polygl0ts
EPFL's CTF team
Problem:
Can you escape from jail?
When opening the challenge, we can see a shell with what looks like a Git diff file shown in the vim editor. The diff shows that the config has been modified to disable the :, Q and g keys. I wasn’t sure about usage of Q and g, but : is the way to start all kinds of commands in vim.
Since I am not a vim power-user, I did a lot of googling to find ways to go around those limitations. From the hint, and the common joke that people always have a hard time quitting vim, I started by looking for ways to exit the editor without :wq. I quickly found shift+ZZ, but this only resulted in a “Connection closed” message:
So it seems that quitting isn’t what we’re supposed to do. How about executing arbitrary shell commands? I knew that :!some_command would execute some_command in the shell. But we don’t have direct access to command mode (because : is disabled).
In the vim manual, I looked for other ways to reach command mode, but had no luck:
It didn’t seem to be possible to reach command mode in a way that wasn’t disabled. That’s when I thought:
Ha, since we can move around and write in this document, would there be a way to execute a command written under the cursor?
So I searched for this and found this StackOverflow question which taught me that we can open the man page for the word under the cursor with shift+K:
Before even going further, I tried again the ! binding in this new man view. To my surprise, it worked! Since we had a way to execute shell commands, it was easy to locate the flag by looking around the filesystem with ls, and printing it wit cat.
We got the flag!
TWCTF{the_man_with_the_vim}