### What we can use
* `$$` - bash process id.
* `$((1+2))` - 3.
### Variables
It can not contain any lower case aphebat, but only `echo`.
* `$a` - `$echo`
* `$b` - `$echoecho`
* `$c` - `$echoechoecho`
* `echo=$$; echo $echo` -> `8`
### Bypass the limited number of use
We can store the special character in the variable by using backslash. The payload `echo=\=; echo echoecho$echo$$` will output `echoecho=8`. Then we can pass it to `bash` with `|bash`. Other example: `echo=\'; echo echo $echo$$$echo` -> `echo '8'`.
### Generate any number
In the seccond `bash`, `$$` is equal to `10` and we can generate `1` by `$(($$==$$))`,`$((10==10))`.For now, we can use `1` and `10` to caculate any number.
### To char
* `echo $'\154\163'` -> `ls`

[Full write-up](https://github.com/yuawn/CTF/tree/master/2019/insomnihack/echoechoechoecho)

Original writeup (https://github.com/yuawn/CTF/tree/master/2019/insomnihack/echoechoechoecho).