Rating: 4.0
The homepage shows us a monitor with a few options.
![image](https://user-images.githubusercontent.com/80063008/144765112-cc140c22-4ebb-4153-825f-04331c76f67c.png)
Clicking on them, we can see that each option runs a command on the server.
![image](https://user-images.githubusercontent.com/80063008/144765162-19be83f7-f559-43f6-88a8-45bb01219dc2.png)
The source code in /config/santa_mon.sh shows us how these commands are executed.
If we try our own command, like ```id```, we can see that it is executed.
However, if we try a command that contains a space, like ```ls -la```, we get no output.
Looking at the source code in /models/MonitorModel.php, we can see why. There is sanitization in place that replaces spaces with nothing, which makes our commands invalid.
A quick Google search for bypassing bash space restrictions turns up multiple suggestions on HackTricks:
https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions#bypass-forbidden-spaces
We know where to look for our flag thanks to the source code in /config/ups_manager.py.
I tried ${IFS} and it worked. I had to make sure to use the semicolon (```;```) bash operator to separate the command the bash script was expecting from my own.
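As an added illustration (not the challenge's own PHP or shell code), the following Python sketch contrasts the space-stripping filter described above with an allowlist dispatcher that never hands request text to a shell. The action names, the `santa_mon.sh` call shape and the sample payload string are constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the monitor page: each button name maps to a fixed argv.
# The request only selects a key; no request text ever reaches a shell.
MONITOR_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "memory": ["free", "-m"],
}

def weak_sanitize(user_input: str) -> str:
    """The filter the writeup describes: only spaces are removed.
    Shell metacharacters (';', '$', '{', '}') pass through untouched."""
    return user_input.replace(" ", "")

def vulnerable_shell_line(user_input: str) -> str:
    """What a shell would receive when the 'sanitized' input is concatenated into
    a command string (shell=True style). Returned, not executed, for inspection."""
    return "bash /config/santa_mon.sh " + weak_sanitize(user_input)  # hypothetical call shape

def has_shell_metacharacters(value: str) -> bool:
    """Detection helper for logs/inputs: flags what a space-stripping filter lets through."""
    return re.search(r"[;&|`$(){}<>\\\n]", value) is not None

def is_allowed_action(action: str) -> bool:
    """Allowlist check: the only inputs accepted are known action names."""
    return action in MONITOR_ACTIONS

def build_monitor_argv(action: str) -> list[str]:
    """Resolve an action name to a fixed argv list; anything else is rejected."""
    if not is_allowed_action(action):
        raise ValueError(f"unknown monitor action: {action!r}")
    return list(MONITOR_ACTIONS[action])

def run_monitor_action(action: str) -> str:
    """Execute with an argv list and no shell, so arguments cannot become new commands."""
    argv = build_monitor_argv(action)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    payload = "uptime;ls${IFS}-la"  # constructed sample mirroring the writeup's tokens
    print("shell would see:", vulnerable_shell_line(payload))
    print("flagged by detector:", has_shell_metacharacters(payload))
    print("allowlisted argv:", shlex.join(build_monitor_argv("disk")))
```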
HTB{54nt4_i5_th3_r34l_r3d_t34m3r}