ByteBanditsCTF 2019 WriteUp

CTF page:

Team: NoPwnNoGain


After connecting, the commands are somehow always converted to uppercase and don’t work.

After googling I found this syntax that converts words to lowercase on the command line.

${command,,} - the , denotes lowercase

So I created a variable with a command to invoke /bin/bash and it worked.

The flag was in the jail folder as well as the syntax of the jail shell that was converting all commands to uppercase.

Online Previewer 1

The page is a site where you can preview other websites by providing a url.

Previewing :

This must be a ssrf challenge. When I checked the page’s source there’s a hint on the secret service running mentioned in the description.

So the goal is to access the Using the url as is didn’t work.

I found a payload on the PayloadAllTheThings repo that worked and used this:

Using other domain names that resolved to localhost would have also worked such as this from


Twitter: ikuamike

Github: ikuamike



CyberSecurity | CTFs |

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store