Rating: 5.0

**Category**: Misc

The only clue we get is the problem description:

> Do you want to file a formal complaint? Use this address and we'll take care of redirecting it to /dev/null.

When I connect to the port I'm prompted for some input, and it seems that with almost anything I type nothing happens.

![enter image description here](https://i.imgur.com/2EZ7BKY.png)

That's appropriate. Operations are commonly redirected to */dev/null* to test if it has succeeded, regardless of output. In fact it discards the output entirely.

The shell program would look something like this:

[any user input] > /dev/null
Which explains why I've been getting no response.

To get around this I would need to block the redirection. If I type in `[command] #` I could get a command of my choice to run, while commenting out `> /dev/null` so that the result continues to print in stdout.

Now I still can't type in anything - it will be treated as a regular string and discarded. But I can use`eval` to parse and run other shell commands I'll need, like `ls` and `cd`. Let's try it with `ls`:

![enter image description here](https://i.imgur.com/c4V3pj1.png)

I can see `flag.txt` - the goal is to open it of course. But my options are limited: common tools like `more` and `cat`have been removed from this machine's binaries. Inspecting `bin` confirms this.

![enter image description here](https://i.imgur.com/61iConD.png)

What I can also see though, is `bash`. Running the host's bash shell directly would allow me to read the contents of `flag.txt` by redirection. This is actually unique to bash, and wouldn't work with dash or sh, which also exist in the host's machine.

When I run bash the program prompts me again, signalling that I've entered the shell. This also means I no longer need `eval` to run commands. I can run them directly, but now have to redirect to output to stdout myself using the appropriate [file descriptors](https://www.brianstorti.com/understanding-shell-script-idiom-redirect/).

![enter image description here](https://i.imgur.com/wepkbMw.png)
![enter image description here](https://i.imgur.com/x7MeEP4.png)

Now I can trick bash into letting me read the file:

![enter image description here](https://i.imgur.com/pwhkYvq.png)

Original writeup (https://github.com/bobschiffer/X-MAS-CTF-2020-Writeups/blob/master/complaint/complaints.md).