The challenge brief tells us that we have a severely broken Linux install with only a few commands available. We're told nothing about where the flag is, in fact nothing about the environment at all. Connecting to the provided IP and port, we see the string SSH-2.0-dropbear_2020.81 - this must be a an SSH server. We use the provided username and password, and we're in.
They weren't lying, huh. We don't even have tab suggestions. However, after a quick internet search for ways to view the directory listing without ls, we find we can use echo * as an ls substitute. Running that, we see a singular file in the directory called flag.txt. It looks like we'll have to print the contents of this, but without any obvious tools.
But what tools do we have? Recall that Linux knows where everything is from the PATH variable - and it looks like we can print that one out.
Well, calendar isn't helpful. It looks like some of these commands have also been repurposed into displaying a simple forbidden message, and we can't use those (cat, grep, head, less, more, tail, vi, vim). Interestingly enough, we do have sha256sum. Let's run that on the flag:
But brute-forcing that would be a massive pain, and not the right solution to the challenge. If only the flag was shorter, then we could crack the hashes more easily?
Split takes a file and writes multiple out files of the format x**, creating a new file whenever the previous one has reached the number of bytes you tell it. If we run split rather aggressively, by splitting every 3 bytes, we should end up with some hashes that are trivially reversible online.