Month: December 2022

Writeup: no_util

Our first misc challenge! This one felt reminiscent of overthewire’s Bandit series, which are a good introduction to the command line.

GNU Coreutils are too bloated.
That's why minimalists use Busybox.
But the TRUE masters don't even need that.

flag.txt is around here somewhere ~_~
but I lost it in this cluttered filesystem o_o
can you help me find it? UwU

^-^ ls
bash: ls: command not found

So, we’ve got nothing to work with besides bash builtins. This is gonna be hard! We unfortunately can’t mount the filesystem remotely, as the machine we ssh to isn’t the machine that the challenge is located on. 

sshfs noutil@chal.ctf-league.osusec.org:/ ~/temp
noutil@chal.ctf-league.osusec.org's password: 
remote host has disconnected

So! What do we have access to? Tab completion, for loops, echo, cd, variables, globbing, and functions. We can use these bash builtins to build some functionality that might be helpful.

^-^ cd /
^-^ echo *
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var

OK, so echo * is basically ls. From here, we can start recursively jumping around directories and looking for a file named flag.txt.

Most recursion requires a function that calls itself, so let’s start with that.

function find {
    find;
}

👍

Now simply write the necessary functionality!

function find {
    for f in *;
    do if [[ -d $f && ! -L $f ]];
    then
        cd "$f";
        find;
        cd ..;
    elif [ $f == 'flag.txt' ] 
    then 
        echo `pwd`/$f;
    fi;
done

Line by line:

function find {
    for f in *; # Loop through all files in current directory
    do if [[ -d $f && ! -L $f ]]; # If is a directory and not a symbolic link

We don’t want to follow symbolic links, as that could lead to infinite loops, as well as breaking our depth-first search.

elif [ $f == 'flag.txt' ] 
then 
    echo `pwd`/$f;
fi;

Our base case! This is pretty self explanatory.

So, what does this function do when run? 

^-^ find
bash: [: too many arguments
/usr/lib/share/misc/flag.txt

Nice! Let’s print it out by reading the contents and “executing” them. 

$(</usr/lib/share/misc/flag.txt)
bash: osu{b4$h_i5_p1en7y}: command not found