CVE-2018-6574: go get RCE

This exercise covers a remote command execution vulnerability in Golang's `go get` command.

PRO
Tier
Medium
< 1 Hr.
801
Orange Badge

Course


This lab focuses on CVE-2018-6574, which affects the Golang `go get` command. The vulnerability allows an attacker to execute arbitrary code on a system by tricking a user into installing a malicious package. The exploit involves hosting a malicious package that includes a shared object file (`.so`); the shared object executes a command when the package is built by Golang.

To exploit this vulnerability, an attacker needs a website with TLS and a valid certificate chain to host the malicious package. Once the package is hosted, the attacker can direct the victim to install it, leading to code execution on the victim's machine. This exercise demonstrates how such vulnerabilities can be used to escalate privileges and compromise systems, emphasizing the importance of secure software practices.
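A defender-side pre-build check for the pattern described above, as an added example that is not part of the original exercise: it scans a fetched package tree, without building it, for bundled `.so` files and for `#cgo` directives carrying the gcc/clang plugin-loading flags (`-fplugin=`, `-plugin=`) that this CVE left unblocked. The name `AuditPackage`, the flag list and the sample tree are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Flags that make gcc/clang load a shared object at build time (assumed, illustrative list).
var pluginFlags = []string{"-fplugin=", "-plugin="}

// Constructed sample tree (path -> content), not a real package.
var sample = map[string]string{
	"pkg/main.go":   "package main\n\n// #cgo CFLAGS: -fplugin=./helper.so\nimport \"C\"\n",
	"pkg/helper.so": "\x7fELF",
	"ok/lib.go":     "package lib\n\n// #cgo LDFLAGS: -lm\nimport \"C\"\n",
}

// AuditPackage reads sources without building them; it reports .so files and plugin-loading #cgo flags.
func AuditPackage(files map[string]string) []string {
	var findings []string
	for path, content := range files {
		switch filepath.Ext(path) {
		case ".so":
			findings = append(findings, path+": bundled shared object")
		case ".go":
			for i, line := range strings.Split(content, "\n") {
				// cgo directives live in comments: strip a leading "//" and whitespace.
				line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "//"))
				if !strings.HasPrefix(line, "#cgo") {
					continue
				}
				for _, tok := range strings.Fields(line) {
					for _, f := range pluginFlags {
						if strings.Contains(tok, f) {
							findings = append(findings, fmt.Sprintf("%s:%d: cgo flag %s", path, i+1, tok))
						}
					}
				}
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; sort for stable output
	return findings
}

func main() { fmt.Println(strings.Join(AuditPackage(sample), "\n")) }
```

Run a check like this on source fetched into a scratch directory before any build step, since the code execution happens at build time rather than when the resulting binary runs.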
