Tar Inspector:

Since this one came out with no hints, it was very hard to solve because we did not know the filtered character list, so it would have been a long guessing game.

import os
import re
from random import randrange

# creates a secured version of the filename
def secure_filename(filename):
    # strip extension and any sneaky path traversal stuff
    filename = filename[:-4]
    filename = os.path.basename(filename)
    # escape shell metacharacters (a blocklist: '*' is not in it, so globs survive)
    filename = re.sub(r"(!|\$|#|&|\"|'|\(|\)|\||<|>|`|\\|;)", r"\\\1", filename)
    filename = re.sub("\n", "", filename)
    # add extension: double underscore, random hex, .tar
    filename += '__'+hex(randrange(10000000))[2:]+'.tar'
    return filename

Thankfully, when I checked the next day, they had posted the snippet of the filtering source code.

If you check the man page of tar, you will see the flag --to-command. At first I thought of it, but I couldn't get my tar uploaded to the inspector.


The workflow has to be tuned to whatever sanitization the target is implementing.

Notice that they are not filtering the wildcard '*', and that they append a random hex string to the end of the tar file name before they run tar xvf against it.

So in order for tar xvf to run the malicious tar file (which contains our "commands.txt" with cat /flag.txt inside it), we need to add the wildcard '*' at the end of our malicious tar file's name, so it becomes 'malicious*.tar'. The random hex suffix is unknown to us in advance, but the shell expands the glob to whatever name the file was stored under.

Now the command will become: tar xvf malicious*.tar --to-command=bash --exclude=.tar
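The following is an added example, not the challenge's own code, that puts the blocklist sanitizer from the snippet above next to an allowlist version and a shell-free tar invocation. The weak sanitizer is re-implemented with the random hex suffix as a parameter so the result is reproducible; strict_secure_filename, tar_extract_argv, is_rejected and the SAFE_NAME pattern are hypothetical names chosen here. shell_would_see only tokenizes the way a POSIX shell would (it does not glob), which is enough to show where the extra arguments come from.

```python
import os
import re
import shlex
import subprocess

# Re-implementation of the challenge's blocklist sanitizer (same logic as the
# snippet above); the random hex suffix is a parameter so runs are repeatable.
SHELL_META = re.compile(r"(!|\$|#|&|\"|'|\(|\)|\||<|>|`|\\|;)")

def weak_secure_filename(filename, suffix):
    filename = filename[:-4]                      # drop the trailing ".tar"
    filename = os.path.basename(filename)         # strip any directory part
    filename = SHELL_META.sub(r"\\\1", filename)  # backslash-escape listed metacharacters
    filename = filename.replace("\n", "")
    return filename + "__" + suffix + ".tar"

def shell_would_see(stored_name):
    """Tokenize 'tar xvf <stored_name>' the way a POSIX shell would, to show how
    spaces in a surviving name turn into extra tar arguments."""
    return shlex.split("tar xvf " + stored_name)

# Hardened version (hypothetical, not the challenge's code): an allowlist that only
# accepts plain names, so there is nothing left to escape. The first character
# must be alphanumeric, so a stored name can never begin with '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tar")

def strict_secure_filename(filename, suffix):
    base = os.path.basename(filename)
    if not SAFE_NAME.fullmatch(base):
        raise ValueError("rejected upload name: %r" % filename)
    return base[:-4] + "__" + suffix + ".tar"

def is_rejected(filename):
    """True if the allowlist sanitizer refuses this upload name."""
    try:
        strict_secure_filename(filename, "0")
        return False
    except ValueError:
        return True

def tar_extract_argv(stored_name, dest_dir):
    """argv for the extraction step. Passing a list (shell=False) means no shell
    ever expands '*' or splits on spaces, and the path is the argument of -f,
    so it is never parsed as an option."""
    return ["tar", "-x", "-v", "-f", os.path.join(dest_dir, stored_name), "-C", dest_dir]

def extract(stored_name, dest_dir):
    # Not exercised by the test; needs a real tar binary on PATH.
    subprocess.run(tar_extract_argv(stored_name, dest_dir), check=True)

if __name__ == "__main__":
    # Constructed upload name: the one used in the writeup above.
    crafted = "malicious*.tar --to-command=bash --exclude=.tar"
    stored = weak_secure_filename(crafted, "1a2b3c")
    print("weak filter stores:", stored)
    print("shell sees        :", shell_would_see(stored))
    print("strict rejects it :", is_rejected(crafted))
    safe = strict_secure_filename("upload.tar", "1a2b3c")
    print("safe argv         :", tar_extract_argv(safe, "/tmp/uploads"))
```

Two fixes are independent here: the allowlist stops the name from carrying spaces, globs or leading dashes at all, and the argv-list invocation means that even a name that did carry them would reach tar as a single file argument. Either one alone breaks the chain in the writeup; a defender should do both.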
