34C3 Junior CTF - babybash

This is the write up for the Misc challenge “babybash” during the Junior CTF at the 34C3.

When connected to the box via netcat, you were presented with a babybash prompt. A simple


threw an error message. It stated that illegal characters were used, and to run help


This printed the illegal characters:

and the hint to run /get_flag to retrieve the flag. The use of upper case letters was allowed, and therefore access to environment varaiables was possible. With clever use of the builtin substring feature in bash(1) the command could be assemble.

For solving the challenge I used the following variables:

/bin/bash: 28e32c6defa5: command not found
/bin/bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
/bin/bash: xterm: command not found
/bin/bash: braceexpand:hashall:interactive-comments: command not found
/bin/bash: linux-gnu: command not found
> $PWD
/bin/bash: /tmp/4a7ddec13b10a2414e458491a00a37b275679ed2: Is a directory

The final solution:

/${OSTYPE:6:1}${TERM:2:1}${TERM:1:1}_${HOSTNAME:9:1}${SHELLOPTS:17:1}${SHELLOPTS:2:1}${OSTYPE:6:1} ${OSTYPE:6:1}${OSTYPE:1:1}${PWD:2:1}${PWD:2:1}${HOSTNAME:2:1}_FLAG_${PWD:3:1}${OSTYPE:0:1}${HOSTNAME:2:1}${SHELLOPTS:2:1}${SHELLOPTS:14:1}${HOSTNAME:2:1}