Something slippery is happening here, this virus scan website smells fishy, that's why it's slippy, I need to get to the control panel and see what's going on.

Here we have a website that claims to scan zip files that we upload. It also mentions that zip files will be uploaded to the /files/ directory and that the files inside the zip archive will be extracted using the unzip command. Let's check the source code first.

There is a comment that says the admin page is at /admin. Still, let's check /files/ first.

Alright, let’s see what we have at /admin.

Again, there is a comment at the end of the source code, and it says that if there is a key.txt file containing the short ssid in the ./admin directory, then we don't need a username and password to log in to the admin panel. Let's think about it a little bit. If a key.txt file exists, how can the page know that we are the real admin and not an ordinary user or even a hacker? Let's see if any cookies are already set. As expected, there is a shortssid cookie.

Next, I created a key.txt file that contains my short ssid value.

Now we know that if we put this key.txt in a zip file and upload it, it will be extracted to the /files/ directory. However, we need that file to end up under the /admin directory. I remembered that it was possible to create malicious zip files that contain directory traversal characters, and found a tool called evilarc that claims to create evil zip archives with directory traversal characters embedded in them.
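The weakness the challenge relies on is that entry names inside a zip archive are attacker-controlled strings, so an extractor that trusts them can be made to write outside its target directory. The following added example (my own code, not part of the challenge or the evilarc tool) shows the check a server-side extractor should apply: every entry name is resolved against the destination directory with realpath, and anything that lands outside is rejected and reported. The constructed fixture contains one benign entry and one `../` entry; the function and fixture names are hypothetical.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if the member would land inside dest_dir.

    Resolves the joined path with realpath, so '../' components, absolute
    names and symlinked destination directories are all handled. Backslash
    separators (Windows-style zips) are normalised before the check.
    """
    normalised = member_name.replace("\\", "/")
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, normalised))
    return target == dest_root or target.startswith(dest_root + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract an archive, skipping entries that escape dest_dir.

    Returns {"extracted": [...], "rejected": [...]} so the caller can log
    rejected names; a rejected entry is a strong signal of a crafted upload.
    """
    result = {"extracted": [], "rejected": []}
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                result["rejected"].append(info.filename)
                continue
            # Only names that passed the realpath check reach extract().
            zf.extract(info, dest_dir)
            result["extracted"].append(info.filename)
    return result


def build_sample_archive() -> bytes:
    """Constructed test fixture: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content\n")
        # Constructed traversal entry; the cookie value is a placeholder.
        zf.writestr("../admin/key.txt", "PLACEHOLDER_SESSION_VALUE\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor against the fixture in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` extracts only `report.txt` and reports `../admin/key.txt` as rejected. Checking the resolved path rather than just searching the name for `..` matters because absolute names and symlinks escape a plain substring test; logging the rejected names gives the operator a detection hook for uploads like the one described in this write-up.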

Let’s create our malicious zip archive using evilarc.

After uploading the zip file, I visited the /admin page again.

It looks like a base64 encoded string. Let’s decode it.

It seems the page checks our User-Agent and expects it to be AdminPanel/0.1. Let’s modify the User-Agent header and try again.

Here we get the flag noxCTF{Z1p_Fil3s_Ar3_Fun_H4ha}.