TJCSC
PresentationsCTFWriteups

Table of Contents

picoGym - Specialer

by Brian Ho on 2/20/2024

Specialer is a challenge from picoCTF 2023. It is in the ‘General Skills’ category and worth 400 points.

Description

Reception of Special has been cool to say the least. That’s why we made an exclusive version of Special, called Secure Comprehensive Interface for Affecting Linux Empirically Rad, or just ‘Specialer’. With Specialer, we really tried to remove the distractions from using a shell. Yes, we took out spell checker because of everybody’s complaining. But we think you will be excited about our new, reduced feature set for keeping you focused on what needs it the most. Please start an instance to test your very own copy of Specialer. Additional details will be available after launching your challenge instance.

Provided in my challenge instance:

  • ssh -p 49322 ctf-player@saturn.picoctf.net
  • password: 483e80d4

Exploration

After connecting to the challenge, I first ran some basic commands to see what was going on.

Specialer$ ls bash: ls: command not found

Command not found. Alright, let’s run compgen -c to list all the commands available to us. I actually found out about this command from a Linux commands video. Never thought that would come in handy.

Specialer$ compgen -c if then else elif fi case esac for select while until do done in function time { } ! [[ ]] coproc . : [ alias bg bind break builtin caller cd command compgen complete compopt continue declare dirs disown echo enable eval exec exit export false fc fg getopts hash help history jobs kill let local logout mapfile popd printf pushd pwd read readarray readonly return set shift shopt source suspend test times trap true type typeset ulimit umask unalias unset wait bash

There are quite a few commands available, but what is significant are the echo and cd comamnds. Let’s run echo * to list the files, since we can’t use ls.

Specialer$ echo * abra ala sim

Ok, let’s cd into abra.

Specialer$ cd abra Specialer$ pwd /home/ctf-player/abra

Great. It worked.

Let’s run echo * to list the files agian.

Specialer$ echo * cadabra.txt cadaniel.txt

Ok. Some txt files. Now to open the contents without the availability of cat, with some research I found about the structure echo "$(<filename)" which substitutes the cat command.

Specialer$ echo "$(<cadabra.txt)" Nothing up my sleeve!

Solution

After going through all of the directories and files, I found the flag in the ala directory.

Specialer$ cd ala Specialer$ pwd /home/ctf-player/ala Specialer$ echo * kazam.txt mode.txt Specialer$ echo "$(<kazam.txt)" return 0 picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_d5ef8b71}

Nice!

Flag

picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_d5ef8b71}
TJCSC FacebookTJCSC CTFTJCSC Discord