are evaluated server‑side. Craft an attribute like <font color="[[[ ... ]]]"> that returns a valid color and, during evaluation, pivots to os.system using Python builtins (e.g., getattr(pow,'__globals__')). Place it in any field later rendered into a PDF (e.g., profile Bio) and trigger expo...
🤖 Agent Actions
I analyzed the target blog and the HackTricks repo, and implemented the following updates to capture the ReportLab/xhtml2pdf rl_safe_eval sandbox escape and exploitation technique (CVE-2023-33733):
What I added

New subpage in Python Sandbox Escape section detailing the rl_safe_eval triple-bracket expression evaluation RCE:

File: src/generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
Content includes:

How ReportLab’s rl_safe_eval evaluates [[[...]]] inside certain attributes (e.g., ).
Bypass via recovering real type using type(type(1)) and defining transient Word class to evade denylist and access 'globals'.
RCE primitive: getattr(pow, Word('__gl...






This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
📚 Repository Maintenance

MD files processed: 874
MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
🗑️ File Cleanup

searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/09/htb-university.html

Content Categories: Based on the analysis, this content was categorized under "Python Sandbox Escape & Pyscript -> Bypass Python sandboxes (new subpage: ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE, CVE-2023-33733)".

Repository Maintenance:

• MD Files Formatting: 874 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge