XMAS CTF 2018 Super Secure Siberian Vault

less than 1 minute read

XMAS CTF 2018 Super Secure Siberian Vault

Super Secure Siberian Vault by Johannes

The challenge description implies that we need to upload a zip archive in order to bypass the security.

The first thing, we need to do is to find paths that execute php script and these path are the ./ and ./img

The second step is to identify the vulnerability. I have tried to do the zip symlink attack, which did not work; however, I found another exploitation vector.

What I did was to creata php file containing

<?php echo file_get_contents('../flag.txt'); ?> 

Then rename the file to ..AimgAtintinmotaf and zip it.

Secondly, I did hexedit of the zip file and changed the A-s into / (https://pasteboard.co/HT1L7MM.png)

After uploading the zip uncompressed into the image path, and we can successfully execute it.