GO DIRECTLY TO JAIL DO NOT PASS GO, DO NOT COLLECT $200.

Category: misc

Solver: sohn123

Flag: GPNCTF{AlMI6h7Y_GLob_oP3R4ToR_s7RIKe5_AgAin!}

Writeup

Understanding where we are

We have no files for this challenge; we can only connect via netcat. When we enter random input, we sometimes get error messages. For example, entering d produces dc: stack empty. Googling that error, we found out that we are in the Linux tool dc, which is a calculator. The relevant documentation with all commands can be found here. We see that we can execute system commands using !.

Using the command execution

We start by exploring the file system using !ls.

Get Flag              install               showkey
Get out of Jail Free  ipcrm                 shred
[                     ipcs                  shuf
[[                    killall               socat
awk                   last                  socat1
basename              ldd                   sort
bc                    less                  split
beep                  logger                ssl_client
blkdiscard            lsof                  strings
bunzip2               lsusb                 sum
bzcat                 lzcat                 tac
bzip2                 lzma                  tail
cal                   lzopcat               tee
chvt                  md5sum                test
cksum                 mesg                  time
clear                 microcom              timeout
cmp                   mkfifo                top
comm                  mkpasswd              tr
cpio                  nc                    traceroute
crontab               nl                    traceroute6
cryptpw               nmeter                tree
cut                   nohup                 truncate
dash                  nproc                 tty
dc                    nsenter               ttysize
deallocvt             nslookup              udhcpc6
diff                  od                    unexpand
dirname               openvt                uniq
dos2unix              passwd                unix2dos
du                    paste                 unlink
eject                 pgrep                 unlzma
env                   pkill                 unlzop
expand                pmap                  unshare
expr                  printf                unxz
factor                procan                unzip
fallocate             pscan                 uptime
filan                 pstree                uudecode
find                  pwdx                  uuencode
flock                 readlink              vi
fold                  realpath              vlock
free                  renice                volname
fuser                 reset                 wc
getconf               resize                wget
getent                scanelf               which
groups                seq                   who
hd                    setkeycodes           whoami
head                  setsid                whois
hexdump               sha1sum               xargs
hostid                sha256sum             xxd
iconv                 sha3sum               xzcat
id                    sha512sum             yes

When we try to execute !'./Get Flag' we get permission denied, so we probably have to use the Get out of Jail Free binary. The listing shows that this binary has the setuid bit set and is owned by root, so it can change the user and we can become root:

495015270 20.0K -r-sr-xr-- 1 root jail0 18.2K Jun 20 10:44 Get out of Jail Free

However, when we run this binary and enter something, we just get back \x07 (the bell character). We think that our input is somehow filtered.

Our idea is to pipe the commands we want to execute directly into the binary. We can create files in /tmp, so we run

!echo '"/usr/bin/Get Flag"' > /tmp/test

and then

!'./Get out of Jail Free' < /tmp/test

This way there is no input filtering and we get the flag GPNCTF{AlMI6h7Y_GLob_oP3R4ToR_s7RIKe5_AgAin!}
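The permission string in the listing line above is what tells us the binary runs as root. As an added example (not part of the original writeup or the challenge), this shell function decodes such a line and reports the setuid bit, the owner and group, and which permission classes may execute the file; the helper name describe_mode is hypothetical and the sample input is the line quoted above.

```shell
#!/bin/sh
# Added example (not from the writeup): decode an `ls -l` style line.

# Constructed sample input: the listing line quoted in the writeup.
SAMPLE='495015270 20.0K -r-sr-xr-- 1 root jail0 18.2K Jun 20 10:44 Get out of Jail Free'

# describe_mode LINE   (hypothetical helper name)
# Prints: setuid=<yes|no> owner=<user> group=<group> exec=<classes>
describe_mode() {
    set -f; set -- $1; set +f     # split on whitespace without globbing
    mode=''
    # Skip leading columns (inode, block count) until the mode string.
    while [ $# -ge 4 ]; do
        case $1 in
            [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT])
                mode=$1 owner=$3 group=$4
                break ;;
        esac
        shift
    done
    [ -n "$mode" ] || return 1

    u=$(printf %s "$mode" | cut -c4)    # owner execute slot
    g=$(printf %s "$mode" | cut -c7)    # group execute slot
    o=$(printf %s "$mode" | cut -c10)   # other execute slot

    # 's' = setuid and executable, 'S' = setuid but not executable.
    case $u in s|S) suid=yes ;; *) suid=no ;; esac

    exec_by=''
    case $u in x|s) exec_by=owner ;; esac
    case $g in x|s) exec_by=${exec_by:+$exec_by,}group ;; esac
    case $o in x|t) exec_by=${exec_by:+$exec_by,}other ;; esac

    printf 'setuid=%s owner=%s group=%s exec=%s\n' \
        "$suid" "$owner" "$group" "${exec_by:-none}"
}

describe_mode "$SAMPLE"
```

For the line from the listing, the group slot is x and the other slot is -, so only root and members of jail0 can start the binary, and it then runs with root's effective uid.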