picoCTF Solutions
picoCTF 2023General SkillsMedium

Specialer picoCTF 2023 Solution

Published: April 26, 2023

Description

Specialer offers a crippled shell with only a few commands that still obey tab completion. Explore its limited filesystem to find the hidden magician's note.

Setup

SSH to saturn.picoctf.net on port 57125 with the provided password.

Use tab completion inside each directory to discover files, then rely on echo "$(<file)" to print them since cat is unavailable.

bash
ssh -p 57125 ctf-player@saturn.picoctf.net
bash
483e80d4
bash
cd abra && echo "$(<cadabra.txt)"
bash
cd ../ala && echo "$(<kazam.txt)"

Solution

Walk me through it
  1. Step 1List allowed commands
    Press Tab twice to see the approved verbs. Standard tools are missing, but cd, ls, and echo survive under slightly different syntax.
    Learn more

    Double-Tab in Bash triggers command completion against everything in $PATH. In a jail shell $PATH is pruned to a tiny whitelist, so Tab-Tab is essentially a directory listing of the allowed binaries. Built-ins like cd, echo, pwd, and read still show up because they live inside the shell binary itself, not in $PATH.

    The discovery technique also extends to filenames. Type echo $(< and press Tab in the current directory: Bash offers completions for files that match the partial substitution prefix, even though ls is blocked. Press Tab on a partial filename like echo $(<cad and it will complete to cadabra.txt if it exists. That is enumeration without ever running an enumeration command.

    When standard tools vanish, knowing which features are built into the shell versus which need an external program is the entire game. echo, printf, read, redirection, and globs cover most file-inspection tasks. The same skill helps in BusyBox and Alpine environments where cat may exist but most GNU coreutils do not.

  2. Step 2Traverse directories
    Move through abra/ and ala/, reading each *.txt file with echo "$(<file.txt)". The flag resides inside ala/kazam.txt.
    Learn more

    The mechanism behind $(<file) is worth understanding. Inside a command substitution, <file opens the file as standard input to an empty command. Because the command produces no output of its own, the substitution captures the file's contents verbatim. It is exactly equivalent to $(cat file) minus the cat invocation, which is why it works when cat is missing.

    Test the glob bypass too: echo $(<*) expands the glob to the only matching file in the directory and reads it through the same redirection trick. If multiple files match, Bash will error out (you cannot read multiple files into one substitution that way), which itself is a useful enumeration signal. cd still works with paths but rejects flags here, so navigate with bare directory names like cd ../ala.

    The pattern carries the same lesson as Special: filtering by command name is fragile. The robust way to lock down a shell is at the architectural layer (seccomp, mount namespaces, read-only filesystems) rather than by removing names from $PATH. See Linux CLI for CTFs for more shell-restriction patterns.

Flag

picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01...8b71}

The spell checker may be gone, but shell globbing still reveals the hidden text file.

Want more picoCTF 2023 writeups?

Browse picoCTF 2023Full library

Useful tools for General Skills

Related reading

What to try next