Micro Storage

Technical Walkthrough

Writeup

Challenge

• Name: Micro-Storage
• Category: Misc
• Difficulty: Easy
• Mode: remote

Summary

Micro Storage is a remote temporary file-store service. The vulnerable path is its “compress and download” feature: uploaded filenames are passed to GNU tar unsafely, so filenames beginning with --checkpoint are interpreted as tar options. This allows command execution through --checkpoint-action.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• Remote service: <TARGET>:30254.
• No local challenge files were provided.
• The service exposes upload, list, delete, print, compress/download, and quit menu actions.

Analysis

Benign probing showed that uploads take a filename and content terminated by EOF, and option 5 returns a base64-encoded tar archive. Direct traversal attempts using / or .. are rejected, and the print feature only accepts numeric file identifiers.

The useful gap is in archive creation. Filenames such as --checkpoint=1 and --checkpoint-action=exec=sh a are accepted by upload/list, but they do not appear as archive members when option 5 runs. That indicates tar is parsing them as options rather than treating them as ordinary filenames.

Uploading a short script named a then triggering compression executes the script through GNU tar checkpoint action. Running cat /flag.txt from that script reflects the flag in the service transcript before normal archive output.

Solve

Run:

python3 solve/solve.py

The solver connects to the service, uploads:

• --checkpoint=1
• --checkpoint-action=exec=sh a
• a, containing the command to print /flag.txt
• a harmless seed file

It then triggers compression and extracts the HTB-format flag from the returned transcript.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Archive creation can be dangerous when filenames are passed to tar without -- or safe argument handling.
• Rejections for path traversal do not rule out option injection.
• For remote menu services, first map benign behavior, then test one narrow parser surface at a time.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Micro-Storage
• Category: Misc
• Difficulty: Easy
• Mode: remote
• Remote instance: none
• Start time: 2026-06-10T09:18:18Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote target: <TARGET>:30254.
• Initial banner confirms a temporary Micro Storage service with upload, list, delete, print, compress/download, and quit actions.
• Upload flow asks for a filename, then multiline content terminated by EOF.
• Normal upload/list behavior was confirmed with hello.txt.
• Print flow asks for a numeric file identifier from 0 - 9, not a filename.
• The objective is to leak /flag.txt, so the likely exploit surface is unsafe uploaded filename handling, path traversal, archive construction, or link/file-following behavior.
• Simple traversal and slash-containing filenames are rejected by the service.
• Filenames beginning with --checkpoint are accepted and are not included as archive members, proving they are interpreted as GNU tar options during compression.
• Uploading --checkpoint=1, --checkpoint-action=exec=sh a, and script file a creates command execution when option 5 compresses files.
• The final solver uses the checkpoint action to run cat /flag.txt; stdout is reflected in the service transcript and captured by the harness.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Misc
• Challenge: Micro-Storage
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Mapped the remote menu protocol: upload, list, delete, print-by-index, compress/download, quit.
2. Confirmed upload uses filename plus EOF-terminated content and option 5 returns a base64 tar archive.
3. Confirmed direct slash/path traversal and command-substitution-style filenames are blocked.
4. Found that filenames beginning with GNU tar options such as --checkpoint=1 are accepted and then interpreted by tar during compression.
5. Uploaded a short script file and used --checkpoint-action=exec=sh a to execute it during compression.
6. Used the checkpoint action to print the target file and captured the HTB-format flag from the service transcript.

Reusable Lessons

• File upload filters that block path traversal can still be vulnerable to option injection.
• GNU tar wildcard/argument misuse is exploitable with --checkpoint and --checkpoint-action.
• For remote menu challenges, keep harmless protocol probes separate from exploit probes and preserve transcripts.

Dead Ends

• Numeric print identifier injection failed; non-numeric payloads returned the service's rejection message.
• Simple .. and slash-containing filenames are rejected.
• Trying to overwrite an already tracked file during archive creation caused compression to fail and was not needed.

Tool Quirks

• Option 5 may take several seconds before returning the base64 archive.
• Raw transcripts from successful flag attempts must be sanitized if stored under analysis/; raw flags stay in loot/.

Evidence Paths

• analysis/initial-probe.txt
• analysis/benign-upload-read-probe-2.txt
• analysis/identifier-edge-probe.txt
• analysis/filename-edge-probe-2.txt
• analysis/tar-option-harmless-proof-2.txt
• analysis/stdout-flag-attempt.txt (sanitized)
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Misc
• Challenge: Micro-Storage
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Mapped the remote menu protocol: upload, list, delete, print-by-index, compress/download, quit.
2. Confirmed upload uses filename plus EOF-terminated content and option 5 returns a base64 tar archive.
3. Confirmed direct slash/path traversal and command-substitution-style filenames are blocked.
4. Found that filenames beginning with GNU tar options such as --checkpoint=1 are accepted and then interpreted by tar during compression.
5. Uploaded a short script file and used --checkpoint-action=exec=sh a to execute it during compression.
6. Used the checkpoint action to print the target file and captured the HTB-format flag from the service transcript.

Reusable Lessons

• File upload filters that block path traversal can still be vulnerable to option injection.
• GNU tar wildcard/argument misuse is exploitable with --checkpoint and --checkpoint-action.
• For remote menu challenges, keep harmless protocol probes separate from exploit probes and preserve transcripts.

Dead Ends

• Numeric print identifier injection failed; non-numeric payloads returned the service's rejection message.
• Simple .. and slash-containing filenames are rejected.
• Trying to overwrite an already tracked file during archive creation caused compression to fail and was not needed.

Tool Quirks

• Option 5 may take several seconds before returning the base64 archive.
• Raw transcripts from successful flag attempts must be sanitized if stored under analysis/; raw flags stay in loot/.

Evidence Paths

• analysis/initial-probe.txt
• analysis/benign-upload-read-probe-2.txt
• analysis/identifier-edge-probe.txt
• analysis/filename-edge-probe-2.txt
• analysis/tar-option-harmless-proof-2.txt
• analysis/stdout-flag-attempt.txt (sanitized)
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Micro-Storage
• Category: Misc
• Difficulty: Easy
• Mode: remote
• Remote instance: none
• Start time: 2026-06-10T09:18:18Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote target: <TARGET>:30254.
• Initial banner confirms a temporary Micro Storage service with upload, list, delete, print, compress/download, and quit actions.
• Upload flow asks for a filename, then multiline content terminated by EOF.
• Normal upload/list behavior was confirmed with hello.txt.
• Print flow asks for a numeric file identifier from 0 - 9, not a filename.
• The objective is to leak /flag.txt, so the likely exploit surface is unsafe uploaded filename handling, path traversal, archive construction, or link/file-following behavior.
• Simple traversal and slash-containing filenames are rejected by the service.
• Filenames beginning with --checkpoint are accepted and are not included as archive members, proving they are interpreted as GNU tar options during compression.
• Uploading --checkpoint=1, --checkpoint-action=exec=sh a, and script file a creates command execution when option 5 compresses files.
• The final solver uses the checkpoint action to run cat /flag.txt; stdout is reflected in the service transcript and captured by the harness.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.