niteCTF 2023 - German Shell - Writeup
Challenge Setup
- Challenge Name: German Shell
- Challenge Category: Reverse Engineering
Challenge handout only consisted of a remote endpoint to connect to over netcat and the filepath at which the flag is located on the remote server.
The flag is located at /var/quantumLava/flag.txt
Once connected to the remote server, you are given a shell for you to execute commands on. But any user input is garbled via some unknown process:
$ This is some text right here
/bin/sh: 1: frdf/pcabj/jmsg/pwxa/yn/vkiT: not found
Let’s reverse it, to get the flag
Solving the challenge
First thing I did, was to see how the garbleing treats equal prefixes. I wanted to answer questions such as:
- Is the garbling process deterministic?
- When garbling the input, do garbled characters depend on previous characters?
With the following test:
$ This is some text right here
/bin/sh: 1: frdf/pcabj/jmsg/pwxa/yn/vkiT: not found
$ This is other text
/bin/sh: 1: knth+dprcw+yn+vkiT: not found
you can observe:
- The prefix has disappeared
- The two garbled outputs have a shared suffix
From this we can conclude that the garbling process first reverses the user input.
Some more experimentation:
$ a
/bin/sh: 1: a: not found
$ aa
/bin/sh: 1: ba: not found
$ aaa
/bin/sh: 1: cba: not found
$ aaaa
/bin/sh: 1: dcba: not found
$ aaaaa
/bin/sh: 1: edcba: not found
$ aaaaaa
/bin/sh: 1: fedcba: not found
reveals that ever-increasing sequences of ‘a’ spell out the alphabet in reverse.
This transformation holds even across non-alphabetical characters:
$ aaaa/aaa
/bin/sh: 1: hgf*dcba: not found
See how the e
got skipped?
So to recap for alphabetical characters the transformation goes as follows:
- reverse the input
- rotate every character in the reversed string by its index in the non-reversed string
Problem: Non-alphabetical characters
Non-alphabetical characters clearly seem to be special cased. Recall:
$ This is some text right here
/bin/sh: 1: frdf/pcabj/jmsg/pwxa/yn/vkiT: not found
$ This is other text
/bin/sh: 1: knth+dprcw+yn+vkiT: not found
Notice that /
is substituted with +
in all cases.
Not what you would expect!
After much experimenting I just had to conclude that the non-alphabetic transformation was random.
So I chose to ignore them!
Solution script
My solution script applies the transformation to alphabetic characters and leaves non-alphabetic ones intact.
symbols = "!\"#$%&'()*+,-./ "
string = "cat /var/quantumLava/flag.txt"
garbled = []
alphabet = "abcdefghijklmnopqrstuvwxyz"
for i, c in enumerate(reversed(string)):
if c in symbols:
garbled.append(c)
continue
assert c.lower() in alphabet
idx = (ord(c.lower()) - ord('a'))
a = alphabet[idx - i % len(alphabet)]
garbled.append(a if c in alphabet else a.upper())
print("".join(garbled))
Then I just went ahead and repeatedly pasted the ouptut of the above script
into the shell prompt of the remote server until I got lucky and I got the
flag: nite{tr7n517t10n_u51ng_t1m3_n0t_c001_00000yx}