webPromedium

Lab 224 — ModelVault — Path Traversal via OCI Manifest Digest

hackadvisor

Task: AI model registry with OCI manifest import and blob viewer. Digest parameter in /api/blobs/{digest} is split on colon and used to construct filesystem path without sanitization. Solution: Path traversal via ../../../.. in digest hash portion to read /proc/self/environ, which contains the flag in the FLAG environment variable.

$ ls tags/ techniques/

flask lfi path_traversal python nginx alpine_linux honeypot_decoy oci_registry blob_storage digest_validation environment_variable_leak

honeypot_flag_identificationpath_traversal_via_digest_parameteroci_manifest_digest_injectionproc_self_environ_leakenvironment_variable_extraction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 159 — ShareVault — Path Traversal via Filter Bypass in File Download— hackadvisor
[web][Pro]Lab 404 — MindVault — RCE via eval() in Search Filter Expressions— hackadvisor
[web][Pro]Lab 237 — MailCraft — SSTI in Email Template Preview— hackadvisor
[web][Pro]Lab 168 — MetricFlow — Insecure Deserialization via Dashboard Import— hackadvisor
[web][Pro]Lab 209 — BuildForge — Path Traversal in Static File Serving— hackadvisor