Start by connecting to the server, with the password from the previous challenge.

Now we can view the source code of the challenge.

As we can see, logic of the challenge is mostly the same as in the previous one. But in addition, we have more filters to bypass - especially \ character which was used in our previous exploit.

Firstly, I’ve noticed that quite easy way to get to the flag is to use an wildcard. Something like cat fla* will allow us to view the flag, as it’s the only file with such a name. But how to bypass the slash?

After that let’s search how exactly commands are executed with system() command. From man pages, we can see that this command uses sh to execute a command in this particular way execl("/bin/sh", "sh", "-c", command, (char *) 0);

Now we can resaerch information about sh in order to find some help. Another man page gives us something interesting. Command command [-p] [utility [argument ...]] with -p option allows us to search using a default value of PATH. It is guaranteed to find all of the standard utilities.

Keep learning and stay safe! ~ W3ndige