25 Apr 2022 | Reading time: ~5 min

Exploit Zip Slip vulnerability in python tarfile

slippy - HackTheBox

#HackTheBox #Challenge #Easy #Web #flask #RCE #__init__.py #path-traversal #python-tarfile #code-review #zip-slip


Table of contents

  1. Introduction
    1. Improved skills
    2. Used tools
  2. Video
  3. Notes
    1. Generate malicious tar.gz files containing relative path
    2. tarfile and zip slip vulnerability related articles and notes

Introduction

Slippy is an easy-difficulty web challenge from HackTheBox that is vulnerable to Zip Slip because of its insecure use of “extractall” from Python’s tarfile module. Because the file names inside the archive are not checked, it is possible to create a malicious archive containing path traversals in order to overwrite other files and obtain remote code execution.

Improved skills

  • Code review
  • Exploit Zip Slip vulnerability to get RCE

Used tools

  • burpsuite
  • tar

Video

Notes

Generate malicious tar.gz files containing relative path

tar -czvf files.tar.gz --absolute-names '../../../../../tmp/test.txt'

You can also use evilarc.py