Zipper Proving Grounds Write-Up
SUMMARY
This write-up covers the Zipper machine from OffSec’s Proving Grounds, a Linux machine where a file upload portal’s automatic zip behavior was chained with a PHP wrapper to achieve code execution.
Port 80 hosted a file upload service that automatically converted uploaded files to ZIP archives and returned a download path. A Local File Inclusion vulnerability was found in the home URL, and testing with a Base64 PHP wrapper confirmed it could read source files. Since uploads were auto-zipped, a PHP webshell was uploaded directly, and the known ZIP path was passed to the phar:// wrapper via the LFI parameter to access the PHP file inside the archive — bypassing the zip container. Command execution as www-data was confirmed, and a BusyBox reverse shell followed.
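As a defender-side example added here (not code from the original write-up), the following Python scans Apache access-log lines for the two signals that chain together on this machine: a PHP stream wrapper (php://, phar://, zip://) or a directory-traversal sequence inside a query parameter. The log lines, client addresses, script names and upload paths are constructed for the example and are not taken from the machine.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in Apache combined format (illustrative only).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "POST /upload.php HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?page=phar://uploads/example.zip/example HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1900 "-" "curl/8.0"
"""

# client, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# PHP stream wrappers that turn an include() of user input into a read or execute primitive
WRAPPER_RE = re.compile(r'^(php|phar|zip|data|expect|file|glob|compress\.\w+)://', re.I)
# plain and URL-encoded "../" sequences
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.I)


def suspicious_params(query):
    """Return (param, reason) pairs for query values that look like LFI attempts."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = value
        for _ in range(2):  # parse_qsl decoded once; decode again to catch double encoding
            decoded = unquote(decoded)
        m = WRAPPER_RE.match(decoded)
        if m:
            findings.append((name, f"stream wrapper {m.group(1).lower()}://"))
        elif TRAVERSAL_RE.search(decoded) or TRAVERSAL_RE.search(value):
            findings.append((name, "path traversal"))
    return findings


def scan(log_text):
    """Parse each log line and emit one alert per suspicious parameter."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, ts, method, target, status = m.groups()
        path, _, query = target.partition("?")
        for param, reason in suspicious_params(query):
            alerts.append({"client": client, "time": ts, "path": path,
                           "param": param, "reason": reason, "status": int(status)})
    return alerts


def by_client(alerts):
    """Count alerts per source address so repeated probing from one host stands out."""
    return dict(Counter(a["client"] for a in alerts))
```

A 200 status on a wrapper request, as in the sample, is the line worth paging on: it means the include resolved rather than failed.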
Privilege escalation was discovered via pspy, which showed a root cronjob running a backup script every minute. The backup log at /opt/backups/backup.log contained a cleartext root password. SSH as root with that password completed the machine.
PATH TO FOLLOW
- Reconnaissance & Auto-Zip Upload Portal Discovery
- LFI Identification in Home URL
- PHP Webshell Upload & phar:// Wrapper Execution
- Reverse Shell as www-data
- Root Cronjob Discovery via pspy
- Backup Log Read for Cleartext Root Password
- SSH as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.