The challenge

Logging into the box we are told that the flag is located at /home/level2/flag.txt

Challenge bash code

function check_space {
        if [[ $1 == *[bdks';''&'' ']* ]]
        then 
         return 0
        fi

        return 1
}

while :
do
        echo "Your input:"
        read input
        if check_space "$input" 
        then
         echo -e '\033[0;31mRestricted characters has been used\033[0m'
        else
         output="echo Your command is: $input"
         eval $output
        fi
done 

Inference

This time, the check_space function returns a 1 if there are any characters in the input string among b,d,k,s, a semicolon, an ampersand and a whitespace. If the function does return 1, we get a “restricted characters” message and no further processing happens.

However, if our input passes the check, the program echoes "Your command is: $input". We can use a simple command like cat flag.txt in backticks (command substitution) to execute it in the eval statement. However, whitespaces are not allowed. To bypass this, we can use a tab in place of the whitespace.

Solution

We give the script the following input:

`cat	flag.txt`

Which gets evaluated and prints the flag.

Your command is: FLAG-a78i8TFD60z3825292rJ9JK12gIyVI5P