CVE-2022-4510
Published: 2023-01-26
Priority: P260 · high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.84% (97.3th percentile)
A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins.
This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.
This issue affects binwalk from 2.1.2b through 2.3.3 included.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | binwalk | < binwalk 2.3.4+dfsg1-1 (bookworm) | binwalk 2.3.4+dfsg1-1 (bookworm) |
| microsoft | binwalk | >= 0 < 2.3.1+dfsg1-1+deb11u1 | 2.3.1+dfsg1-1+deb11u1 |
| microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1 |
| microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1 |
| microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1 |
| microsoft | binwalk | 2.1.2b – 2.3.3 | — |
| microsoft | binwalk | >= 2.2.0 < 2.3.3 | 2.3.3 |
Detection & IOCs (extracted from sources)
bytes:
5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e
- Detect malicious PFS filesystem header prepended to a PNG file: look for the magic bytes 'PFS/0.9' (hex: 5046532f302e39) followed by a path traversal sequence targeting .config/binwalk/plugins/
- Alert on creation of files under .config/binwalk/plugins/ during binwalk extraction (-e), especially Python (.py) files, which indicates path traversal exploitation of CVE-2022-4510
- Monitor for binwalk spawning outbound nc (netcat) processes with '-e /bin/bash', which is the RCE payload delivered via the malicious plugin
- Monitor for creation of the sentinel file /tmp/.binwalk, which the exploit uses to track whether the payload has already executed
- Flag binwalk invocations in extraction mode (-e) on files dropped into monitored directories (e.g. /var/www/pilgrimage.htb/shrunk/) by privileged processes, as this is the trigger path for exploitation
- Note: the vulnerability only triggers when binwalk is run in extraction mode; passive scanning without -e is not exploitable
- Note: affected version range is 2.1.2b through 2.3.3 inclusive; versions 2.3.4+dfsg1-1 and later are patched
CVSS provenance
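| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |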
OSV
CVE-2022-4510: A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2
osv·2023-01-26·CVSS 7.8
CVE-2022-4510 [HIGH] CVE-2022-4510: A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2
GHSA
Path traversal in binwalk
ghsa·2023-01-26
CVE-2022-4510 [HIGH] CWE-22 Path traversal in binwalk
A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through and including 2.3.3.
OSV
Path traversal in binwalk
osv·2023-01-26
CVE-2022-4510 [HIGH] Path traversal in binwalk
Debian
CVE-2022-4510: binwalk - A path traversal vulnerability was identified in ReFirm Labs binwalk from versio...
vendor_debian·2022·CVSS 7.8
CVE-2022-4510 [HIGH] CVE-2022-4510: binwalk - A path traversal vulnerability was identified in ReFirm Labs binwalk from versio...
Scope: local
bookworm: resolved (fixed in 2.3.4+dfsg1-1)
bullseye: resolved (fixed in 2.3.1+dfsg1-1+deb11u1)
forky: resolved (fixed in 2.3.4+dfsg1-1)
sid: resolved (fixed in 2.3.4+dfsg1-1)
No detection rules found.
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Pilgrimage / README
ctf_writeups·CVSS 6.5
CVE-2022-44268 [MEDIUM] Pilgrimage / README
# Pilgrimage - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `80`.
***User***: Discovered the presence of `/.git` on the main website, utilized `git-dumper` to clone it, and identified the application's utilization of `magick` for image conversion. Leveraged `CVE-2022-44268` to exploit a Local File Inclusion (LFI) vulnerability, thereby gaining access to the SQLite database. Extracted the password of `emily` from the database.
***Root***: Identified that the user `root` executes a script and employs the utility `binwalk`. Exploited the vulnerability `CVE-2022-4510` to establish a reverse shell.
## Pilgrimage Solution
### User
Let's begin by using `nmap` to scan the targe
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Pilgrimage / README
ctf_writeups
Pilgrimage / README
# Pilgrimage
> Write-up author: jon-brandy
## Lesson learned:
- ImageMagick LFI.
- git-dumper.
- binwalk RCE.
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.219 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-27 23:37 PDT
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
| 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open http nginx 1.18.0
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit th
```