$ cat writeup.md…
$ cat writeup.md…
hackthebox
Task: Escape a restricted bash shell that only allows numbers and special characters (no letters). Solution: Use bash parameter expansion ${var:offset:length} to extract letters from $0 variable and construct commands like 'ls' and 'nl'.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
A "secure sandbox environment" that only allows specific symbols and numbers. The challenge presents a restricted bash shell where only certain characters are permitted.
Allowed characters:
^[0-9${}/?"[:space:]:&>_=()]+$
This means:
$, {, }, /, ?, ", spaces, :, &, >, _, =, (, )The key insight is that bash's parameter expansion ${var:offset:length} allows extracting individual characters from variables without using letters directly.
The $0 variable contained the script path: /home/restricted_user/broken_shell.sh
This gave us access to letters at specific positions:
| Position | Character |
|---|---|
| 1 | h |
| 2 | o |
| 3 | m |
| 4 | e |
| 6 | r |
| 8 | s |
| 9 | t |
| 11 | i |
| 12 | c |
| 15 | d |
| 16 | _ |
| 17 | u |
| 22 | b |
| 25 | k |
| 27 | n |
| 32 | l |
lsConstruct ls using parameter expansion:
${0:32:1}${0:8:1} # l(32) + s(8) = "ls"
Output revealed: this_is_the_flag_gg
nl (number lines)${0:27:1}${0:32:1} ??????????????????? # n(27) + l(32) = "nl" # ??????????????????? = glob pattern matching 19-character filename
Output:
1 'This file contains the flag. The problem is that it is not on the first line so you have to read the whole file to get it :) '
2 '
3 HTB{?y0u?4r3?4?tru3?b45h?3xp3rt}
Other commands that could be constructed from available characters:
${0:8:1}${0:2:1}${0:17:1}${0:6:1}${0:12:1}${0:4:1} (s+o+u+r+c+e)${0:8:1}${0:2:1}${0:6:1}${0:9:1} (s+o+r+t)${0:3:1}${0:2:1}${0:6:1}${0:4:1} (m+o+r+e)...
$ grep --similar