Note

Special was a very fun challenge from the general skills category (which is PicoCTF’s misc category).

I always enjoy bypassing these weird bash filters. It was not different from the previous ones I did, but it was still cool.

Let’s dive into it!

Description

Don't power users get tired of making spelling mistakes in the shell? 
Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. 
Now, every word is properly spelled and capitalized... automatically and behind-the-scenes! 
Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. 
When your co-workers see your amazing shell interface, just tell them: That's Special (TM)

Start your instance to see connection details.

ssh -p 59874 ctf-player@saturn.picoctf.net
The password is ******

Poking around

We’re given a username, a password and a port so we can ssh to the machine, so let’s do it.

Once we’re connected, the first thing we notice is this:

[Screenshot: 2023-03-28-192950_150x64_scrot]

Instead of the classic username@hostname:~$, it’s written Special$. That indicates that we’re not on a typical bash shell.

Let’s start poking around to see what we can and can’t do. We’ll start by trying whoami, pwd and ls:

[Screenshot: 2023-03-28-193349_239x233_scrot]

As you can see, there is some kind of spell checker that rewrites what we type and so prevents us from executing commands (pwd becomes Pod, whoami becomes Whom, etc.).

Bypassing the filter

Let’s try executing ls again but inside of a command substitution:

[Screenshot: 2023-03-28-193630_257x73_scrot]

This time, it says that blargh wasn’t found… weird, did our ls become blargh?

No. Command substitution is replaced by the output of the command, and the shell then tries to run that output as a command of its own. blargh is actually the first folder returned by ls.

Alright, the next step is knowing what’s inside of it, let’s try the same trick:

[Screenshot: 2023-03-28-193844_370x70_scrot]

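And that didn’t work… It seems that the space messed up the command. Fortunately, there is a trick to avoid putting spaces in the command: the IFS shell variable. Its default value is whitespace (space, tab and newline), so an unquoted $IFS expands to characters that the shell then splits words on.

Let’s see if it works when we replace our space with $IFS.

To prevent the shell from reading the variable name as IFSblargh when we call it, we wrap the name in curly braces (${IFS}):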

[Screenshot: 2023-03-28-194235_278x69_scrot]

Alright, it worked and we now know where the flag is!

The last step is reading the content of flag.txt, which shouldn’t be a problem since we now know how to avoid using spaces:

[Screenshot: 2023-03-28-194430_611x77_scrot]

And we got it! GGs
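The expansion behaviour the steps above rely on, reproduced as an added example (not part of the original writeup) in a constructed temporary directory. The directory layout and flag value are made up, the function names are hypothetical, and the spell-checking wrapper itself is not modelled.

```shell
#!/bin/sh
# Constructed sandbox standing in for the challenge home directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/blargh"
echo 'constructed-sample-flag' > "$demo_dir/blargh/flag.txt"
unset IFSblargh   # make sure the unbraced case really hits an unset name

count_words() { echo "$#"; }

# Step 1: $(ls) is replaced by the output of ls, and the shell then tries
# to run that output as a command. "blargh" is not a program: status 127.
subst_status() {
    rc=0
    ( cd "$demo_dir" && $(ls) ) 2>/dev/null || rc=$?
    echo "$rc"
}

# Step 2: how many words the shell sees after expansion.
# Braced: ${IFS} expands to whitespace and word splitting cuts there.
braced_words()   { count_words ls${IFS}blargh; }
# Unbraced: parsed as the variable IFSblargh, which is unset, so only "ls".
unbraced_words() { count_words ls$IFSblargh; }
# Double quotes suppress word splitting, so the whole string is one word.
quoted_words()   { count_words "ls${IFS}blargh"; }

# Step 3: the same expansion used as a real argument separator.
list_without_space() { ( cd "$demo_dir" && ls${IFS}blargh ); }
read_without_space() { ( cd "$demo_dir" && cat${IFS}blargh/flag.txt ); }

echo "exit status of \$(ls):   $(subst_status)"
echo "ls\${IFS}blargh words:   $(braced_words)"
echo "ls\$IFSblargh words:     $(unbraced_words)"
echo "quoted words:           $(quoted_words)"
echo "listing without space:  $(list_without_space)"
echo "reading without space:  $(read_without_space)"
```

The word counts assume a POSIX sh or bash with the default IFS; zsh does not split unquoted expansions by default.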