Tags: misc shell 

Rating: 5.0

# Shjail
**Category: Misc**

This challenge allows us to run a shell command on the remote system. The catch is that there is a character blacklist, and the output from commands you submit is hidden.

The source was provided:


while :
echo "What would you like to say?"
if [[ "$USER_INP" =~ ['&''$''`''>''<''/''*''?'txcsbqi] ]]; then
echo -e "${RED}Hmmmm, what are you trying to do?${END}"
OUTPUT=$($USER_INP) &>/dev/null
echo -e "${GREEN}The command has been executed. Let's go again!${END}"

The first thing I realized was that stdout is blocked, but stderr is actually available. For example:

What would you like to say?
The command has been executed. Let's go again!
Notice how `pwd` returns no output.

What would you like to say?
./shjail.sh: line 13: fake: command not found
But this nonexistant command does, since the output is written to stderr. Unfortunately, the operator to redirect stdout to stderr is blacklisted.

## Finding the flag
Next, we need to try and find where the flag file is. It is probably just `./flag.txt`, but this needs to be confirmed. We can't open it with `cat` since `t` is blocked, but we can use `od`. We can't write the `txt` part of `flag.txt`, or even use `flag.*`. We can write it out using bracket glob characters though. All together:

What would you like to say?
od flag.[a-z][a-z][a-z]
The command has been executed. Let's go again!

Since no file not found error was reported, we know the flag file is in the local directory.

## Opening the flag
From here we need a way to open the flag file in a way that prints the result to stderr. We can try and execute the file with a program that produces a verbose error message:

What would you like to say?
perl flag.[a-z][a-z][a-z]
Can't locate object method "flag" via package "w3ll_th1s_f1l3_sh0uldnt_h4v3_fl4g_1n_2738372131" (perhaps you forgot to load "w3ll_th1s_f1l3_sh0uldnt_h4v3_fl4g_1n_2738372131"?) at flag.txt line 1.

Perfect! This reveals the flag to be `flag{w3ll_th1s_f1l3_sh0uldnt_h4v3_fl4g_1n_2738372131}`.

Original writeup (https://github.com/ryan-cd/ctf/tree/master/2021/0x41414141/shjail).