Description
Specialer offers a crippled shell with only a few commands that still obey tab completion. Explore its limited filesystem to find the hidden magician’s note.
Setup
SSH to saturn.picoctf.net on port 57125 with the provided password.
Use tab completion inside each directory to discover files, then rely on echo "$(<file)" to print them since cat is unavailable.
ssh -p 57125 ctf-player@saturn.picoctf.net
483e80d4
cd abra && echo "$(<cadabra.txt)"
cd ../ala && echo "$(<kazam.txt)"
Solution
- Step 1List allowed commandsPress Tab twice to see the approved verbs. Standard tools are missing, but cd, ls, and echo survive under slightly different syntax.
- Step 2Traverse directoriesMove through abra/ and ala/, reading each *.txt file with echo "$(<file.txt)". The flag resides inside ala/kazam.txt.
Flag
picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01...8b71}
The spell checker may be gone, but shell globbing still reveals the hidden text file.