Web on 万屋猫Labshttps://yn-labs.com/en/tags/web/Recent content in Web on 万屋猫LabsHugoenSun, 29 Mar 2026 00:00:00 +0900KalmarCTF 2026 RootBabyKalmarCTF Writeup — Zip Slip (CVE-2026-30345) for CTFd Roothttps://yn-labs.com/en/writeups/ctf/kalmarctf-2026-rootbabykalmarctf-zip-slip/Sun, 29 Mar 2026 00:00:00 +0900https://yn-labs.com/en/writeups/ctf/kalmarctf-2026-rootbabykalmarctf-zip-slip/<h2 id="overview">Overview</h2> <p>KalmarCTF 2026 Web challenge &ldquo;RootBabyKalmarCTF&rdquo; (170pts).<br> A CTFd 3.8.1 instance is provided with admin credentials for the management panel.<br> The goal is to read <code>/flag2-&lt;random&gt;.txt</code> as <strong>root</strong>, not admin.</p> <h2 id="vulnerability">Vulnerability</h2> <p><strong>CVE-2026-30345: CTFd 3.8.1 Zip Slip (Path Traversal)</strong></p> <p>The <code>/admin/import</code> backup import function checks if ZIP file entry names contain <code>..</code>.<br> However, the check can be bypassed using the <code>uploads//absolute/path</code> format (double slash).</p> <h3 id="the-check">The Check</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> members: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> f<span style="color:#f92672">.</span>startswith(<span style="color:#e6db74">&#34;/&#34;</span>) <span style="color:#f92672">or</span> <span style="color:#e6db74">&#34;..&#34;</span> <span style="color:#f92672">in</span> f: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> zipfile<span style="color:#f92672">.</span>BadZipfile </span></span></code></pre></div><h3 id="the-bypass">The Bypass</h3> <p>Entry name: <code>uploads//opt/CTFd/manage.py</code></p>