Official Bashic Calculator Discussion

Official discussion thread for Bashic Calculator. Please do not post any spoilers or big hints.

i were able to list the directories and flag ,but could’nt read it .can someone give me a nudge ?

The given source code disclosed all details about the “closed roads to the flag”. There are some open roads. I give the tip to list all open roads, no matter in which direction the road goes.

I tries many hours the open roads without success. Finally I found a solution. Finally it was really easy. If you have the right idea, it is solved quickly.

You have already made a good first step.

1 Like

@xtal Thank you very much for your response . i understand what you are talking .i thought i found an open road just a minute ago .the solution were successful on my local testing environment were no socket connection is involved ,but when it come to the real code or localhost the solution just simply stop working (even tho it output a successful execution) . iam really stuck on it right know

1 Like

Yes! I assume you have the same idea like me. I also run into this problem. I use a service n***, but it does not work on the HTB server. I think this service could be the cause of the error. The IP address changes quite often. Maybe it could help to know more about this service and configuration options.

Long story short, there is another possibility: So simple that I can’t find a good nudge. I’m sure you can rework your local solution with a view change into the simple solution that works on the HTB server.

1 Like

Thank you very much for the response .let me check the posiibilities

I also am stuck on this. Can you give me a hint on how you managed to list directories bc i can’t get anywhere with this.

I know where the flag is but can’t read it. :sob: I checked the directories and it is driving me nuts I can’t get to it. First time with docker.

Many HTB challenges runs in docker containers; standard for HTB challenges like this one.

I thought the same for hours when I was trying this CTF, don’t trust the information you’re given blindly.

1 Like

There are 3 ways to do it with payloads and both require you to know what all you have to work with. Certain characters have been blacklisted but others aren’t, Identify then and learn what they do. Next, you are given how the program works, research and understand how the program works and then try the CTF. Don’t have a linear line of sight and explore all given options

1 Like

I’ve been trying to solve this easy task for the second day… I can’t get out of double brackets to execute the command. It is not possible to create a payload because the necessary characters are deleted. The remaining special characters don’t help. Can anyone recommend a resource on the Internet where I can find out how to get out of double brackets?

There is a clue in this website: Command substitution [Bash Hackers Wiki]

See if you can figure it out :wink:


Thanks. Now I can use the allowed characters to create a payload and view the contents of a file or directory, run any command and see the result.
In the form in which this command is run in the task.
But this only works in my bash terminal. For some reason I don’t see any output in the task container. It’s strange, because I use redirection to STDOUT…

Hehehehe I know what you mean. :heart::heart::heart::heart::heart::heart::heart::smiling_face_with_three_hearts::smiling_face_with_three_hearts::smiling_face_with_three_hearts::smiling_face_with_three_hearts::smiling_face_with_three_hearts::smiling_face_with_three_hearts: Thank you.

1 Like

If you still haven’t gotten the flag then gimme a DM, I’ll help out when I can. I don’t want to say any further because then it’ll be equivalent to me giving the answer.

1 Like

I know the basic bash injections but most of them use the invalid characters. I know some characters are unblocked, but I can’t seem to make anything out of them. Could I have a clue?

Is it possible to get some advice? Initially I had 5 different general methods in mind, after two days I can say that 3 of these seem impossible, one might be possible but would require a lot of work, and the last method works on my local Docker instance but not on remote target. Presumably this last method has been blocked.

OK I solved it after many hours. Still wonder if my other ideas could work. PM if you want to discuss.