Hello and welcome to another writeup, this time for CSAW'24 CTF. I participated in this CTF with my team Beasthood. I contributed to this CTF by completing the Pwn Challenge “Diving Into Null”. This was a fun challenge and I learned the immense possibilities of echo command in Linux. So, without further ado let’s jump in!

I connected to the challenge’s machine with netcat. The most peculiar thing is that I couldn’t run any basic commands.

┌──(kali㉿kali)-[~]
└─$ nc null.ctf.csaw.io ****
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
groot@diving-into-null-6859fcf8d4-gl2bw:/$ ls
ls
bash: ls: command not found
groot@diving-into-null-6859fcf8d4-gl2bw:/$ nano
nano
bash: nano: command not found
groot@diving-into-null-6859fcf8d4-gl2bw:/$ vim
vim
bash: vim: command not found
groot@diving-into-null-6859fcf8d4-gl2bw:/$

The only two commands that seemed to work were cd and echo.

groot@diving-into-null-6859fcf8d4-gl2bw:/$ cd #
cd #
groot@diving-into-null-6859fcf8d4-gl2bw:~$ echo hello
echo hello
hello
groot@diving-into-null-6859fcf8d4-gl2bw:~$

I tried to look for ls or cat commands in the /usr/bin but it seems useless as the challenge info on CSAW’s website says "Oops, I rm -rf 'ed my binaries". This might mean that no command will work on this machine except cd and echo. Great, so now I have to find the flag with just echo. After some digging I realised that I can use echo as ls command by using echo *.

groot@diving-into-null-6859fcf8d4-gl2bw:/$ echo *
echo *
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
groot@diving-into-null-6859fcf8d4-gl2bw:/$

How to Use Echo

Great! I am guessing the flag must be in the user’s home directory so let’s get in there with cd.

groot@diving-into-null-6859fcf8d4-gl2bw:/$ cd home
cd home
groot@diving-into-null-6859fcf8d4-gl2bw:/home$ echo *
echo *
bin groot
groot@diving-into-null-6859fcf8d4-gl2bw:/home$ cd groot
cd groot
groot@diving-into-null-6859fcf8d4-gl2bw:~$

I tried echo * again but this directory seems empty. However, there might be hidden files and/or folders in here. As a hunch, I tried echo .* and Et Voila!

groot@diving-into-null-6859fcf8d4-gl2bw:~$ echo *
echo *
*
groot@diving-into-null-6859fcf8d4-gl2bw:~$ echo .*
echo .*
.bash_history .bashrc .flag .profile
groot@diving-into-null-6859fcf8d4-gl2bw:~$

Now, I have to figure out how to read this file. As cat doesn’t work I have to use echo again. Some more digging and I found a wonderful Stackoverflow thread which lists various ways to read a file’s contents with echo.

How to use echo command and print out content of a text file?

Some users list the command echo $(cat file.txt) but this will obviously not work in my case. The other command I tried was echo $(< .flag) and it works!

groot@diving-into-null-6859fcf8d4-gl2bw:~$ echo $(<.flag)
echo $(<.flag)
||||||||||||||||||||||||||||||||||||||||||||||||||||| ||| csawctf{********_***_****_*****_****_*******} ||| |||||||||||||||||||||||||||||||||||||||||||||||||||||
groot@diving-into-null-6859fcf8d4-gl2bw:~$

Why did this command work? Well, echo reads inputs from stdin and then prints it on stdout. When we use something like echo hello, hello is the content we give to echo with stdin which it then prints. In the above command, I am giving the contents of the file .flag as stdin (the < operator) hence, echo prints out the contents on the terminal.

This was a pretty easy but fun challenge and I still wasted 30 minutes but I learned a lot. Thanks so much for reading and I will see you next time!