Lab 155 — DataCraft — Path Traversal via Archive Import (Zip Slip)

hackadvisor

Task: analytics platform with tar.gz dataset import that extracts archives without path sanitization, and EJS report templates rendered server-side. Solution: craft a malicious tar.gz with path traversal (../../) to overwrite an EJS report template with RCE payload, then trigger template rendering to read /root/flag.txt.

rce path_traversal arbitrary_file_write ssti nodejs ejs express template_injection decoy_flag zip_slip tar_archive

decoy_flag_recognitionejs_ssti_to_rcetemplate_file_overwritechild_process_execzip_slip_tar_path_traversal

$ ls tags/ techniques/

rce path_traversal arbitrary_file_write ssti nodejs ejs express template_injection decoy_flag zip_slip tar_archive

decoy_flag_recognitionejs_ssti_to_rcetemplate_file_overwritechild_process_execzip_slip_tar_path_traversal

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 158 — PageCraft — Twig Template Path Traversal via Namespace Bypass— hackadvisor
[web][Pro]Lab 159 — ShareVault — Path Traversal via Filter Bypass in File Download— hackadvisor
[web][Pro]Lab 218 — InsightDash — Web Cache Deception via URL Parser Discrepancy— hackadvisor
[web][Pro]Lab 237 — MailCraft — SSTI in Email Template Preview— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor