The challenge

Upon SSHing into the box, we are told that the flag is located at /home/level1/flag.txt

Challenge bash code:

while :
do
        echo "Your input:"
        read input
        output=`$input`
done 

Inference and experimenation

The script is reading an input, executes it and then stores it in the output variable without ever displaying the output to the console.

I tried a dummy command to see if I could see its stderr since command substitution (backticks) only capture the stdout.

echo hi 1>&2

Unfortunately that did not work, we did not have the “hi” blurted out in the stderr. So, I resorted to another route.

Solution

Remember how, if we ever tweak our bashrc file, we need to source it to bring it to effect? Well, we can also, source the flag.txt file and the script should error out with the contents of the file.

source flag.txt
flag.txt: line 1: FLAG-U96l4k6m72a051GgE5EN0rA85499172K: command not found

There we have our flag.