Zipper

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Very Hard

Enumeration & Reconnaissance

I started with the usual autorecon and found two open ports on the target:
- SSH (22)
- HTTP (80)

Browsing HTTP, I discovered a page with a file upload feature that lets you upload files and then download them as a zip archive. I played around with it, but without further clues, nothing really stood out.

It wasn’t until I clicked the home link that I noticed a "file" parameter in the URL, an obvious hint of an LFI vulnerability. I tried including /etc/passwd immediately, but it wasn’t that easy. I suspected the application was appending .php to the filename, and even using a null byte (%00) didn’t bypass it.

php://filter/convert.base64-encode/resource

192.168.201.229/index.php?file=php://filter/convert.base64-encode/resource=home

Returned a base64-encoded version of the page. Decoding it revealed the source code and confirmed that .php was indeed being appended. With that confirmed, I uploaded a shell and, using the zip wrapper, executed:

192.168.201.229/index.php?file=zip://uploads/upload_1741612267.zip%23shell

Once in, I ran linpeas.sh to check for privilege escalation vectors. Right away, I spotted a cron job that was running backup.sh every minute. Looking into the script, I found that it uses 7za to zip files in the uploads directory, and its logs are saved to a file I can access.

At first, I was stumped until I came across a neat trick from Hacktricks. The idea is simple: with 7za, if you add -- before the file list, it forces everything after to be treated strictly as file paths, not as options. This means if you can create files in the working directory, you can drop a marker file named @root.txt (telling 7za a file list is coming) along with a symlink called root.txt that points to the file you want to read. When 7za processes root.txt, it ends up reading the target file. Since the file content isn’t a valid list, 7za throws an error that ends up revealing the file’s content.
OffSec had already set up an enox.zip that exposed the root password using this technique, but to practice, I created my own zip file (root.zip), linked it directly to the flag, and after waiting a minute, the log file revealed both the root password and the flag. Cool new technique.

Click Everywhere: A seemingly innocuous “file” parameter can hide a serious vulnerability.
Check for LFI: Wrappers like php://filter and zip:// are useful for bypassing restrictions and revealing hidden code.
Cron Job Exploitation: The insecure cron job the path to root.
7za Trick: The 7za trick is a new technique that I learned and was crucial for privilege escalation.

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Very Hard

I started with the usual autorecon and found two open ports on the target:
- SSH (22)
- HTTP (80)

Browsing HTTP, I discovered a page with a file upload feature that lets you upload files and then download them as a zip archive. I played around with it, but without further clues, nothing really stood out.

It wasn’t until I clicked the home link that I noticed a "file" parameter in the URL, an obvious hint of an LFI vulnerability. I tried including /etc/passwd immediately, but it wasn’t that easy. I suspected the application was appending .php to the filename, and even using a null byte (%00) didn’t bypass it.

php://filter/convert.base64-encode/resource

192.168.201.229/index.php?file=php://filter/convert.base64-encode/resource=home

Returned a base64-encoded version of the page. Decoding it revealed the source code and confirmed that .php was indeed being appended. With that confirmed, I uploaded a shell and, using the zip wrapper, executed:

192.168.201.229/index.php?file=zip://uploads/upload_1741612267.zip%23shell

Once in, I ran linpeas.sh to check for privilege escalation vectors. Right away, I spotted a cron job that was running backup.sh every minute. Looking into the script, I found that it uses 7za to zip files in the uploads directory, and its logs are saved to a file I can access.

At first, I was stumped until I came across a neat trick from Hacktricks. The idea is simple: with 7za, if you add -- before the file list, it forces everything after to be treated strictly as file paths, not as options. This means if you can create files in the working directory, you can drop a marker file named @root.txt (telling 7za a file list is coming) along with a symlink called root.txt that points to the file you want to read. When 7za processes root.txt, it ends up reading the target file. Since the file content isn’t a valid list, 7za throws an error that ends up revealing the file’s content.
OffSec had already set up an enox.zip that exposed the root password using this technique, but to practice, I created my own zip file (root.zip), linked it directly to the flag, and after waiting a minute, the log file revealed both the root password and the flag. Cool new technique.

Click Everywhere: A seemingly innocuous “file” parameter can hide a serious vulnerability.
Check for LFI: Wrappers like php://filter and zip:// are useful for bypassing restrictions and revealing hidden code.
Cron Job Exploitation: The insecure cron job the path to root.
7za Trick: The 7za trick is a new technique that I learned and was crucial for privilege escalation.