zpr

zpr is a web challenge from the Nullcon Berlin HackIM 2023 CTF

download this challenge zip file

3KB

zpr.zip

archive

after reading the code it looks like the first website is for uploading zip files and the second one to view the the files uploaded (such as the files are in the path /tmp/data/hash) where the hash is the md5 hash of the zip filename

let's create a simple zip file and upload it

to upload this zip file we will use a simple request script

and this is the second website where we can view our files that we have uploaded in the first website

Exploitation

we know that the flag is in the root directory but we can view only files that exist in the /tmp/data/ path, to exploit this we will create a symlink to the flag that exists in the root directory and upload it once it's extracted it will point to the flag and get its content

now let's zip it using --symlink to store the symbolic link we have created

let's upload this zip that stores the symbolic link

let's open the link

let's open this flag file and BOOM we've got the flag

so the idea here is upload a symlink that points to the flag file