Rating: 4.0

The homepage shows a monitor page with a few options.

Clicking on them, we can see that each option runs a command on the server.

The script at /config/santa_mon.sh shows how these commands are executed.

If we try our own command, like id, we can see that it is executed.

However, if we try a command that contains a space, like ls -la, we get no output.

Looking at the source code in /models/MonitorModel.php, we can see why: there is sanitization in place that replaces every space with nothing, which breaks any command that takes arguments.

A quick Google search for bypassing bash space restrictions turns up several suggestions on HackTricks:

https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions#bypass-forbidden-spaces

We know where to look for the flag thanks to the source code in /config/ups_manager.py.

I tried with ${IFS} and it worked. I had to make sure to use the bash semicolon operator ; to separate the command that the bash script was expecting from my own.
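
As an added illustration (not the challenge's own code): a small Python model of the space-stripping filter from MonitorModel.php, a detection check that shows why stripping spaces is not a fix, and the allowlist design that removes the shell from the picture. The option names and commands below are constructed for the example.

```python
import re
import subprocess
from typing import Optional

def naive_sanitize(cmd: str) -> str:
    """Constructed model of the challenge's filter: spaces are removed, nothing else."""
    return cmd.replace(" ", "")

# Shell control characters survive the filter untouched, and ${IFS} (the writeup's
# bypass) is just "$", "{", "}" to the filter. Any of these in a monitor request is
# worth flagging in logs, because the legitimate options never contain them.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")

def looks_like_injection(user_input: str) -> bool:
    """Detection heuristic: True if shell metacharacters remain after 'sanitization'."""
    return bool(SHELL_META_RE.search(naive_sanitize(user_input)))

# Hardened design: the monitor only ever offers a fixed set of commands, so map option
# names to argv lists and never let user text reach a shell. Commands are constructed
# stand-ins for the challenge's real monitor options.
ALLOWED_COMMANDS = {
    "kernel": ["uname", "-s"],
    "disk": ["df", "-h"],
    "uptime": ["uptime"],
}

def resolve_option(option: str) -> Optional[list]:
    """Return the fixed argv for a known option, or None for anything else."""
    return ALLOWED_COMMANDS.get(option)

def run_monitor_option(option: str) -> str:
    """Run an allowlisted option without a shell; unknown options are rejected outright."""
    argv = resolve_option(option)
    if argv is None:
        raise ValueError(f"unknown monitor option: {option!r}")
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```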

HTB{54nt4_i5_th3_r34l_r3d_t34m3r}

Original writeup (https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Cyber%20Santa%20is%20Coming%20to%20Town%202021/Web/Gadget%20Santa.md).