NYP Infosec December CTF 2024 writeup!

Published at
12/30/2024
Categories
cybersecurity
linux
docker
bash
Author
cyberfate

Background

I recently created a Capture The Flag (CTF) challenge that was later used in NYP Infosec December CTF 2024.

The inspiration for creating this challenge came primarily from another CTF challenge in PicoCTF 2024, titled 'SansAlpha'. The main idea behind the CTF is for participants to figure out how to execute commands without using alphabetic characters. There are several ways to solve it, but it takes some experience and creativity to do so. I will go through the thought process in detail so that it is easy to follow even for beginners.

The CTF Challenge: Wild

Creator - Edwin Oh
Category - Misc
Difficulty - Medium

Description:
Christmas is back, but something's amiss — Santa Claus has gone missing! Can you track down Santa, uncover the hidden secrets, and save Christmas in time?

At first glance, we can see we are given access to an SSH connection.

ssh [email protected] -p 8010 
password: xmas

We can confirm that normal Linux commands have been disabled, at least when they are typed using letters ("alphabets"). After researching online, we know that there are special characters, such as wildcards and other symbols, that we can possibly use to mimic commands.

# Basic Linux knowledge you need to know here
/            # Forward slash separates directories in the Linux file system
?            # Acts as a wildcard for exactly one character; example: ???? represents 4 characters
/home/user/  # Standard home directory of a user in a Linux environment

From the image, you can see that I am trying to enumerate what is inside the user's directory. The result is the path to the flag. After finding out the location of the flag, we need to find a way to retrieve the flag. The first thing that should come to mind is finding an executable to do so.

# Most executables are stored in this directory:
/bin #bin short for binary

After enumerating the /bin directory, I found this executable /bin/base64. If you don't know what base64 is, it is a way to encode strings. I am now going to try and encode the flag using base64 and decode it later.

The first thing I tried was using wildcards to mimic the path /bin/base64 with /???/??????, but the pattern also matched other binaries whose directory and file names have the same number of characters. To get what we want, which is /bin/base64, we need to filter.

  1. To filter out base32, we can simply put 64 at the end of the pattern: /???/?????? becomes /???/????64.
  2. Now it is getting mixed up between /bin/base64 and /bin/x86_64, as you can see from this message: /bin/base64: extra operand ‘/bin/x86_64’
  3. We can filter out the underscore by using the exclamation mark inside a glob bracket expression:
     > [!] matches any single character that is not .
     > [!_] matches any single character that is not underscore.
     This way we can filter out the path /bin/x86_64.

The final output shows an encoded string. All that is left to do is to decode the encoded string. You can do it in the terminal or by using a decoder. Finally, you retrieve the flag!
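
The narrowing steps above, reproduced as an added example that is not part of the original writeup: it creates a throwaway directory of empty files and shows what each pattern expands to. The final pattern ???[!_]64 is reconstructed from step 3, and every file name other than base32, base64 and x86_64 is an assumed decoy.

```shell
#!/bin/sh
# Added example: glob narrowing in a sandbox of empty files. Nothing is executed.
LC_ALL=C; export LC_ALL            # fixed sort order for glob results
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# Constructed file names: base32, base64 and x86_64 come from the writeup,
# the rest are assumed decoys of various lengths.
mkdir "$SANDBOX/bin" "$SANDBOX/etc"
for name in base32 base64 x86_64 whoami mkfifo cat ls; do
    : > "$SANDBOX/bin/$name"
done
: > "$SANDBOX/etc/passwd"

# expand PATTERN: what the shell substitutes for the glob, relative to the
# sandbox root (so /bin/base64 shows up as bin/base64).
expand() {
    ( cd "$SANDBOX" && set -- $1 && echo "$*" )
}

# count PATTERN: how many paths the glob expands to (0 if nothing matches,
# in which case the shell would leave the pattern as a literal string).
count() {
    ( cd "$SANDBOX" && set -- $1 && [ -e "$1" ] && echo "$#" || echo 0 )
}

# In command position the first match is run and every further match is
# passed to it as an argument, so a usable pattern must expand to one path.
for pattern in '???/??????' '???/????64' '???/???[!_]64'; do
    printf '%-14s %s match(es): %s\n' \
        "$pattern" "$(count "$pattern")" "$(expand "$pattern")"
done
```

Only the last pattern expands to a single path, which is the condition for the glob to stand in for the command name.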

The Author's Perspective

To differentiate this CTF challenge from PicoCTF's "SansAlpha", I blocked certain solutions, such as mimicking commands like cat and ls, to increase the difficulty level.

This challenge was created using a Docker environment, with a restricted shell layered on top, along with some additional configurations.

I have also developed another CTF challenge that builds on this one and plan to feature it in the next CTF event. Stay tuned for my next blog post. Thank you for reading—I truly appreciate your time and interest. I hope you enjoyed this post!
