picoCTF Solutions
picoCTF 2023General SkillsMedium

Specialer

Published: April 26, 2023

Description

Specialer offers a crippled shell with only a few commands that still obey tab completion. Explore its limited filesystem to find the hidden magician's note.

Setup

SSH to saturn.picoctf.net on port 57125 with the provided password.

Use tab completion inside each directory to discover files, then rely on echo "$(<file)" to print them since cat is unavailable.

ssh -p 57125 ctf-player@saturn.picoctf.net
483e80d4
cd abra && echo "$(<cadabra.txt)"
cd ../ala && echo "$(<kazam.txt)"

Solution

  1. Step 1List allowed commands
    Press Tab twice to see the approved verbs. Standard tools are missing, but cd, ls, and echo survive under slightly different syntax.
    Learn more

    Double-Tab in Bash triggers command completion, which lists all executable commands available in $PATH. In a restricted jail shell, $PATH is deliberately limited to a small set of directories containing only the allowed binaries. This makes Tab-Tab an efficient way to enumerate what tools are available without typing commands blindly.

    Even with a minimal command set, Bash's built-in commands (cd, echo, pwd, read, test, etc.) remain available because they are compiled into the shell itself and do not require external binaries. The challenge here is using only these builtins to achieve the goal of reading a file.

    Understanding which features are built into the shell versus which require external programs is a valuable skill. When a binary is missing, builtins like echo, printf, read, and redirection operators can often replicate its behavior. This knowledge is useful both in CTF jail escapes and in minimal environments like BusyBox-based Linux distributions (routers, embedded systems) where many standard tools are absent.

  2. Step 2Traverse directories
    Move through abra/ and ala/, reading each *.txt file with echo "$(<file.txt)". The flag resides inside ala/kazam.txt.
    Learn more

    The construct echo "$(<file.txt)" is a Bash-specific shorthand for echo "$(cat file.txt)". The <file inside $(...) is a command substitution that reads the file and substitutes its contents as the argument to echo. Since echo is a built-in and $(<file) uses only shell redirection, this works even when cat is absent from the system.

    Tab completion reveals filenames when navigating directories without ls: typing echo $(< and then pressing Tab will list files in the current directory that the shell can complete. This technique - using completion as a discovery tool - is particularly useful in shells where ls is blocked but completion still functions.

    The challenge name "Specialer" (harder than "Special") reflects the tighter restrictions: whereas Special could be broken with parameter expansion, Specialer requires finding creative solutions using only the most fundamental shell features. Both challenges teach the same underlying lesson: language/shell restrictions based on command names are fundamentally weaker than architectural restrictions (seccomp, namespaces, containers) that limit the actual system calls available.

Flag

picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01...8b71}

The spell checker may be gone, but shell globbing still reveals the hidden text file.

Want more picoCTF 2023 writeups?

Browse picoCTF 2023Full library

Useful tools for General Skills

Related reading

What to try next