Figure 1: The challenge description

The challenge starts with a SSH connection to a remote server through port 51999. The syntax to do this on Kali Virtual Machine is:

ssh -p <port number> <username>@<website URL>
Figure 2: Remote log in with SSH.
Figure 3: Inspection of file type.

In the home directory, there is a bash shell script called ‘useless.’ The challenge description hints that this script should be inspected prior to running, running before looking the script leads to the message: “Read the code first”

The script’s first line indicates that the program requires 3 input arguments from the user, it then directs the inputs into a series of elif statements for carrying out either addition, multiplication, substitution and division.

Figure 4: The bash script.

The code here suggests that the flag is not going to be revealed by running this script and trying to break it using user inputs it was not designed for. The first argument has to be either the options of add, sum, sub, div or mul and the next 2 inputs must be numerical. If anything less than 3 input is given, the message to read the code appears. If the 3 inputs do not satisfy requirements e.g. an integer instead of add, sum, sub, div or mul for $1 argument, or strings instead of 2 numbers for $2 and $3 argument, the script will simply display “Read the manual.”

Hence the next step is to read the manual.

Figure 5: Manual page for the shell script.

The manual then reveals the flag as picoCTF{us3l3ss_ch4ll3ng3_3xpl0it3d_1155}.

You Might Also Like

Leave a Reply