Interfacing between technophile and technophobe

NACTF2020 – Zip Madness

This is my solution to the NACTF2020 Challenge “Zip Madness”.

Challenge Text:

Evan is playing Among Us and just saw an imposter vent in front of him! Help him get to the emergency button by following the directions at each level.

The challenge also requires download of a zip file from the challenge page (which I cannot host here).

The challenge is solved with the following Python code, which extracts all nested zip files into a single folder. It’s then a simple task to dig out the flag.txt file from the extract_path folder:

from zipfile import ZipFile

def unpack_zip(zipfile='', path_from_local=''):
    filepath = path_from_local+zipfile
    extract_path = "C:\\NACTF\\flag\\"
    parent_archive = ZipFile(filepath)
    namelist = parent_archive.namelist()
    for name in namelist:
            if name[-4:] == '.zip':
                unpack_zip(zipfile=name, path_from_local=extract_path)
            print('failed on', name)
    return extract_path

flag = open("C:\\NACTF\\flag\\flag.txt", "r")

This spits out the flag:


Credit where credit is due: I found the nested zip extraction code on GitHub, then edited the extract_path variable so that everything got dumped into the same folder. Worth mentioning that with significantly more nests, this might possibly be similar to a “ZipBomb” piece of malware, so above code should only be run on trusted files – or a hard limit added to number of recursions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: