This is the write up for the Misc challenge “babybash” during the Junior CTF at the 34C3.
When connected to the box via netcat, you were presented with a babybash prompt. A simple
ls
threw an error message. It stated that illegal characters were used, and to run help
help
This printed the illegal characters:
and the hint to run /get_flag
to retrieve the flag. The use of upper case letters was allowed, and therefore access to environment varaiables was possible. With clever use of the builtin substring feature in bash(1)
the command could be assemble.
For solving the challenge I used the following variables:
> $HOSTNAME
/bin/bash: 28e32c6defa5: command not found
> $PATH
/bin/bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
> $TERM
/bin/bash: xterm: command not found
> $SHELLOPTS
/bin/bash: braceexpand:hashall:interactive-comments: command not found
> $OSTYPE
/bin/bash: linux-gnu: command not found
> $PWD
/bin/bash: /tmp/4a7ddec13b10a2414e458491a00a37b275679ed2: Is a directory
The final solution:
/${OSTYPE:6:1}${TERM:2:1}${TERM:1:1}_${HOSTNAME:9:1}${SHELLOPTS:17:1}${SHELLOPTS:2:1}${OSTYPE:6:1} ${OSTYPE:6:1}${OSTYPE:1:1}${PWD:2:1}${PWD:2:1}${HOSTNAME:2:1}_FLAG_${PWD:3:1}${OSTYPE:0:1}${HOSTNAME:2:1}${SHELLOPTS:2:1}${SHELLOPTS:14:1}${HOSTNAME:2:1}