CTF-Writeups

Lottery

Overview

lottery.sh uses let "g = 0x$guess" with a regex that only checks the prefix is hex. That means we can inject extra arithmetic expressions. Bash also exposes its command hash table via the BASH_CMDS associative array. If we poison the hash for md5sum, bash will try to execute that bogus path and won’t fall back to PATH, so the pipeline produces no output and the ticket becomes 0.

Key Bug

• Input is only prefix-validated (^[0-9a-fA-F]+), so guess can contain additional arithmetic.
• BASH_CMDS[cmd]=... lets us override the hashed path for cmd.
• If md5sum fails to exec, ticket is empty and let "t = 0x$ticket" yields t=0.

Exploit

Send a guess that:

• sets g to 0, and
• poisons the md5sum hash entry.

Payload:

0,BASH_CMDS[md5sum]=0

This makes md5sum execute path 0 (which fails), so the ticket is empty and t=0. Since g=0, the comparison succeeds and the flag is printed.

Solve Steps

1. Connect and solve the PoW prompt.
2. Send the payload above as the guess.
3. Read the flag.

Example:

nc 35.245.30.212 5000
# solve PoW ...
# then send:
0,BASH_CMDS[md5sum]=0

Flag

uoftctf{you_won_the_LETtery_(hahahaha_get_it???)}