Sibivasan

Glacier CTF-2024

The application is vulnerable to Zip Slip (tar slip), which is used to get command injection; a SUID privilege is then used to get the flag.

Last updated 6 months ago

Fuzzybytes:

Static analysis:

Upload.php executes /check_for_malicious_code.py to check the uploaded file.

In check_for_malicious_code.py, the application extracts the files from the tar and checks them for malicious content; after checking, it removes the files from the directory.

To extract the .tar, the application uses tar.extractall, and to remove the files it uses shutil.rmtree. Once the file has been uploaded and scanned, the application deletes it.

The tar.extractall function is vulnerable to a directory traversal attack.
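A hardened form of the extraction step in check_for_malicious_code.py, as an added example that is not the challenge's code: every member is validated before anything is written to disk. The names safe_extract, scan_upload, build_sample and UnsafeArchive are hypothetical, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    """Raised when a member would be written outside the extraction directory."""


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only regular files and directories that resolve inside dest."""
    root = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        # Links and device nodes can redirect later writes, so refuse them outright.
        if not (m.isfile() or m.isdir()):
            raise UnsafeArchive(f"unsupported member type: {m.name}")
        target = os.path.realpath(os.path.join(root, m.name))
        # Absolute names and ../ sequences both resolve outside root.
        if os.path.commonpath([root, target]) != root:
            raise UnsafeArchive(f"path escapes extraction dir: {m.name}")
    # Everything was validated first, so a rejected archive writes nothing.
    # Use the built-in "data" filter as a second layer where the runtime has it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(root, members=members, **kwargs)
    return [m.name for m in members]


def build_sample(names: list[str]) -> bytes:
    """Constructed sample input: an in-memory tar with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(b"sample\n")
            tar.addfile(info, io.BytesIO(b"sample\n"))
    return buf.getvalue()


def scan_upload(archive: bytes) -> list[str]:
    """Extract an uploaded archive into a throwaway directory, then clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
            return safe_extract(tar, tmp)


if __name__ == "__main__":
    print(scan_upload(build_sample(["a.txt", "sub/b.txt"])))
```
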

POC:

Dynamic analysis:

Create the tar file:

Try our payload in local environment:

We have uploaded the file:

We successfully traversed and placed the file in the /var/www/html directory.

Successfully got a command execution:

But we were not able to read flag.txt.

We don't have permission to read /root/flag.txt.

While checking for SUID binaries, we found tar.

So we decided to archive the flag using tar.

We uploaded the new payload and executed it.

While checking the local directory, we get flag.tar.

Got the flag locally.

And got the flag in the CTF:

gctf{c0nGr4tZ_on_Z1p_sLiDinG_4nD_Tar_diving}
