15 - cmd2
The Challenge
Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)
The Solution
Another blacklisting challenge, this time on steroids. The greatest hurdle is the prohibition on using forward slash.
Solution #1 - Octal Encoding
dash
supports octal encoding [not hex]. It's important to surround the argument with single quotes soprintf
won't execute before being passed as an argument.
Solution #2 - Builtin Secrets
Bash has a builtin named command
. It can be used with the flag -p
to revert to the default function lookup.
Solution #3 - ${PWD}
If you navigate to the root directory $PWD will equal to, well, forward slash.
Last updated