Data science is old news, kids today are all about metadata science…
You’re given a Flask app where you upload lots of types of files and it gives you the metadata for them. Some examples were PDFs, audio files, images, zips of cargo and node projects etc. I tried some sort of zip slip for a long time to no avail.
The next day I just uploaded a screenshot I had lying around, `mpv-shot-0001.jpg`, and it just straight up gave me the flag in the metadata. wtf idk what happened

(I just tried again and it didn’t work.) I have no idea what’s happening here but I wanted to show that screenshot so I wrote this.

Okay, I guess mine was an unintended because of someone else’s zip slip. From the Discord I saw two main attacks:
- standard zip slip by creating a symlink and just visiting it with `/static/file`
- messing around with `Cargo.toml` by changing the path to rustc