Specialer
- Description: Reception of Special has been cool to say the least. That's why we made an exclusive version of Special, called Secure Comprehensive Interface for Affecting Linux Empirically Rad, or just 'Specialer'. With Specialer, we really tried to remove the distractions from using a shell. Yes, we took out spell checker because of everybody's complaining. But we think you will be excited about our new, reduced feature set for keeping you focused on what needs it the most. Please start an instance to test your very own copy of Specialer.
- Difficulty: Medium
🔎 Solution
After connecting to the environment, I tested a few commands to see what was allowed. Some worked, others didn't:
Specialer$ clear
-bash: clear: command not found
Specialer$ pwd
/home/ctf-player
To explore further, I tried pressing tab twice to trigger autocomplete and check which commands were available.
It revealed a list of allowed commands:
! bind compopt elif fc if printf shift true while
./ break continue else fg in pushd shopt type {
: builtin coproc enable fi jobs pwd source typeset }
[ caller declare esac for kill read suspend ulimit
[[ case dirs eval function let readarray test umask
]] cd disown exec getopts local readonly then unalias
alias command do exit hash logout return time unset
bash compgen done export help mapfile select times until
bg complete echo false history popd set trap wait
Since ls wasn't available, the next option was to use shell expansion.
Running echo * revealed three entries:
Specialer$ echo *
abra ala sim
Each folder could be navigated using cd, and contents could be listed the same way:
Specialer$ cd abra
Specialer$ echo *
cadabra.txt cadaniel.txt
After wandering around for a bit, I eventually found the flag inside ala/kazam.txt.
Without cat, reading the file required using a different approach:
Specialer$ printf "%s\n" "$( < kazam.txt )"
return 0 picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_38f5cc78}
Since commands like for and while were available, another possible approach would have been automating the process with a small script to traverse and dump contents.
But in the end, manual exploration worked just fine.
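The automation mentioned above, as an added example that is not part of the original write-up: a recursive walker that uses only builtins from the autocomplete list (`for`, `while`, `[`, `cd`, `read`, `printf`). The names `dump_tree` and `make_demo_tree` and the sample file contents are constructed here, and it assumes the restricted shell permits subshells.

```shell
#!/bin/bash
# Added example: walk a tree and print every file with builtins only
# (for, [, cd, read, printf), so no ls, cat or find is needed.

# dump_tree DIR [LABEL]: the "( ... )" body is a subshell, so cd and the
# loop variables stay local to each level of the recursion.
dump_tree() (
    cd "$1" || exit 1
    prefix=${2:-$1}
    for entry in * .[!.]*; do
        # An unmatched glob is left as literal text; skip it.
        [ -e "$entry" ] || continue
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            # Symlinked directories are skipped to avoid loops.
            dump_tree "$entry" "$prefix/$entry"
        elif [ -f "$entry" ] && [ -r "$entry" ]; then
            printf '== %s ==\n' "$prefix/$entry"
            # "|| [ -n ... ]" keeps a last line with no trailing newline.
            while IFS= read -r line || [ -n "$line" ]; do
                printf '%s\n' "$line"
            done < "$entry"
        fi
    done
)

# Constructed sample tree using the directory names from the write-up.
# Setup needs mktemp/mkdir, which exist on a normal host, not in Specialer.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/abra" "$root/ala" "$root/sim"
    printf 'constructed line\n' > "$root/abra/cadabra.txt"
    printf 'return 0 FLAG{constructed_placeholder}' > "$root/ala/kazam.txt"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree) && (cd "$demo" && dump_tree .) && rm -rf "$demo"
```

Because every step is a builtin, removing binaries from the PATH does not stop file reads; confinement has to come from file permissions or a sandbox around the shell.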
🚩 Flag
picoCTF{y0u_d0n7_4ppr3c1473_wh47_w3r3_d01ng_h3r3_38f5cc78}