# Glacier CTF-2024

By Sibivasan

Published 2024-11-24

The application is vulnerable to a Zip Slip (tar slip) path traversal, which is used to get command injection; a SUID binary is then used to get the flag.

# Fuzzybytes:

# Static analysis:

Upload.php executes the /check_for_malicious_code.py file to check the uploaded file.

In check_for_malicious_code.py, the application extracts the files from the tar archive, checks them for malicious content, and removes them from the directory once the check is done.

To extract the .tar, the application uses tar.extractall, and to clean up it uses shutil.rmtree: once the file has been uploaded and scanned, the application deletes it.

The tar.extractall function is vulnerable to a directory traversal attack.
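A hardened way for the scanner to unpack uploads, as an added example that is not the challenge's code: every member path is resolved against the extraction directory before anything is written, and the whole archive is refused if one member escapes. `safe_extract`, `build_archive` and `scan_upload` are hypothetical names, and the sample archives are constructed in memory.

```python
import io
import os
import tarfile
import tempfile


def safe_extract(tar, dest):
    """Extract only if every member is a plain file/dir inside dest, else ValueError."""
    root = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        if not (m.isreg() or m.isdir()):  # links and device nodes can redirect writes
            raise ValueError(f"{m.name}: member type not allowed")
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"{m.name}: resolves outside {root}")
        m.mode &= 0o755  # drop setuid/setgid/sticky and group/other write bits
    # Where the stdlib ships extraction filters, apply its "data" filter as well.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(root, members=members, **kwargs)


def build_archive(names):
    """Constructed sample input: an in-memory tar with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(b"sample\n")
            tar.addfile(info, io.BytesIO(b"sample\n"))
    buf.seek(0)
    return buf


def scan_upload(names):
    """Extract a constructed archive into <tmp>/scan; report what reached disk."""
    with tempfile.TemporaryDirectory() as parent:
        dest = os.path.join(parent, "scan")
        os.mkdir(dest)
        try:
            with tarfile.open(fileobj=build_archive(names)) as tar:
                safe_extract(tar, dest)
            verdict = "extracted"
        except ValueError:
            verdict = "rejected"
        return verdict, sorted(os.listdir(parent)), sorted(os.listdir(dest))


if __name__ == "__main__":
    print(scan_upload(["notes.txt"]), scan_upload(["notes.txt", "../outside.txt"]))
```

Because validation finishes before `extractall` runs, a rejected archive leaves the scan directory empty, including its otherwise harmless members.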

POC:

# Dynamic analysis:

Create the tar file:

Try our payload in the local environment:

We have uploaded the file:

We have successfully traversed and placed it in the /var/www/html directory.

Successfully got command execution:

But we are not able to read flag.txt.

We don't have permission to read /root/flag.txt.

While checking for SUID binaries, we found tar.

So we decided to archive the flag using tar.

Uploaded the new payload and executed it.

While checking the local directory, we get flag.tar.

Got the flag locally.

And got the flag in the CTF:

Flag: gctf{c0nGr4tZ_on_Z1p_sLiDinG_4nD_Tar_diving}