Lhfs_1zip -

If the extraction tool doesn't sanitize filenames, you can use ../ to write files outside the intended directory (e.g., overwriting .ssh/authorized_keys or /etc/passwd ).

If you are writing the "defense" side of this write-up, the fix is to the extraction process or strictly sanitize filenames to remove any .. or leading / characters. g., PicoCTF, SECCON, or HTB) where this challenge appeared? lhfs_1zip

If the goal is to read a flag located at /flag.txt , the exploit usually involves crafting a malicious .1zip file: Manually create a file with the 1ZIP header. Payload: Set the filename field to ../../../../flag.txt . If the extraction tool doesn't sanitize filenames, you