Disclaimer: This repository is intended for demonstration and education purposes only. The author does not assume any responsibility for the potential misuse of techniques presented herein.
This repository contains several Docker containers hosting web instances vulnerable to zip attacks.
There are currently two containers to play with.
01-playground. This is a simplified playground with a basic upload interface and codebase for testing various zip payloads. New players are recommended to start here!02-juice. This is the original challenge for Firebird CTF 2024; complete with slick turntable interface, slightly more complex codebase, slightly stronger defenses, and a friendly blobcat.
These containers host a C++ web application built with the Drogon web framework and the Juce audio processing library (v6.1.4) for unzipping files. The frontend contains a file upload form, accepting .mscz files—a zip file format for MuseScore music scores. (You don't need to download MuseScore to get the flag. Just rename your .zip to .mscz.)
In the original challenge, Juce was used for audio synthesis. But to keep things simple, I've minimised the code to only unzip files—a mere shell of its former glory.
-
Build the containers.
cdto the appropriate directory and rundocker compose.# Example cd 01-playground docker compose up -d --build
Grab a drink while the container is being built.
-
Access the container at http://localhost:8080.
-
Debug the container state by (1) opening Docker Desktop and navigating to the container's terminal OR (2) by using
docker exec -it.- This is useful when you want to figure out what was unzipped. Or what location your file was unzipped to.
- Upload a file.
- ???
- Try to read
/app/flag.txt.
Good luck.
Exercises for the reader!
Some guiding questions for 01-playground and 02-juice.
- Drogon will load configuration options from ______ (which file?).
- Static files are served from ______ (which directory?).
- Explore the source code in
src/main.cpp. What endpoints exist?
- Exploit the app with a directory traversal and null-byte injection to read
/app/flag.txt.- Which line(s) of code is/are to blame for this vulnerability?
- Suggest one check to guard against a null-byte injection.
- Exploit the app with a zip symlink attack to read
/app/flag.txt.- How many different payloads can you find? (There are at least 3.)
- Here, "different" means the structure of the zip (and perhaps other things) are significantly different. Simply changing the filename or adding directories isn't considered different.
Things are a lot more challenging!
The app now requires two files to be uploaded: a .mp3 (audio file) and a .mscz (score file). The backend will synthesise the score onto the audio. Samples have been included in /02-juice/samples/.
The app now guards against null-byte injection in the /audio endpoint. More scarily, it also adds a suffix to any unzipped file, so that...
app/
└── uploads/
└── a731c562f49d948e7ebbaa8749f6cb96/
└── evil.mscz/
└── foo.txt
unzipped becomes...
app/
└── uploads/
└── a731c562f49d948e7ebbaa8749f6cb96/
└── evil.mscz/
└── foo.txt
└── foo_a731c562f49d948e7ebbaa8749f6cb96.txt
where foo_a731c562f49d948e7ebbaa8749f6cb96.txt is the unzipped file with the added suffix.
- Exploit the app with directory traversal and a zip symlink attack.
- (You may need to rely on other hidden mechanisms. By hidden, I mean not in the code. Google is your friend.)
- You can still try the other zip symlink attacks to read
/app/flag.txt.- If you figured out multiple payloads... which ones work and which don't?
- Why do they not work now?
One thing I'd like to point out. Here, I used a vulnerable Juce version for the purpose of demonstration/education. It is not my intention to discourage using Juce. After all, these bugs have been fixed more than two years ago.
The playgrounds here wouldn't have been possible without the shoulders of the following frameworks and examples.
- The Juce Framework
- The Drogon Web Framework
- pimskie's Turntable Codepen
- nuhmanpk's Neon Button Animation Codepen
- Various StackOverflow contributors.