Tags: unix shell 



> I love cats! PS: This is NOT a web challenge. Just find the cats.
> http://cats.2018.teamrois.cn:1337


At the address we see:


And the linked dockerfile:

FROM ubuntu:latest
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get update && apt-get install -y php python3 nodejs ruby && mkdir /app

# build: docker build -t rctf_cats .
# judge: docker run -it --rm --network none -v /tmp/yourCatFood:/app/food:ro rctf_cats bash -c "timeout 5 diff -Z <(cat food) <(eachCatNameYouProvided food)"

So, without bothering to actually set up Docker, we see that it runs the command `timeout 5 diff -Z <(cat food) <(eachCatNameYouProvided food)`. Whatever we put into the textarea will be the contents of the file `food`. Then the command compares the output of `cat food`, i.e. the contents we provided, with 15 commands we provide in the second input invoked with the argument `food`.

Some other details – `cat` doesn't count as a cat (too obvious I guess!), and thanks to the regex we cannot provide any commandline arguments, just the names of commands that we want to run. Finally, the content of the file has to be at least 2 bytes, but no more than 1337 bytes, so an empty file is unfortunately not possible.

The solution was obtained by using a basic Ubuntu VM. In the shell I typed `a`, then presed tab twice to get a listing of commands that start with `a`, then looked for anything that might work. Same for every other letter.

The most important thing to realise for this part of the challenge was probably that we need to have 15 commands that will output the same thing as `cat food` *in this particular* setup. We don't actually need to find 15 commands that do the same thing as `cat` (why would they even exist then?).

So, the commands I provided fall into two categories:

- ones which treat the argument `food` as a path or filename (e.g. `ls`)
- ones which treat the argument `food` as a string (e.g. `echo`)

Thinking of `echo food` and `cat food`, I decided the best choice for the contents of the `food` file was the literal string `food`. Then `cat food` simply outputs `food`. Useful.

And so finally, the list of commands I chose:

- `ls` - normally lists directories, but given a path to a file it simply outputs its name (this is more useful when combined with other arguments)
- `dir` - basically the same as `ls` as far as I can tell
- `more` - normally provides an interactive terminal viewer for file contents, but when piped into a command like `diff` it behaves just like `cat`
- `php` - by default, PHP copies file contents to stdout, unless it finds the tag ` Wew, you've found 15 cats! Here is your flag: RCTF{you_love_cats_dont_you}. If you can find at least 4 out of 5 cats whose names in (python3, bash, php, node, ruby), I will give you another flag ._.

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-05-19-RCTF/README.md#256-misc--cats).