Utterly Broken Shell

Technical Walkthrough

Writeup

Challenge

• Name: Utterly-Broken-Shell
• Category: Misc
• Difficulty: Medium
• Mode: remote

Summary

The challenge is a sequel to Broken Shell with a much tighter regex. Digits, slashes, and letters are blocked, so the old $0 substring bypass no longer works directly. The service still passes accepted input to Bash eval, and underscore-only variables remain usable. The solve creates forbidden characters indirectly, recovers $0, assembles /bin/sh from characters in the wrapper path, and then uses the spawned unfiltered shell to read the flag.

Artifact Inventory

• Remote-only challenge: <TARGET>:30368.
• analysis/remote/initial-probe.txt: captured banner, prompt, reduced regex, and basic allowed/disallowed behavior.
• analysis/remote/special-parameter-probe.txt: validated $_ and arithmetic expansion behavior.
• analysis/remote/underscore-variable-indirect-probe.txt: validated underscore-only variables, arithmetic-generated 0, indirect expansion to $0, and wrapper-path substring extraction.
• analysis/remote/solve-transcript-redacted.txt: redacted solve transcript.
• solve/solve.py: reproducible solver.

Analysis

The banner reports the allowed character regex:

^[${}![:space:]:_=()]+$

That blocks the old Broken Shell payload because literal digits and slashes are no longer allowed. Harmless probes confirmed the backend still reaches Bash eval in /home/restricted_user/broken_shell.sh and that $_ expands to echo at evaluation time. This gives a small string source but not enough on its own.

The decisive primitive is that underscore-only variable names are valid Bash variables and pass the regex. The command __=$(()) stores the arithmetic expansion 0 without typing a literal digit. Then ___=${!__} performs indirect expansion through variable name 0, recovering $0, which is the wrapper path:

/home/restricted_user/broken_shell.sh

From that path, every character needed for /bin/sh is available. The solver uses a work variable and one-character shifts:

____=${___}
____=${____:!_}
...
_____=${_____}${____::!_}

Here !_ evaluates to arithmetic 1, so each shift removes one character and ${____::!_} extracts one character. Repeating this builds /bin/sh in _____. Executing ${_____} starts a child shell outside the wrapper's regex loop.

Solve

Run:

cd <local workspace>
python3 solve/solve.py

The script:

1. Connects to the remote service.
2. Stores 0 in an underscore-only variable using $(()).
3. Uses ${!__} to recover $0.
4. Calculates wrapper-path character offsets for /bin/sh.
5. Sends allowed-character payloads to assemble /bin/sh.
6. Executes the assembled shell and reads the flag.
7. Stores the raw candidate in loot/flag-candidate.txt and a redacted transcript in analysis/remote/solve-transcript-redacted.txt.

The harness captured the final flag into loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Blocking obvious shell metacharacters is not enough when eval remains and variable assignment/parameter expansion survive.
• Special parameter indirection can recreate forbidden digits and recover $0 without typing them.
• Use normal variables, not $_, as persistent build buffers; $_ is overwritten by wrapper/prompt commands.
• Keep remote transcripts redacted and raw flags under loot/ only.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Utterly-Broken-Shell
• Category: Misc
• Difficulty: Medium
• Mode: remote
• Remote instance: <TARGET>:30368
• Start time: 2026-06-09T14:29:03Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service: <TARGET>:30368.
• New banner exposes the reduced allowlist: ^[${}![:space:]:_=()]+$.
• The backend still evaluates accepted input through /home/restricted_user/broken_shell.sh; invalid syntax/errors disclose eval at line 41.
• The previous Broken Shell payload ${0:35:2} is blocked because digits are no longer allowed.
• $_ at eval time expands to echo, which allows generated echo output and simple substring leaks, but $_ is not stable enough to use as a persistent build buffer.
• Normal underscore-only variable names such as __, ___, ____, and _____ are allowed and persist across prompt turns.
• __=$(()) creates the forbidden digit 0 without typing a digit.
• ___=${!__} indirectly expands variable 0, recovering $0 as /home/restricted_user/broken_shell.sh.
• The solver builds /bin/sh by copying $0, shifting a work variable one byte at a time with ${var:!_}, and appending ${var::!_} into an accumulator.
• Executing the assembled /bin/sh opens an unfiltered child shell, allowing normal commands to read the flag.
• Reproducible solver: solve/solve.py.
• Raw flag captured by the harness and stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Misc
• Challenge: Utterly-Broken-Shell
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Remote prompt exposes a reduced Bash regex allowlist with only $, braces, !, whitespace, :, _, =, and parentheses.
2. Backend still evaluates accepted input through Bash eval.
3. Old $0 substring trick is blocked because literal digits are disallowed.
4. Use a normal underscore-only variable to store arithmetic expansion 0 without typing digits.
5. Use indirect expansion through that variable to recover $0.
6. Use one-character substring shifts from the wrapper path to assemble /bin/sh in another underscore-only variable.
7. Execute the assembled shell and read the flag from the unfiltered child shell.

Reusable Lessons

• If eval remains, a reduced allowlist must also remove variable assignment, indirect expansion, arithmetic expansion, and substring expansion or the shell can still synthesize forbidden characters.
• $_ is useful as a transient source string but should not be trusted as persistent state in wrapper-loop challenges.
• Underscore-only variables can act as persistent registers when alphabetic variable names are blocked.

Dead Ends

• Old Broken Shell ${0:35:2} route: blocked by the new regex because digits are disallowed.
• Direct slash/path/glob/cp/redirection methods from the previous challenge: blocked by the new regex.

Tool Quirks

• The harness local-memory-record command only accepts files inside the active workspace, so a sanitized <secret redacted>md was created from prior local memory and recorded as advisory context.
• The first solver parser failed on a too-strict wrapper-path regex; the live output was clear and the parser was patched before exploitation completed.

Evidence Paths

• analysis/remote/initial-probe.txt
• analysis/remote/special-parameter-probe.txt
• analysis/remote/underscore-variable-indirect-probe.txt
• analysis/evaluator-20260609T143915854365Z-09c67e15.md
• analysis/remote/solve-transcript-redacted.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Misc
• Challenge: Utterly-Broken-Shell
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Remote prompt exposes a reduced Bash regex allowlist with only $, braces, !, whitespace, :, _, =, and parentheses.
2. Backend still evaluates accepted input through Bash eval.
3. Old $0 substring trick is blocked because literal digits are disallowed.
4. Use a normal underscore-only variable to store arithmetic expansion 0 without typing digits.
5. Use indirect expansion through that variable to recover $0.
6. Use one-character substring shifts from the wrapper path to assemble /bin/sh in another underscore-only variable.
7. Execute the assembled shell and read the flag from the unfiltered child shell.

Reusable Lessons

• If eval remains, a reduced allowlist must also remove variable assignment, indirect expansion, arithmetic expansion, and substring expansion or the shell can still synthesize forbidden characters.
• $_ is useful as a transient source string but should not be trusted as persistent state in wrapper-loop challenges.
• Underscore-only variables can act as persistent registers when alphabetic variable names are blocked.

Dead Ends

• Old Broken Shell ${0:35:2} route: blocked by the new regex because digits are disallowed.
• Direct slash/path/glob/cp/redirection methods from the previous challenge: blocked by the new regex.

Tool Quirks

• The harness local-memory-record command only accepts files inside the active workspace, so a sanitized <secret redacted>md was created from prior local memory and recorded as advisory context.
• The first solver parser failed on a too-strict wrapper-path regex; the live output was clear and the parser was patched before exploitation completed.

Evidence Paths

• analysis/remote/initial-probe.txt
• analysis/remote/special-parameter-probe.txt
• analysis/remote/underscore-variable-indirect-probe.txt
• analysis/evaluator-20260609T143915854365Z-09c67e15.md
• analysis/remote/solve-transcript-redacted.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Utterly-Broken-Shell
• Category: Misc
• Difficulty: Medium
• Mode: remote
• Remote instance: <TARGET>:30368
• Start time: 2026-06-09T14:29:03Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service: <TARGET>:30368.
• New banner exposes the reduced allowlist: ^[${}![:space:]:_=()]+$.
• The backend still evaluates accepted input through /home/restricted_user/broken_shell.sh; invalid syntax/errors disclose eval at line 41.
• The previous Broken Shell payload ${0:35:2} is blocked because digits are no longer allowed.
• $_ at eval time expands to echo, which allows generated echo output and simple substring leaks, but $_ is not stable enough to use as a persistent build buffer.
• Normal underscore-only variable names such as __, ___, ____, and _____ are allowed and persist across prompt turns.
• __=$(()) creates the forbidden digit 0 without typing a digit.
• ___=${!__} indirectly expands variable 0, recovering $0 as /home/restricted_user/broken_shell.sh.
• The solver builds /bin/sh by copying $0, shifting a work variable one byte at a time with ${var:!_}, and appending ${var::!_} into an accumulator.
• Executing the assembled /bin/sh opens an unfiltered child shell, allowing normal commands to read the flag.
• Reproducible solver: solve/solve.py.
• Raw flag captured by the harness and stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.