search

Eevee Jail - 3

Note: I didn't solve this one, but I learned something new, wanted to do the writeup either way. This challenge has 2 solutions

hashtag
1'st Solution (Intended)

This one was also a Bash jail

#!/bin/bash

echo "========================
=    Eevee's Jail 3    =
========================"

function blacklist {
	if [[ $1 == *[abcdfgijklquwxz'/''<''>''&''$']* ]]
	then
    		return 0
	fi

	return 1
}

while :
do
        read -p "[+] > " huh
	if blacklist "$huh"
	then
		echo -e '[!] Mission Failed'
	else
		output=`$huh < /dev/null` &>/dev/null
		echo "Command executed"
	fi
done

We have a lot of blacklisted characters:

And it directs our input from /dev/null to /dev/null ? Honestly, I don't even understand what's going on bruv.

This is the key part actually, the challenge also came with a Docker setup file

  1. sudo docker build --no-cache -t jail-3 .

  2. sudo docker run --name eevee-jail-3 -p 9003:9003 --network custom-network -d jail-3

It was on the same network as the previous Bash jail and the technique to use is an Out-Of-Band exfiltration

If we input any normal commands we get a "Mission Failed" message but if we test it with python3 we dont receive the message which means it executed. From here we host a Python webserver

And in the jail 2 challenge we enter bash and curl the flag with 1>&2 to redirect stdout to stderr because stdout was suppressed due to /dev/null

Flag: bbctf{you really escape the prison this way huh?}

hashtag
2'nd Solution (Unintended)

Now this was also a cool way. Because stdout was suppressed, we can leak the flag through python3 but by using Python's SyntaxError message.

We use the * command which tries to execute the script in the cwd which is flag.txt but when Python finds that flag.txt is not a valid executable file it outputs the error line with the contents itself

Very cool stuff

PreviousEevee Jail - 2NextPwn

Last updated