We get the credentials to SSH into a server, where we are given a restricted shell. If we try to run ls, we will see several files in the current directory – notably, there’s a blank line and something seems to be missing. One reasonable assumption is that this is where the flag.txt file would be, and that the shell censors all lines containing flag before returning the result.

Further, if we try to run any command that includes the string flag, the shell returns a bunch of random characters. Therefore, we can’t run cat flag.txt (since the command won’t even get executed). The shell also doesn’t support any sort of redirection or pipes.
To get around the restrictions on permitted commands, we can run /bin/bash and launch a “real” shell. This is, however, not enough: if we try to run cat flag.txt, we won’t get any output, since the data still goes through the original restricted environment.
The restricted shell, however, doesn’t filter the data printed to stderr. We can therefore run bash and redirect stdout to stderr to bypass the censoring. Note that we need to run that from a “real” shell and not the restricted environment, since the restricted shell doesn’t support redirection:
/bin/bash
/bin/bash 1>&2
cat flag.txt
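To show why this works and how the wrapper should have been written, here is an added example (not from the original writeup or the challenge itself) that mimics only the output censoring: a weak wrapper that filters stdout alone, next to a fixed one that merges stderr into the filter. The sandbox directory, file names and flag contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: toy "censoring" shell wrapper, weak and fixed forms.
# Constructed sandbox: a flag.txt and one harmless file.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'CTF{constructed_demo_flag}\n' > "$demo_dir/flag.txt"
printf 'hello\n' > "$demo_dir/notes.txt"

# Blank out every output line containing "flag" (sed always exits 0,
# so the wrappers stay usable under set -e).
censor() {
    sed -e '/flag/s/.*//'
}

# Weak wrapper: only stdout passes through the censor, stderr is
# forwarded untouched, so "cmd 1>&2" walks straight past the filter.
censor_stdout_only() {
    ( cd "$demo_dir" && sh -c "$1" ) | censor
}

# Fixed wrapper: merge stderr into stdout before the censor sees it.
censor_both() {
    ( cd "$demo_dir" && sh -c "$1" ) 2>&1 | censor
}

# What the escaped shell in the writeup does: send stdout to stderr.
leak_cmd='cat flag.txt 1>&2'

# Stand-alone demo: the first call leaks the flag on stderr, the
# second prints only a blank line.
if [ "${0##*/}" = "censor_demo.sh" ]; then
    censor_stdout_only "$leak_cmd"
    censor_both "$leak_cmd"
fi
```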