Funhxx17.zip (Bonus Inside)

Because the unzipping process often runs with high privileges (or as a user with write access to the webroot), you can create a malicious zip file containing a symbolic link .

Create a symlink to a sensitive file (like /root/root.txt or /etc/shadow ) or a directory. Compress the symlink using the --symlinks flag in zip . Upload it back to the server. FUNHXX17.zip

If you used a symlink, you can now read the linked file through the web server. Because the unzipping process often runs with high

Some versions of this challenge require you to crack the password of FUNHXX17.zip using fcrackzip or john with the rockyou.txt wordlist. The password is often found to be "p@ssword" or similar simple variations. 3. Initial Access Once unzipped by the system: Upload it back to the server

The machine runs a background cron job or script that automatically processes/unzips files placed in certain directories (like /var/www/html/uploads or the FTP upload folder).

After gaining a shell as a low-privileged user (often www-data or tom ): Check for binaries that can be run as root.

Most write-ups note that FTP allows Anonymous login . Inside the FTP directory, you will find FUNHXX17.zip among other files.