Visitor Count
Home Pico CTF (Special)
Post
Cancel

Pico CTF (Special)

Special

AUTHOR: LT ‘SYREAL’ JONES

Description Don’t power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized… automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That’s Special (TM) Start your instance to see connection details. ssh -p 51065 ctf-player@saturn.picoctf.net The password is d8819d45

Solution

This was a real rollercosta I have to say. The hint guided me on this challenge hint:Experiment with different shell syntax

  1. ssh to the server ssh -p 51065 ctf-player@saturn.picoctf.net image
  2. After logging in, I realized we can’t run normal commands as they are jumbled somehow. image
  3. I immedietely run to google and I had a chance to learn a lot about shell syntax, my friend @noamgariani11 really did come up to my rescue on this one.
  4. I followed a syntax noamgariani11 had suggested ${parameter?ls} ${parameter={command}}

The syntax ${parameter='command_here'} is used for parameter expansion in shell scripting. It assigns a default value to the variable parameter if it is not already set. Learning about this new syntax , I jumped back to the challenge.

  1. I started with listing available folders or files and sequentially followed the following table
CommandOutput
${parameter?ls}parameter: ls
${:ls}Bad substitution
${parameter=ls}blargh
${parameter=cat blargh}cat: blargh: Is a directory
${parameter=cd blargh}${parameter=cd blargh}
${parameter=ls blargh}flag.txt
${parameter=cat < blargh/flag.txt}This gave the flag

image

Special thanks to noamgariani11 for helping me solve this one. I learnt alot from the challenge.

This post is licensed under CC BY 4.0 by the author.

-

SOAP

Comments powered by Disqus.