# UTCTF 2021 Tar Inspector Write Up

### (Web) Tar Inspector [994 pts]

Tar Inspector challenge is get the shell using RCE and read the flag

Many people asked for a hint and the contest provided the code for the secure_filename() function. So first, I’ll see secure_filename().

You can see that the secure_filename() function gets the file name excluding the extension, escapes all special characters, and creates a new file name by including a random value between the file names.

Go into the challenge and you can will see the file upload function.

If you upload any file, you can see that only the .tar extension can be uploaded. Probably I need to make RCE happen when i unpack the tar file. When unpack the tar file, I can execute file using --to-command option :)

• Scenario
1. I compress the reverse shell code to tar file and I upload in server.
2. If you upload the tar file, you can see the newly created file name.
3. If you upload the created file again by name, it will be unpack and the file will be executed. Obviously, you need to add the --to-command option at this time.
4. And since the last in the file must be .tar, you can bypass it using the --exclude option.

After uploading the tar file, you can see a file named pocas__bf9d0.tar was created :) Now, When you unpack the pocas__bf9d0.tar file, you can execute the reverse shell file.

I used the --to-command/--exclude option as above.

You can see that it is unpacked, and the file is executed to get the shell :)