The homepage shows us a monitor with a few options.

Clicking on them we can see they are commands being executed.

The source code /config/santa_mon.sh shows us how these commands are executed.


If we try our own command, like ```id``` we can see it is executed.


However if we try a command that has a space like ```ls -la``` for example. We do not get an output.


Looking at the source code in /models/MonitorModel.php, we can see why. There's sanitization in place to replace the space with nothing thus making our commands invalid.


A quick google to bypass bash space restrictions we can find multiple suggestions on hacktricks.

https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions#bypass-forbidden-spaces

We know where to look for our flag thanks to the source code in /config/ups_manager.py


I tried with ${IFS} and it worked. I had to make sure to use the semicolon ```;``` bash operator to separate the command that it was expecting from the bash script and my own.


HTB{54nt4_i5_th3_r34l_r3d_t34m3r}

Original writeup (https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Cyber%20Santa%20is%20Coming%20to%20Town%202021/Web/Gadget%20Santa.md).