Zipper
Source: Proving Grounds
OS: Linux
Community Rating: Very Hard
Enumeration & Reconnaissance
I started with the usual autorecon and found two open ports on the target:
SSH (22)
HTTP (80)
Service Analysis
Browsing HTTP, I discovered a page with a file upload feature that lets you upload files and then download them as a zip archive. I played around with it, but without further clues, nothing really stood out.

It wasn’t until I clicked the home link that I noticed a "file" parameter in the URL, an obvious hint of an LFI vulnerability. I tried including /etc/passwd immediately, but it wasn’t that easy. I suspected the application was appending .php to the filename, and even using a null byte (%00) didn’t bypass it.

Gaining Initial Access
Using the php://filter/convert.base64-encode/resource wrapper:

192.168.201.229/index.php?file=php://filter/convert.base64-encode/resource=home

This returned a base64-encoded version of the page. Decoding it revealed the source code and confirmed that .php was indeed being appended. With that confirmed, I uploaded a shell and, using the zip wrapper, executed:

192.168.201.229/index.php?file=zip://uploads/upload_1741612267.zip%23shell
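As an added example (not part of the original write-up), here is a small scanner a defender could run over web server access logs to spot the wrapper-based include attempts described above. The log lines are constructed samples, and the indicator set goes slightly beyond the page by also flagging phar://, data:// and expect:// wrappers, directory traversal and double-encoded payloads:

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines (Apache combined log format), not real traffic.
# They mirror the request shapes discussed in the write-up: a plain include,
# traversal with and without a trailing null byte, and the two PHP wrappers.
SAMPLE_LOG = """\
192.168.45.10 - - [10/Mar/2025:14:02:11 +0000] "GET /index.php?file=home HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
192.168.45.10 - - [10/Mar/2025:14:02:19 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.10 - - [10/Mar/2025:14:02:25 +0000] "GET /index.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.10 - - [10/Mar/2025:14:03:01 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=home HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.168.45.10 - - [10/Mar/2025:14:05:42 +0000] "GET /index.php?file=zip://uploads/upload_1741612267.zip%23shell HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
192.168.45.11 - - [10/Mar/2025:14:06:00 +0000] "GET /upload.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Indicators checked against the percent-decoded request target. The order
# only determines the order of names returned by classify().
INDICATORS = [
    ("php_wrapper", re.compile(r"php://", re.I)),           # php://filter, php://input, ...
    ("zip_wrapper", re.compile(r"(zip|phar)://", re.I)),    # zip://archive#member, phar://
    ("data_wrapper", re.compile(r"(data|expect)://", re.I)),
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("null_byte", re.compile(r"\x00")),                     # %00 becomes NUL after decoding
]


def decode_target(raw: str) -> str:
    """Percent-decode until stable (max 3 rounds) so double-encoded payloads are normalised."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(request_target: str) -> list[str]:
    """Return the names of all indicators matched by one request target."""
    decoded = decode_target(request_target)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(log_text: str) -> list[dict]:
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on malformed input
        hits = classify(m["path"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {','.join(f['indicators'])} {f['path']}")
```

The decoding loop matters: a single unquote() misses payloads that were percent-encoded twice, and the null byte only becomes visible as NUL once the query has been decoded. Status codes are kept in each finding because a 200 on a php://filter request is the signal that the include actually succeeded, whereas a 404 is only an attempt.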

Privilege Escalation
Once in, I ran linpeas.sh to check for privilege escalation vectors. Right away, I spotted a cron job that was running backup.sh every minute. Looking into the script, I found that it uses 7za to zip files in the uploads directory, and its logs are saved to a file I can access.


At first, I was stumped until I came across a neat trick from Hacktricks. The idea is simple: with 7za, if you add -- before the file list, it forces everything after it to be treated strictly as file paths, not as options. This means that if you can create files in the working directory, you can drop an empty marker file named @root.txt (the leading @ makes 7za read root.txt as a list file) along with a symlink called root.txt that points to the file you want to read. When 7za opens root.txt as its list file, it ends up reading the target file. Since that content isn’t a valid file list, 7za throws an error that echoes the file’s contents into the log.

OffSec had already set up an enox.zip that exposed the root password using this technique, but to practice, I created my own zip file (root.zip), linked it directly to the flag, and after waiting a minute, the log file revealed both the root password and the flag. Cool new technique.
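As an added example (not the box’s backup script and not anything from OffSec or Hacktricks), here is a defender-side guard the cron job could run before invoking 7za: it refuses to archive an upload directory that contains @-prefixed names or symlinks whose real target lies outside the tree, and it can quarantine those entries. The fixture directory, the file names and the placeholder secret are constructed here for the demonstration:

```python
from __future__ import annotations

import os
import shutil
import tempfile


def audit_upload_dir(upload_dir: str) -> list[tuple[str, str]]:
    """Return (entry, reason) for every entry that could make 7za read a file outside the tree.

    Two patterns are flagged: names beginning with '@' (7za treats the argument
    '@root.txt' as "read the list of files from root.txt") and symlinks whose
    resolved target is not inside the upload directory.
    """
    base = os.path.realpath(upload_dir)
    findings = []
    for name in sorted(os.listdir(base)):
        full = os.path.join(base, name)
        if name.startswith("@"):
            findings.append((name, "listfile_prefix"))
        if os.path.islink(full):
            target = os.path.realpath(full)
            if os.path.commonpath([base, target]) != base:
                findings.append((name, "symlink_escape"))
    return findings


def safe_to_archive(upload_dir: str) -> bool:
    """Guard for the cron job: True only when the directory passes the audit."""
    return not audit_upload_dir(upload_dir)


def quarantine(upload_dir: str, quarantine_dir: str | None = None) -> list[str]:
    """Move every flagged entry aside (os.rename moves a symlink itself, it never follows it)."""
    if quarantine_dir is None:
        quarantine_dir = upload_dir.rstrip("/") + "_quarantine"
    os.makedirs(quarantine_dir, exist_ok=True)
    moved: list[str] = []
    for name, _reason in audit_upload_dir(upload_dir):
        if name in moved:
            continue  # an entry can match both reasons; move it once
        os.rename(os.path.join(upload_dir, name), os.path.join(quarantine_dir, name))
        moved.append(name)
    return moved


def build_sample_dir() -> tuple[str, str]:
    """Constructed fixture: an uploads directory with one benign upload, an '@' marker
    file and a symlink pointing at a placeholder file outside the directory."""
    root = tempfile.mkdtemp(prefix="zipper_guard_")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    outside = os.path.join(root, "placeholder-secret.txt")  # stands in for any file the backup user can read
    with open(outside, "w") as fh:
        fh.write("placeholder, not a real secret\n")
    with open(os.path.join(uploads, "upload_1741612267.zip"), "wb") as fh:
        fh.write(b"PK\x05\x06" + b"\x00" * 18)  # minimal empty zip, just so an upload exists
    open(os.path.join(uploads, "@root.txt"), "w").close()
    os.symlink(outside, os.path.join(uploads, "root.txt"))
    return root, uploads


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, uploads = build_sample_dir()
    print("findings:", audit_upload_dir(uploads))
    print("safe before quarantine:", safe_to_archive(uploads))
    print("quarantined:", quarantine(uploads))
    print("safe after quarantine:", safe_to_archive(uploads))
    cleanup(root)
```

The guard is only a compensating control. The underlying problems are a backup running with more privilege than the web user over a directory that user can write to, a shell glob that turns arbitrary file names into 7za arguments, and a backup log that is readable by the web user even though 7za’s error messages echo file contents into it. Fixing any one of those breaks the chain; the audit just catches the two file-system patterns the trick relies on.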


Lessons Learned
Click Everywhere: A seemingly innocuous “file” parameter can hide a serious vulnerability.
Check for LFI: Wrappers like php://filter and zip:// are useful for bypassing restrictions and revealing hidden code.
Cron Job Exploitation: The insecure cron job was the path to root.
7za Trick: The 7za trick is a new technique that I learned and was crucial for privilege escalation.