
Bash is always awesome. As a CTF player, I’ve tried a few jail challenges based on the bash shell.

Last night, my friend asked me to help solve a pwnable.kr problem - another jail.

We can input a string; if it passes the filter function, it is executed in rbash (restricted bash) with no initial environment. The filter function works like this:

  1. No unprintable characters
  2. No alphanumeric characters
  3. No characters from this blacklist: [`, !, &, |, ", \, ', *]
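
To see what these three rules actually leave open, here is an added example (not code from the challenge or from the bashfuck project) that reimplements the filter as described above and lists the characters it still accepts. The function names and the `SHELL_ACTIVE` set are assumptions made for illustration, and the blacklist is assumed to use plain ASCII quotes.

```python
# Added example: the filter rules from the post, plus an audit of what they
# still let through. Names below are hypothetical, not from the challenge.

# Rule 3 blacklist as listed in the post (assuming plain ASCII quotes).
BLACKLIST = set('`!&|"\\\'*')

# Characters bash gives syntactic meaning to: expansion, grouping,
# command separation, redirection, globbing, tilde expansion, comments.
SHELL_ACTIVE = set('$(){};<>?[]~#')


def rejected_by(s):
    """Return the number of the first rule that rejects s, or None if it passes."""
    for ch in s:
        if not 0x20 <= ord(ch) <= 0x7E:
            return 1  # rule 1: unprintable (or non-ASCII) character
        if ch.isalnum():
            return 2  # rule 2: alphanumeric character
        if ch in BLACKLIST:
            return 3  # rule 3: blacklisted character
    return None


def passes_filter(s):
    return rejected_by(s) is None


def surviving_chars():
    """Every printable ASCII character the filter accepts."""
    return "".join(c for c in map(chr, range(0x20, 0x7F)) if passes_filter(c))


def residual_shell_syntax():
    """Shell-active characters that still reach the shell after filtering."""
    return sorted(SHELL_ACTIVE & set(surviving_chars()))


if __name__ == "__main__":
    print("accepted characters:", repr(surviving_chars()))
    print("shell syntax still reachable:", " ".join(residual_shell_syntax()))
    for sample in ("ls", "`", "$_"):  # constructed inputs; $_ is from the post
        print(repr(sample), "-> rejected by rule", rejected_by(sample))
```

The blacklist removes 8 of the 33 non-alphanumeric printable characters, so 25 remain, including `$`, `{`, `}` and `_`, which is why a character blacklist is a weak boundary in front of a shell.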

So I took a shot at it.

Not that hard, in my opinion. You can still use shell variables, and there’s a good predefined one:

$_=/bin/rbash

We can use some basic bash string operators to reshape it into the command we want.

/bin/rbash -> hash -> help -> (our command)

You got the idea, huh? So I’ve extended it into a larger case and named the project bashfuck (cuz it’s weird like other languages: brainfuck, jsfuck).

You can find the source code here: bashfuck 🙂

Have fun guys! 😀