Tags: escapeshellcmd restricted-bash wannabe-shell shell
Rating: 5.0
We are presented with web page tool that takes as input a file name on the server and, using the sha256sum utility on the command line, outputs the hash of that file.
![](https://i.imgur.com/xRsCete.png)
We are invited to try the `/etc/hosts` file, I then try `/etc/passwd` and other common files and the tool dutifully spits out their hash. I try `/flag.txt` and `/root/flag.txt` but it is `flag.txt` that reveals the file is in our current directory.
Playing with some different inputs it became clear that some special characters were allowed
![](https://i.imgur.com/DF7Auv3.png)
but most were not.
![](https://i.imgur.com/q9isd6F.png)
I did actually write a quick script to find the full list of available characters which might have been a little overkill but it did reveal that `!"#$%&', "'", '()*+-;<=>@\^_{|}` were all restricted and only `,./:?[]~ \t\n\r` were allowed outside of `A-z0-9`,
The new line character immediately looked promising, and indeed submitting `flag.txt\ncat flag.txt` gets us the flag.