Rating: 0

The task was solved by Vesim and b3niup from our team.

The flag was owned by the user but it had chmods of 000.
Because of that `read < /flag` didn't work.
So, you had to fire a chmod or fchmod syscall somehow to make the file readable.

If you do man bash and read a lot, you can find an interestinng feature/command: enable. This let's you load plugins to bash in a form of` .so` files. So:

Prepare a shared library that would do chmod syscall on the flag file:
```
#include <sys/stat.h>
__attribute__((constructor)) void foo(void) {
chmod("/flag", S_IRUSR | S_IRGRP | S_IROTH);
}
```

Build it: `gcc -shared -nostdlib -fPIC -static -o libtest.so -fPIC test.c`

Send the shared library to the server - afaik we used http://eusebeia.dyndns.org/bashcp

Enable plugin and name it foo: enable -f /libtest.so foo (afaik it will warn/error out that it lack some struct - as we didn't conform the bash plugin API or sth - but the chmod will occur)

Read the flag - either with` echo $(