CyberSpace2024 ZipZone CTF : ZipSlip Vulnerability

#$ubh@nk@r
3 min read · Sep 1, 2024


Hey Hackers! In this article, I'll guide you through the process of solving the "ZipZone" challenge from the Cyberspace CTF. This challenge revolves around the ZipSlip vulnerability, a classic directory traversal exploit within ZIP file handling. Let's dive right in and unravel the steps to conquer this challenge!

Challenge Link --> https://2024.csc.tf/challenges#Memory-60

Start:

As it is a web challenge, they gave us a web page with a zip file upload function: the server extracts the contents of the uploaded zip file and shows them to you.

So, make a zip file containing an image, like the one shown below.

Now upload it on that site and it will give you the location where you can access the extracted file.

Location : https://zipzone-web.challs.csc.tf/files/<given_uuid>/<file_name>

So that is how the website works. Some supporting files are also given, including the source code, so I looked into it.

This is a Python server, and the vulnerability is located in app.py. If you read the code you will find the vulnerable line under the def upload(): section.

subprocess.call(["unzip", filename, "-d", f"{upload_dir}files/{upload_uuid}"])

When a ZIP file is uploaded, the above code unzips the file into a specific directory (f"{upload_dir}files/{upload_uuid}") without validating the contents of the ZIP file. An attacker can craft a malicious ZIP file that contains files with paths like ../../../../etc/passwd, which would allow the extracted files to be written outside of the intended directory.
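As an added example (not part of the original write-up or the challenge's app.py), here is the validation step the upload() code lacks: every archive entry is checked for traversal, absolute paths and symlink entries before anything is extracted. The destination path and the three sample archives are constructed for illustration.

```python
import io
import stat
import zipfile
from pathlib import Path

class UnsafeZipEntry(ValueError):
    """Raised when a ZIP entry would escape the extraction directory."""

def check_zip_entries(zip_file, dest_dir):
    """Return entry names safe to extract into dest_dir; raise on the first bad one."""
    dest = Path(dest_dir).resolve()
    safe = []
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            # resolve() normalises ../ segments; absolute names also land outside dest
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeZipEntry(f"path traversal: {info.filename!r}")
            # Unix mode sits in the high 16 bits; a symlink entry can point anywhere
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeZipEntry(f"symlink entry: {info.filename!r}")
            safe.append(info.filename)
    return safe

def build_zip(entries):
    """Build a constructed in-memory archive; entries are (name, data, is_symlink)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:  # Unix symlink mode; `data` becomes the link target
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, data)
    buf.seek(0)
    return buf

def demo():
    """Run the check over three constructed archives and return each verdict."""
    samples = {
        "benign": [("solve.pdf", b"%PDF-1.4 constructed sample", False)],
        "traversal": [("../../../../tmp/evil.txt", b"escapes the upload dir", False)],
        "symlink": [("solve.pdf", b"/etc/passwd", True)],
    }
    verdicts = {}
    for label, entries in samples.items():  # dest path below is hypothetical
        try:
            check_zip_entries(build_zip(entries), "/app/uploads/files/constructed-uuid")
            verdicts[label] = "accepted"
        except UnsafeZipEntry as exc:
            verdicts[label] = str(exc).split(":")[0]
    return verdicts
```

Running the check before calling unzip (or using the returned list as an explicit allow-list) is what stops both the ../ payload and the symlink payload used in this challenge.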

Attack:

So I tried to make a zip file (with a PDF) using a symlink to read the /etc/passwd file.

Then I uploaded the zip file, and when I tried to access that file I got the contents of the passwd file.

So now the task is to get the flag. From the given files we came to know the flag location: it was in /home/user/flag.txt, but now it is in /tmp/flag.txt.

So again I made another payload with the location /tmp/flag.txt.

Then I uploaded it in the Upload section and tried to access the solve.pdf file.

And boom, I got the final flag.

So that is the CTF solution. Hope you learned something new!!

THANKS FOR READING!

If you enjoy this don’t forget to Like it and Follow me for more Articles.

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
