Note

Specialer was an even funnier challenge from the general skills category (which is PicoCTF’s misc category).

It was based on the same principle as the Special challenge, bypassing a bash shell filter to read the flag.

Let’s dive into it!

Description

Reception of Special has been cool to say the least. 
That's why we made an exclusive version of Special, called Secure Comprehensive Interface for Affecting Linux Empirically Rad, or just 'Specialer'. 
With Specialer, we really tried to remove the distractions from using a shell. 
Yes, we took out spell checker because of everybody's complaining. 
But we think you will be excited about our new, reduced feature set for keeping you focused on what needs it the most. 
Please start an instance to test your very own copy of Specialer.

ssh -p 53888 ctf-player@saturn.picoctf.net. The password is *****

Poking around

[screenshot]

Same as for the previous challenge, this indicates that we are not on a typical shell.

Let’s start poking around to see what we can and can’t do. We’ll start by trying whoami, pwd and ls:

[screenshot: output of whoami, pwd and ls]

As you can see, only pwd works. The command is not useful in itself, but it shows that there is no filter: some commands are simply not available.

To list all the available commands, we can use the compgen -c command.

<...>
alias
bg
bind
break
builtin
caller
cd
command
compgen
complete
compopt
continue
declare
dirs
disown
echo
enable
eval
exec
exit
export
<...>

Bypassing the filter

Among all of these, we can see one very interesting command: echo.

Indeed, we can use echo in place of ls. The shell expands * to the names in the current directory before echo runs, so echo * prints them:

[screenshot: output of echo *]

Fun fact: Since we have access to the alias command, we can make an alias for ls to artificially make it work again:

[screenshot: alias for ls]

We see three folders: abra, ala and sim.

Since we have access to the cd command, we can use it to go into them and list their content.

Let’s try to list the content of the ala folder:

[screenshot: listing of the ala folder]

There are two text files and we don’t have access to cat, head or tail… but that’s ok, because we have access to echo!

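Here is the trick to read a file with the echo command: echo "$(<kazam.txt)". In bash, $(<file) is a command substitution that expands to the contents of the file without running any external program.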

[screenshot: output of echo "$(<kazam.txt)"]

As you can see, it worked! GGs

There are other text files in the other directories, but they’re just rabbit holes.
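
Both tricks above (echo * for listing, $(<file) for reading) rely only on shell builtins, which is why removing ls and cat does not restrict file access: file permissions do. The script below is an added example, not part of the original write-up. It reproduces both tricks with PATH pointing at a nonexistent directory, and its function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list and read files using shell builtins only.
# Function names and sample files are constructed for illustration.

# ls substitute: the shell expands the glob itself, as with `echo *`.
b_ls() (
    cd "${1:-.}" || exit 1
    for entry in *; do
        if [ -e "$entry" ]; then printf '%s\n' "$entry"; fi
    done
)

# cat substitute: $(<file) in bash, a `read` loop in other POSIX shells.
b_cat() (
    [ -r "$1" ] || exit 1
    if [ -n "${BASH_VERSION:-}" ]; then
        printf '%s\n' "$(<"$1")"
    else
        while IFS= read -r line || [ -n "$line" ]; do
            printf '%s\n' "$line"
        done < "$1"
    fi
)

# Build a throwaway directory, then use it with no external command reachable.
demo() (
    dir=$(mktemp -d) || exit 1
    printf 'constructed sample contents\n' > "$dir/notes.txt"
    : > "$dir/other.txt"
    (
        PATH=/nonexistent      # ls, cat, head, tail can no longer be found
        b_ls "$dir"
        b_cat "$dir/notes.txt"
    )
    status=$?
    rm -rf "$dir"
    exit "$status"
)

demo
```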