Welcome to the next challenge called cmd1 from pwnable.kr.
Firstly, as usual, we’re going to log into the provided ssh server.
Now we’re ready to view the source code of the provided challenge files.
The first thing ready to exploit is that if we provide a correct argument, the program passes it to the system() function, which runs it as a shell command. The first obstacle is that the input is filtered through the filter() function, which stops execution if the passed argument contains words such as flag, sh or tmp.
So we need to enter something along the lines of cat flag, but that of course will not execute. But finding that running only the cat program fails made me think more about the putenv() function.
If we view the PATH environment variable, we can see that it lists all directories where binaries are located.
Because the program overwrites this variable, we are forced to enter the whole path of the cat binary.
One thing solved. Now we have to somehow obfuscate the word flag in a way the filter will not catch.
Luckily, this simple quotation trick makes this challenge marked as solved.
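The root cause here is that filter() inspects the raw bytes of the argument while system() hands those bytes to a shell that applies its own quoting rules, so the two never agree on what the "words" are. As an added example (not the challenge's code and not part of the original post), the snippet below mirrors the described substring denylist and then shows the shape of a hardened replacement for system(cmd): split with shell quoting rules first, resolve the command against a fixed allowlist instead of PATH, check the unquoted tokens, and execute with no shell in between. The ALLOWLIST paths and all function names are assumptions made for this illustration.

```python
import shlex
import subprocess
from typing import List

# Substrings the challenge's filter() rejects, as described in the write-up.
DENYLIST = ("flag", "sh", "tmp")

# Constructed allowlist: command name -> absolute path. Because the program
# overwrites PATH, lookups by bare name fail; an explicit map avoids PATH entirely.
ALLOWLIST = {
    "cat": "/bin/cat",
    "ls": "/bin/ls",
}


def denylist_filter(cmd: str) -> bool:
    """Mirror of the substring check: True if cmd is rejected.

    It looks at the raw string the user typed, not at the words the shell
    would actually execute, which is why a denylist alone is unreliable.
    """
    return any(bad in cmd for bad in DENYLIST)


def build_safe_argv(cmd: str) -> List[str]:
    """Hardened alternative to system(cmd).

    1. Split with shell quoting rules, so quotes are consumed here and every
       later check sees the same words the shell would have seen.
    2. Resolve the command against a fixed allowlist instead of PATH.
    3. Re-apply the substring policy to the unquoted tokens.
    4. Return an argv suitable for execv-style execution with no shell.
    """
    tokens = shlex.split(cmd)
    if not tokens:
        raise ValueError("empty command")
    prog = tokens[0]
    # Only bare allowlisted names are accepted; absolute paths are refused.
    if prog not in ALLOWLIST:
        raise PermissionError(f"command not allowed: {prog!r}")
    for tok in tokens:
        if denylist_filter(tok):
            raise PermissionError(f"argument rejected: {tok!r}")
    return [ALLOWLIST[prog], *tokens[1:]]


def run_safe(cmd: str) -> subprocess.CompletedProcess:
    """Execute an allowlisted command directly, never through a shell."""
    argv = build_safe_argv(cmd)
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs showing which ones the hardened path accepts.
    for attempt in ("ls -l /", "cat flag", "/bin/cat README", '"ls" -l', ""):
        try:
            print(f"{attempt!r} -> {build_safe_argv(attempt)}")
        except (ValueError, PermissionError) as err:
            print(f"{attempt!r} -> rejected: {err}")
```

The important design choice is ordering: the policy check runs on the tokens that will actually be executed, after quote processing, and the command is then launched with an explicit argv. With no shell re-parsing the string, quoting tricks have nothing left to confuse, and the allowlist removes the dependency on whatever PATH happens to be.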
If you have any suggestions regarding this post or just want to chat together check out these ways to reach out to me.