Rating:

## smartcat3 (web)

This task was another web ping utility, similar to one from the teaser. We were able to submit a text, which would then
be passed to ping command, like so: ping -c 1 OUR_TEXT. This asks for shell command injection - it was not that easy
though, since server filtered most metacharacters, such as $&| and others. Some special characters were allowed though - in particular, <>(). Using those, and bash's so called "process substitution" (which we found in man bash), we were able to execute commands like ping -c 1 <(ls). Note that this did not give us any output on the web interface - the server returned only whether the command succeeded or not. First problem we had to deal with, was filtering of spaces. With $ disallowed too, we were not able to use \${IFS} or similar
constructs, but we could still redirect any text to any file, for example:

<(python<<<"print'%c%c'%(108,115)">/tmp/p4Rocks)

This command, when used in process substitution context, should create file /tmp/p4Rocks with ls in it (from ASCII codes).
Later, we could simply execute this script using `<(python

Original writeup (https://github.com/p4-team/ctf/tree/master/2016-03-18-insomnihack-final/web_smartcat3).