webPromedium

Lab 346 — DropVault — Path Traversal via Tar Symlink Cache Poisoning

hackadvisor

Task: DropVault file sharing platform with archive import feature using npm tar v6.1.1 (CVE-2021-32803). Solution: Craft a tar with a directory entry followed by a same-name symlink to /root/ — cache poisoning bypasses symlink protection, scanDir traverses the symlink and registers /root/flag.txt in the database for download.

$ ls tags/ techniques/

sqlite path_traversal file_upload nodejs nginx express symlink tar cache_poisoning alpine_linux cve_2021_32803 archive_extraction multer

tar_symlink_cache_poisoningdirectory_entry_cache_primingsymlink_directory_replacementfs_statsync_symlink_followingdatabase_registered_file_serving

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 159 — ShareVault — Path Traversal via Filter Bypass in File Download— hackadvisor
[web][Pro]DocuVault — Stored XSS via Malicious PDF (CVE-2024-4367)— hackadvisor
[web][Pro]Lab 260 — VaultDrop — Path Traversal via Buffer.prototype.utf8Write Monkey-Patching— hackadvisor
[web][Pro]Lab 393 — ShareVault — Stored XSS via File Browser innerHTML— hackadvisor
[web][Pro]Lab 342 — CloudVault — Stored XSS via Malicious SVG Upload— hackadvisor