Pwnable.kr - cmd1

March 10, 2018

Welcome to the next challenge called cmd1 from pwnable.kr.

Mommy! what is PATH environment in Linux?

Solution

Firstly, as usual, we’re going to log into the provided ssh server.

main:~ > ssh [email protected] -p2222
[email protected] password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : [email protected]
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Sat Mar 10 07:15:51 2018 from 87.180.119.209
[email protected]:~$ ls -la
total 40
drwxr-x---  5 root cmd1     4096 Oct 23  2016 .
drwxr-xr-x 87 root root     4096 Dec 27 23:17 ..
d---------  2 root root     4096 Jul 12  2015 .bash_history
-r-xr-sr-x  1 root cmd1_pwn 8513 Jul 14  2015 cmd1
-rw-r--r--  1 root root      319 Jul 14  2015 cmd1.c
-r--r-----  1 root cmd1_pwn   48 Jul 14  2015 flag
dr-xr-xr-x  2 root root     4096 Jul 21  2015 .irssi
drwxr-xr-x  2 root root     4096 Oct 23  2016 .pwntools-cache

Now we’re ready to view the source code of the provided challenge files.

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "flag")!=0;
	r += strstr(cmd, "sh")!=0;
	r += strstr(cmd, "tmp")!=0;
	return r;
}
int main(int argc, char* argv[], char** envp){
	putenv("PATH=/fuckyouverymuch");
	if(filter(argv[1])) return 0;
	system( argv[1] );
	return 0;
}

First thing that is ready to exploit is that if we provide correct argument, program will put it to the system() function that will run the code. But the first obstacle is that the input is being filtered through the filter() function that will stop execution if the passed argument contains words like flag, sh or tmp.

So we need to enter something along the lines of cat flag, but that of course will not execute. But finding that running only cat program fails, made me think more about the putenv() function.

[email protected]:~$ ./cmd1 "cat fla"
sh: 1: cat: not found

If we view the PATH environment variables, we can see that the list contains all directories where the binaries are located.

[email protected]:~$ env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

So the program overwriting this, will force us to enter the whole path of cat binary.

[email protected]:~$ ./cmd1 "/bin/cat fla"
/bin/cat: fla: No such file or directory

One thing solved. Now we have to somehow obfuscate the flag word in a way that filter will not catch.

[email protected]:~$ ./cmd1 "/bin/cat 'f'lag"
mommy now I get what PATH environment is for :)

Luckily, this simple quotation trick makes this challenge marked as solved.

Contact

If you have any suggestions regarding this post or just want to chat together check out these ways to reach out to me.