
Uglybash was in the Misc *category*, which means these tasks are for lazy people and don't require much programming skill.

In the challenge we get a cmd.sh file, which is a bash script file with the contents:
```
${*%c-dFqjfo} e$'\u0076'al "$( ${*%%Q+n\{} "${@~}" $'\160'r""$'\151'$@nt"f" %s ' }~~@{$ ") }La?cc87J##@{$ ; } ; }8CC3vD/qX$t/*{$ }~~*{$ "}] "}^@{$" y4R2SV$ "}cIqe[\(\%@{$" "}xk:W=Y2##@{$" [JzbY6E{$" s% ft'"'"'n'"'"''"'"'i'"'"'r\p { ; }*!{$ ] )e#22+)2}8Kr6>#*{$#82*01#3}^*{$(( [$ "};(\S-[\/@{$" "},@{$" ] )71}|$1+d/$_dj/*{$#8+)2#16*1"}xp.{\$Z~[\%@{$"#}~*{$7"1"-(( [$ "@$" "}oMAHn%%@{$" )) )0"1"01"}^@{$"#4}]\oh>-%%@{$+)"a"1#21"-"+l#"1""5"-})\+{\$rMTE%%@{$(( (($ }Omm"\V#*{$ }8z<TPr/*{$ ] ))11"#"2+)"2""#""7""5"-"}qJ)\)\!\{\#/Ije>VU//@{$"-2}_axM-*/*{$#"7""3"(-(-( [$ }f9~U//*{$ }#Jgkvc#@{$ )) )1#}7e[\Trh{\//@{$4+)0#62*0#}*{$"9"(( (($ }S(\{\0)\##@{$ ] )21"}jAVg1-%%@{$""#"5+)"1"1#}*{$4}*{$-*"0"1#"}~~@{$""3"-(( [$ }^^*{$ ] )11#}*!{$"3"+)1*$#93*2#"6"5"@$"(( [$ }0c;x]\^Y//*{$ })\mei/b6B1atD)\//*{$ ] )1"1"0001#2"}fhF`\x/s77vTa[\/@{$"+)0*$#}R"\>(\/RTS8//*{$"6"+l"#"03-(( [$ }^^@{$ )) ))31"#"5+)11#7--00"}&*]\7//@{$"1#2}`\g]\<Roj/}\~(\<Qq/*{$(-(-( (($ }~@{$ )) )"1""#"5}mR&<7r/}\dC!\s*k/*{$3+)i#65-6"1"#}NojyN70T##*{$92}@!{$(( (($ },,*{$ ] )i}Ym5{\y##@{$#}!\a.8/*{$"0"2},,*{$+)01#4+"b"#94}*{$-(( [$ }@{$ }~*{$ )) )52#8+)0#62*0#05(( (($ })\C62X/*{$ }mibf/*{$ )) )"4"2"#"6}~f`\^/@{$1}3NKi^FgW/*{$+)2}="\ulQ;/*{$"#"7}@!{$3-+k#35-(( (($ }*{$ }*{$ ] )i#16+)01#3*11#2}?L7X>/~^MeZH/@{$-(( [$ *$ }@{$ )) )222#3+)11},,@{$#"2"*1"1"#4-(( (($ "}@{$" }*!{$ ] )d#53}e~+uz61###@{$+)0}~~*{$01#2--2"1""#"3(( [$ }~~*{$ )) )j"}^^@{$"#"},@{$"0}~*{$3+)11#4-}ml;.##@{$+"1"#8}"\r"\>cohJ/*{$4(( (($ }*!{$ )) )"a"1"#""1"5+)03#7-e}^^*{$#12-(( (($ "}~@{$" )) ))22"1"#3+)2#"}Y9cefj9%%@{$"41-*$-"y"#84(-(-( (($ }^^@{$ )) )011}~~@{$1},,*{$#2+)"1"#52*11#3-}^^*{$(( (($ }*{$ ] ))0#"1"1+)0#04*0"#"2"},,@{$"1}*!{$(-(-( [$ }~~@{$ )) )43#2"}gC@u/@{$"1+)"1"1}pQCP//*{$#2-}^@{$*01#*$8(( (($ }dlz"\T%%*{$ },h]\rj`\}\/RPQto"\/*{$ )) ))1#2}Vf}\]\Nu##@{$1+)11"#"2--0})\HIZ/*{$#05(-(-( (($ },,*{$ }~~@{$ )) )"a"#"6"3"}TIP]\@V##@{$"+)2}`\.\%Qxt/?:4,/@{$#02-*01#3-}{\Di6HUx@%@{$(( (($ "}~@{$" }34v@##*{$ ] 
))11#"5"+)h"}BdoI#@{$"1#1}t*f+fWlA//*{$2+2}~~*{$"1"#},,*{$5-(-(-( [$ };y$!\M8##@{$ )) )1#"7""1"+)0*$"#""1"3*0#5}*{$1"}Rw6a//@{$"(( (($ }Q-Vf9d%%*{$ )) )1},,*{$#15+)0}+lDQf%@{$#"2"*0#74(( (($ }_%$KT9f/iTW~$_/*{$ @$ ] )"m"#3},@{$"3"+)1"1"#2-*0#"5"1(( [$ "},@{$" }TX`\`\%%@{$ ] )"1"1#5"}FE=UU=W./&<"\8l7/@{$"+)0#3*01#3-(( [$ }*{$ }aO;R"\w/9jJF1//*{$ ] )"2"1#"}9uT]\j1f;##@{$""6"+)j#"7"4-"}^^@{$"-b#14-(( [$ }^^*{$ }~~*{$ )) ))1"#"34+)"0"1#}exP"\/TG!\)\T!\?//@{$6+1}*!{$#0}<7V&/*{$6-(-(-( (($ }Mi@S<]\Q#*{$ }^^*{$ ] )2}}\2jz]\G49/#dn>8/*{$2#"}<FTeK&n,//@{$"3"},,@{$"+)1#3-+00}I3cO.O;Z%%@{$"1"#"2"-},*{$(( [$ }B;h_1VnC%%*{$ "}@{$" ] )01}*{$#3+)1#*$8"3"--02#4(( [$ }.\np,/?{\~b03//*{$ "},@{$" )) ))02#4+)"n"#}SPKP8tw##@{$45--1"#"03(-(-( (($ "}@{$" ] ))n"#"14+)s#44+2}@{$2#}~*{$8}7Qq~iq%%*{$(-(-( [$ *$ ] )21"#"4+)n"}~@{$"#}\\@<f$4/*{$45--"1"2"#"3-(( [$ }@{$ }*{$ )) )41#"3"1+)0"#"15*11#"6"(( (($ },,@{$ ] )d#}t_=_//*{$8}ha5]\78/*{$"1"+)01#3"-"*1"}G2T~wh2##@{$""#"64-(( [$ }^^@{$ }.T9P_8Gv//*{$ ] )2"#"73"}$oE?##@{$"+)1},,*{$"1"#}K.o%o$t/uR@fekB#/@{$2-"0""1"#}@bCU%*{$4(( [$ "}3nB?u8fG//@{$" )) )"3""2""#"11"@$"+)0"}~@{$"1#4-+a#5"4"-(( (($ }~y?mRx/BM"\H]\//*{$ "}4^4rR/@{$" ] )"G"#74}~@{$+)2#52}@!{$"-"*a#7"1"(( [$ }@!{$ }~~*{$ ] ))1#84+)31#5+h#03(-(-( [$ }&+?82EU%%*{$ }@!{$ ] )l"#""3"2+)1}~*{$#21*0"}4[\P!\/|Ec{\e/@{$"1}*{$"#"5-(( [$ }:p-c^h+/:r#lsa//*{$ }*{$ )) )00}@!{$1#}BFcS!\%@{$2+)1#"0"6*1#}~~*{$71-(( (($ }~~*{$ }"\&`\QS*%*{$ ] )z"#"44+)11"#""5"-*2#4"2"(( [$ "}^^@{$" }RU*x9!\22/ySk%Ir/@{$ )) )e"#"0"5"+)2#7"2"*"1"1#2"-"(( (($ }*{$ }LNt)\,//@{$ )) ))0#}}\TMHUEV//*{$0}{\^WK!\##*{$6+)11#6-}ahZD^2~/:C,Io\C/*{$-"1"#65-"}H@zpzY8%@{$"(-(-( (($ "}QrL2J\~%%@{$" "}n(\7?)\)\J%%@{$" ] )0"1""#"11+)0#"8"2-11}*{$"#"4(( [$ }(\L-.D:/.41yxK]\//*{$ ] ))21"#"7+)2#24--"f""#"32(-(-( [$ },*{$ }@!{$ ] )22#81}^*{$+)1"1"#4}~*{$"-"*001#}*{$2(( [$ }^^@{$ },,@{$ ] )j},,*{$#"}u7=$6]\/o43H//@{$"2"5"+)1"1""1""#"2-101#2-(( [$ }$Wil##@{$ }l=:G>(\-#@{$ ] ))0#75}~~@{$+)1"#""9"+1"}JZ2I7=&/@{$""1"#}~~*{$3(-(-( [$ ni y4R2SV 
rof && },,@{$ ) }^*{$ g }^^*{$ y }g$U-b9%@{$ j }*!{$ n }~@{$ *$ u "}(\whfI/@{$" "}@{$" z }RH|<=z##@{$ }~~@{$ '"'"'ax\'"'"'$ }^^@{$ a }~*{$ }dS^Db6G}\%*{$ h }@{$ }^*{$ r "}m&Jk:b?/WBG02h}\_/@{$" \ }T|qd//*{$ }OM`\6.o%@{$ {\ }H%ynnO(\u//*{$ }g8Gv|R~/*{$ _\ }-:zfUz%%*{$ }\ })\#?1{\OK/@{$ *$ i }__b5W:RE//@{$ s }%<Oy{\I//*{$ }"\-iPfz]\g/ug|0w8/*{$ l }L#vh$/{\wLz8/@{$ }60-tI0<%%*{$ 3 "}^@{$" o }euc*##@{$ c }~~*{$ }~~*{$ d }_h)\)\{\/i$V2/@{$ e *$ }(\&`\C?*3%%@{$ ,\ "}@{$" }~@{$ t "},@{$" }^^*{$ #\ }*^RXtV##*{$ m "}@{$" f "},@{$" (=JzbY6E ($" <<< },,*{$ }C0#Y%%*{$ HSAB$ "}|=1SW.//@{$" "@$" ' ${*,} ${@/;mO4/qc~&y} | ${@/a\{oy_BGF/*:wJ} ${@##~@pBeI} "r"""ev ${*~} ${*%K^vf&^3<} ; ${*#SBvLg=k\[} ${*^} )" ${!@} > file
```

This looks heavily obfuscated.
When run, it prints the string:
```
dont just run it, dummy
```

From this, we can assume two things:
1. There is a carriage return `\r`, so the flag is printed and then overwritten.
2. The flag is commented out inside the script.

But how can we solve it?
A little research tells us that it uses [Bashfuscator](https://github.com/Bashfuscator/Bashfuscator).

I tried to find a deobfuscator for this but didn't find any, so let's take our first assumption that it uses a carriage return and overwrites the flag.

We can use this command to set a breakpoint on every instruction: the `DEBUG` trap pauses for 5 seconds and switches tracing (`set -x`) back on:
```
trap "set +x; sleep 5; set -x" DEBUG
```

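Then we run the script and save its output to a file so we can check the contents:
```
# The trace lines (the ones starting with +) are written to stderr, so capture it too
./cmd.sh > output 2>&1
```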

Looking through the file, there are a lot of `printf` calls, so we can filter for them.
```
type output | findstr -i printf
```

This gives us the output:
```
+++ printf %s e
+++ printf %s c
+++ printf %s h
+++ printf %s o
+++ printf %s ' '
+++ printf %s d
+++ printf %s o
+++ printf %s n
+++ printf %s t
+++ printf %s ' '
+++ printf %s j
+++ printf %s u
+++ printf %s s
+++ printf %s t
+++ printf %s ' '
+++ printf %s r
+++ printf %s u
+++ printf %s n
+++ printf %s ' '
+++ printf %s i
+++ printf %s t
+++ printf %s ,
+++ printf %s ' '
+++ printf %s d
+++ printf %s u
+++ printf %s m
+++ printf %s m
+++ printf %s y
+++ printf %s ' '
+++ printf %s #
+++ printf %s ' '
+++ printf %s f
+++ printf %s l
+++ printf %s a
+++ printf %s g
+++ printf %s {
+++ printf %s u
+++ printf %s s
+++ printf %s 3
+++ printf %s _
+++ printf %s z
+++ printf %s s
+++ printf %s h
+++ printf %s ,
+++ printf %s _
+++ printf %s d
+++ printf %s u
+++ printf %s m
+++ printf %s m
+++ printf %s y
+++ printf %s }
```
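Read top to bottom, the characters spell out an `echo` command with the flag after a `#`, so it is never printed. That gives us the flag: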
```
flag{us3_zsh,_dummy}
```
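
The filtered trace can also be joined back into the hidden command automatically instead of being read by eye. This is an added example, not part of the original writeup: `rebuild_from_trace` and `sample_trace` are hypothetical names, the sample trace is constructed, and only the plain and single-quoted argument forms seen in the trace above are handled.

```sh
#!/bin/sh
# Rebuild the command that the obfuscated script assembles one character at a
# time, using the "+++ printf %s <char>" lines found in an xtrace log.

# Reads an xtrace log on stdin, prints the concatenated printf arguments.
rebuild_from_trace() {
    out=''
    while IFS= read -r line; do
        # Keep only trace lines of the form "<one or more +> printf %s <arg>".
        case $line in
            +*' printf %s '*) ;;
            *) continue ;;
        esac
        arg=${line#*"printf %s "}
        # xtrace single-quotes arguments that need it, e.g. ' ' for a space.
        case $arg in
            "'"*"'") arg=${arg#?}; arg=${arg%?} ;;
        esac
        out=$out$arg
    done
    printf '%s\n' "$out"
}

# Constructed sample trace (not the challenge output), with unrelated
# trace lines mixed in the way the DEBUG trap produces them.
sample_trace() {
    cat <<'EOF'
+ set -x
+++ printf %s e
+++ printf %s c
+++ printf %s h
+++ printf %s o
+++ printf %s ' '
++ sleep 5
+++ printf %s o
+++ printf %s k
+++ printf %s ' '
+++ printf %s #
+++ printf %s ' '
+++ printf %s x
EOF
}

sample_trace | rebuild_from_trace
```

On the real capture, `rebuild_from_trace < output` prints the whole decoded command on one line, comment included.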

Also available on my [Github](https://github.com/DaBaddest/CTF-Writeups/tree/master/RedPwn2020/uglybash)