
I really spent some time here and went down the rabbit hole of trying to exploit GTFOBins as well as different escape options, but the thing here is the zip.

Here I try to get out of "Head" and out of "zaJT82AcPdConDgYmqTD1PI1oWwFzDDx" to get into the /home/ctf folder. Any attempt to get out of the ctf folder and do anything will say "Permission denied".

So let's execute the command above and see what we have. I went a long way to get here.

Now, the question is how to get the flag. I can add it to the archive, but there is no way to download the zip externally by hitting the full URL and view its content. That should mean there is some other workaround to get the file and view it, I suppose.

Back to "man zip" digging and testing.

If I could do -r ../../ cat flag.txt, that would be amazing, or echo flag.txt. For now, let's do -so to see all supported options:

Played around with different options and ended up with this:

The next step would potentially be a full system compromise with persistence and remote control. This can be achieved in different ways.
