Node Write-Up by netsecbrad @FellSEC

Thanks guys!
Hope you enjoy

I would find it more valuable if you actually explained ‘why’ the wild cards work.

At first sight this may all look meaningful to just try wild cards, and it is. But blindly trying to find sanitization vulnerabilities is like lottery: in reality there’s literally millions of possible combinations and here you’re just saying “this is the winning number”.
On this box you have the somewhat rare opportunity to access the code that holds the black-listings, and so you have the opportunity to teach people to rely on skill, in stead of relying on trial and error or walkthroughs.

If you look at the backup binary, you see the literal string “/root” is blacklisted, along with a bunch of other characters, which would normally prevent you from downloading the root directory.
However ‘*’ ain’t one of them, so by typing “/rt/rt.txt”: you’re not using any of the blacklisted characters or strings. The binary will therefore pass this input on to the zip command, the os in turn will expand the wild cards and zip the root directory for you.

If you inspect the binary closely, you also see this then leaves you with 4 other remaining possible paths to root the box:

  • using the fact that ‘/’ is automatically added when you are already in the root directory
  • buffer overflow
  • exploiting the zip command, used inside the binary
  • and command injections

Except buffer overflow, these three remaining paths are a direct consequences of the bad sanitization vulnerability you point out.
This box alone offers in total at least 4 known flavors of poor black-listing solutions, some flavors offer a few dozen of individual solutions, so imagine how much combinations are actually out there in the wild.
People won’t stand a chance finding most of them, if all you teach them is to rely on “here’s the magic number”-solutions.

If anyone would be looking for some more detailed background information:

Wow thank you so much!
I must admit that the quality of this Write-Up is subpar , would you mind me linking your solution within the write-up? As well as some supporting details from your comment?

Sounds great man!