Web


Fluffy's Adventure.

Challenges

🪤 Sticky Tar Pit

“Just upload your files—we'll take care of the rest!”

Welcome to FluffDrive™, your cozy little cloud storage friend. ☁️💼 Designed to make your life easier, we do all the heavy lifting for you! Our server automatically extracts archives upon upload, so you can view your files right away—no more fussing with command lines or decompressing tools.

Whether it's:

  • .zip
  • .tar
  • .tgz / .tar.gz
  • .tbz2 / .tar.bz2

...we’ll unwrap it for you, instantly and automatically. 📂✨

But lately, a few users have noticed something strange: Some files seem to disappear after upload. Or rather… they end up in very unexpected places.

One user reported:

“I uploaded my archive, but I don’t remember including a file called flag. Is it weird that I’m seeing strange files in my drive?”

Our engineers insist everything is working exactly as designed. But hey—maybe there’s something clever happening behind the scenes?

💧 Slippery Tar Pit

“They patched the pit... but something still slithers in the shadows.” - Fluffy 🦊

After the mysterious incident back at the tar pit, the engineers proudly stamped out the sticky tar bug; archives now unpack cleanly, and no files vanish..., or so they claim.

Yet Fluffy’s ears picked up a curious whisper in the server logs:

  • A mysterious vulnerability lurking where none should exist.
  • A core binary behaving just a bit... differently

Fluffy’s instincts tell him this isn’t random. There’s a subtle flaw waiting to be uncovered by the right archive.

“Follow the tails... but beware the slip you never see coming.”

Will you uncover the secret path that still eludes every patch?

💦 Leaky Tar Pit

“They thought dropping privileges would staunch the flow... but something is seeping through the cracks.” - Fluffy 🦊

After another tar pit fiasco, the engineers discovered the root cause: the extraction service was running with elevated rights.

In a hurry, they rolled back to the last known good version and dropped all extra privileges.

“No root, no problem” — The Engineers

Your mission, should you choose to accept it, is to leak the flag without elevated permissions. 🕵️

As always, should you or any of your hackers be caught or reverse shell'd, Fluffy will disavow any knowledge of your actions.

Good luck, hacker


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

7-Day | 30-Day | All-Time

Rank Hacker Badges Score