webPromedium

Lab 312 — BuildStream — Zip Slip Path Traversal in Artifact Upload

hackadvisor

Task: CI/CD platform with ZIP artifact upload that extracts archives without path sanitization. Solution: craft a malicious ZIP with path traversal (../) to write a Node.js plugin to /tmp/, trigger the build pipeline to execute it, and read the FLAG environment variable from build logs.

$ ls tags/ techniques/

docker rce path_traversal file_upload nodejs express zip_slip ci_cd artifact_upload plugin_execution

arbitrary_file_writeenvironment_variable_exfiltrationzip_slip_path_traversalremote_code_execution_via_pluginbuild_log_data_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 122 — BuildStream — RCE via Expression Sandbox Escape— hackadvisor
[web][Pro]Lab 380 — BuildStream — RCE via Malicious npm Package Preinstall Script— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor
[web][Pro]Lab 209 — BuildForge — Path Traversal in Static File Serving— hackadvisor