ByteBanditsCTF 2019 WriteUp

Michael Ikua
2 min readApr 13, 2019


After connecting, the commands are somehow always converted to uppercase and don’t work.

After googling I found this syntax that converts words to lowercase on the command line.

${command,,} - the , denotes lowercase

So I created a variable with a command to invoke /bin/bash and it worked.

The flag was in the jail folder as well as the syntax of the jail shell that was converting all commands to uppercase.

Online Previewer 1

The page is a site where you can preview other websites by providing a url.

Previewing :

This must be a ssrf challenge. When I checked the page’s source there’s a hint on the secret service running mentioned in the description.

So the goal is to access the Using the url as is didn’t work.

I found a payload on the PayloadAllTheThings repo that worked and used this:

Using other domain names that resolved to localhost would have also worked such as this from


Twitter: ikuamike

Github: ikuamike