The zip slip assignment appears to be broken.

The goal is to somehow override /WebGoat/images/account.png when looking at the requests.
The current location where the zip is extracted is /home/webgoat/.webgoat-8.2.1/PathTraversal/<NAME>/<INJECT_ME/FILENAME>.png

Uploading a zip with just containing an image, e.g., hack.png, marks the lesson as completed.
However, the info message is Zip file extracted successfully, failed to copy image. Please contact our helpdesk.

It is also unclear from inspecting the Docker container where the image should be put. The source seems to always call getProfilePicture, which fetches it from this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName(), which is where the image is already extracted?