Special

Published: April 26, 2023

Description

Special autocorrects every shell command, so you must abuse parameter expansion and braces to execute raw commands and leak the flag.

SSH to saturn.picoctf.net on port 56058 with the supplied password.

Experiment with bash parameter expansion to bypass the forced capitalization/rewriting and run arbitrary commands under the hood.

ssh -p 56058 ctf-player@saturn.picoctf.net
d8819d45
${parameter=ls blargh}
${parameter=cat < blargh/flag.txt}

Solution

  1. Step 1: Probe the sanitizer
    Simple commands like ls or cat are rewritten, but parameter-expansion expressions remain untouched. Start with harmless testers such as ${parameter=ls}.

    Shell command sanitizers - filters that modify or block certain commands - are often implemented by string-matching against the user's input. In this challenge, the "Special" shell rewrites recognized command names (like ls or cat) to non-functional equivalents. However, the sanitizer likely checks for the literal word at the start of the input and does not understand all of Bash's syntax.

    Bash parameter expansion is a feature where ${var} substitutes the value of a variable. The form ${parameter=word} is an assign default expansion: if parameter is unset or null, it is set to word and that value is substituted. The shell then tries to execute the resulting string as a command. Because the sanitizer sees an expression beginning with ${, not a bare command name, it may not recognize or block it.

    This is a classic example of a restricted shell escape. Bash has many such mechanisms: aliases, functions, command substitution ($(cmd)), process substitution (<(cmd)), and brace expansion. Restricted shells (rbash) or CTF jail shells try to block these, but subtle gaps in coverage often allow escapes. Understanding Bash's grammar deeply is the key to finding such gaps.

  2. Step 2: Chain the exploit
    Navigate into blargh/ using sanitized cd, then use ${parameter=ls blargh} to list the directory and ${parameter=cat < blargh/flag.txt} to read the flag.

    The < redirection operator in ${parameter=cat < blargh/flag.txt} redirects the file as stdin to cat. This is equivalent to cat blargh/flag.txt but uses input redirection rather than a positional argument. Some sanitizers block arguments to cat but not stdin redirection, making this an alternative bypass technique even when direct arguments are filtered.

    In real-world scenarios, restricted shell escapes are relevant to: jail environments in CTF SSH challenges, git-shell and rssh (restricted shells for git/rsync access), kiosk terminals that lock users to a limited interface, and container environments that use shell restrictions instead of proper namespacing. The lesson is that purely string-based command filtering is fragile - the only reliable approach is a proper whitelist with a parser that understands the full shell grammar, or switching to a non-shell interface entirely.

    Other common restricted shell escape techniques include: using awk, python, perl, or vim's :! command to execute arbitrary code; leveraging SUID binaries accessible from the restricted environment; or abusing wildcard expansion to pass unexpected arguments to commands.
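    The two steps above, and the closing lesson that string-based filtering is fragile, can be checked against a small model. The following is an added example, not the challenge's source or anything from picoCTF: it assumes the "Special" shell behaves like a filter that only inspects the literal first word of the input (an assumption about how such rewriters are typically built), and contrasts that with an allowlist check that tokenizes the line and rejects any shell metacharacter before deciding. The sample command lines are constructed for the demonstration; nothing is executed.

```python
import shlex

# Constructed model of a first-word rewriting filter in the spirit of the
# challenge's autocorrecting shell. This is an assumption about how such
# filters are built, not the challenge's actual implementation.
REWRITES = {"ls": "Ls", "cat": "Cat", "cd": "Cd"}


def naive_rewrite(cmd: str) -> str:
    """Rewrite a recognised leading command name; leave everything else as-is.

    Because only the literal first word is compared, an input whose first
    'word' is a parameter expansion such as ${parameter=ls ...} is returned
    unchanged, which is exactly the blind spot the writeup exploits.
    """
    first, _, rest = cmd.strip().partition(" ")
    if first in REWRITES:
        return (REWRITES[first] + " " + rest).strip()
    return cmd.strip()


# Characters that give the shell a chance to do something other than run a
# plain command with plain arguments: expansions, redirections, pipelines,
# command substitution, globbing and quoting.
SHELL_META = set("$`(){}<>|&;*?~\\\"'")
ALLOWED = {"ls", "cat", "cd", "pwd"}


def strict_allow(cmd: str) -> bool:
    """Allowlist check: tokenize the line and refuse anything with metacharacters.

    This is the 'parser-backed whitelist' approach: the decision is made on
    the structure of the line, not on whether a known command name appears
    at position zero.
    """
    if any(ch in SHELL_META for ch in cmd):
        return False
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return False
    return bool(tokens) and tokens[0] in ALLOWED


def is_blind_spot(cmd: str) -> bool:
    """True when the naive filter lets the line through untouched but the
    structural check rejects it, i.e. the naive filter missed something."""
    return naive_rewrite(cmd) == cmd.strip() and not strict_allow(cmd)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the writeup's probing and exploit steps.
    samples = [
        "ls",
        "cd blargh",
        "${parameter=ls}",
        "${parameter=ls blargh}",
        "${parameter=cat < blargh/flag.txt}",
        "cat < blargh/flag.txt",
    ]
    for line in samples:
        print(f"{line!r:40} naive->{naive_rewrite(line)!r:40} "
              f"strict={strict_allow(line)} blind_spot={is_blind_spot(line)}")
```

Running the block prints one row per sample: the plain ls and cd lines are rewritten by the naive filter and accepted by the strict check, while every ${parameter=...} line passes through the naive filter untouched yet is rejected by the strict check. The stdin-redirection variant shows the same gap from the other direction: the naive filter "handles" it by rewriting cat, but a filter that only inspected arguments would not have noticed the < at all, whereas the metacharacter rule catches it regardless of where it appears.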

Flag

picoCTF{5p311ch3ck_15_7h3_w0...35}

Any creative use of ${parameter=...} (or similar expansion) that runs cat on blargh/flag.txt yields the answer.
