search

Eevee Jail - 2

This time we are given a simple Bash jail

#!/bin/sh

echo "========================
=    Eevee's Jail 2    =
========================"

while :
do
	read -p "[+] > " huh
	o=`$huh`
done

also a Docker setup file

  1. sudo docker build --no-cache -t jail-3 .

  2. sudo docker run --name eevee-jail-3 -p 9003:9003 --network custom-network -d jail-3

Now this is a funny challenge with a LOT of attempts. There were no blacklisted inputs or anything at all. It only passes our inputs to $huh variable. It was a command substitution of some sort. I tried to directly read the flag and test some invalid shell commands:

❯ nc 157.180.92.15 9002

========================
=    Eevee's Jail 2    =
========================
[+] > cat flag.txt
cat flag.txt
...
...
[+] > lol
/jail-2/jail-2.sh: 1: lol: not found
[+] >

So from here, we can observe that the valid command cat flag.txt is executing but not appearing in stdout . I also tried bash and sh . Funnily enough they work but we are still in the jail and unable to see the output.

I tried using the * command which tries to match all files in the current directory

This confirms that we are in the current directory and we just have to directly read flag.txt . After that, I tested the . command which is similar to source to execute the contents of flag.txt

Its erring out and partially leaking the flag and this is where it gets funny if I tried this on the normal prompt it doesn't work lmaoo. I still dk why

Okay so the focus was on the shell prompt, its erring out so we can try to debug that using the set -x command and try . flag.txt again

And there's the flag

Flag: bbctf{wow, thats interesting}

PreviousEevee Jail - 5NextEevee Jail - 3

Last updated