PatriotCTF 2024 — Really Only Echo
Hey, I have made a terminal that only uses echo, can you find the flag?
nc chal.competitivecyber.club 3333
We're given a Python server that looks like this:
Code (py):
1#!/usr/bin/python3
2
3import os,pwd,re
4import socketserver, signal
5import subprocess
6
7listen = 3333
8
9blacklist = os.popen("ls /bin").read().split("\n")
10blacklist.remove("echo")
11#print(blacklist)
12
13def filter_check(command):
14 user_input = command
15 parsed = command.split()
16 #Must begin with echo
17 if not "echo" in parsed:
18 return False
19 else:
20 if ">" in parsed:
21 #print("HEY! No moving things around.")
22 req.sendall(b"HEY! No moving things around.\n\n")
23 return False
24 else:
25 parsed = command.replace("$", " ").replace("(", " ").replace(")", " ").replace("|"," ").replace("&", " ").replace(";"," ").replace("<"," ").replace(">"," ").replace("`"," ").split()
26 #print(parsed)
27 for i in range(len(parsed)):
28 if parsed[i] in blacklist:
29 return False
30 return True
31
32def backend(req):
33 req.sendall(b'This is shell made to use only the echo command.\n')
34 while True:
35 #print("\nThis is shell made to use only the echo command.")
36 req.sendall(b'Please input command: ')
37 user_input = req.recv(4096).strip(b'\n').decode()
38 print(user_input)
39 #Check input
40 if user_input:
41 if filter_check(user_input):
42 output = os.popen(user_input).read()
43 req.sendall((output + '\n').encode())
44 else:
45 #print("Those commands don't work.")
46 req.sendall(b"HEY! I said only echo works.\n\n")
47 else:
48 #print("Why no command?")
49 req.sendall(b"Where\'s the command.\n\n")
50
51class incoming(socketserver.BaseRequestHandler):
52 def handle(self):
53 signal.alarm(1500)
54 req = self.request
55 backend(req)
56
57
58class ReusableTCPServer(socketserver.ForkingMixIn, socketserver.TCPServer):
59 pass
60
61
62def main():
63 uid = pwd.getpwnam('ctf')[2]
64 os.setuid(uid)
65 socketserver.TCPServer.allow_reuse_address = True
66 server = ReusableTCPServer(("0.0.0.0", listen), incoming)
67 server.serve_forever()
68
69if __name__ == '__main__':
70 main()We're given a shell, but all binaries in /bin except echo are banned (and indeed, we're forced to have at least one echo in our input).
We can run an equivalent of ls with echo * to see our target, flag.txt in the same directory:
At first glance, we can try using echo $(<flag.txt) to concatenate and print the flag file with echo, but unfortunately $(<) is a bash-exclusive construct which won't work on Python's default shell sh.
Still, a clue lies in the way the server checks our input for banned commands:
Code (py):
1 parsed = command.replace("$", " ").replace("(", " ").replace(")", " ").replace("|"," ").replace("&", " ").replace(";"," ").replace("<"," ").replace(">"," ").replace("`"," ").split()
2 #print(parsed)
3 for i in range(len(parsed)):
4 if parsed[i] in blacklist:
5 return FalseWhile they seemingly account for trying to escape the plaintext blacklist check using characters like (, &, and ;, they don't account for }.
Thus, we can run any command by using shell variable expansion and $IFS a la
Code (bash):
1echo *;${IFS}command(remembering to have at least one echo in the command to satisfy the filter).
Finally, we can run
Code (bash):
1echo *;${IFS}cat flag.txtto cat the flag.