
OK, I am not going to spend much time on the reversing part in this post; the focus is on the solution.

We again have a very simple directory, from which we copy the binary cmd2 to our local computer:

cmd2@pwnable:~$ ls -ls
total 20
12 -r-xr-sr-x 1 root cmd2_pwn 8794 Dec 21  2015 cmd2
 4 -rw-r--r-- 1 root root      586 Dec 21  2015 cmd2.c
 4 -r--r----- 1 root cmd2_pwn   30 Jul 14  2015 flag

While reversing it we noticed two new things:

  1. It removes all environment variables (function delete_env).
  2. It has extra blacklisted words.

The blacklisted words are:

This made our life a bit harder, as now we could not use anything that lives in a /bin folder, so we had to find out which builtin commands were available. There aren't that many. The first mistake I made was looking at the bash builtins, which are far more numerous than those of the shell our program would actually be using, so the first failed attempt was an echo with the -e flag and a hex-encoded /bin/cat /home/cmd2/flag:

$ ./cmd2 "echo -e '\x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x2f\x68\x6f\x6d\x65\x2f\x63\x6d\x64\x32\x2f\x66\x6c\x61\x67'"

-e \x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x2f\x68\x6f\x6d\x65\x2f\x63\x6d\x64\x32\x2f\x66\x6c\x61\x67

This failed and would output... everything after echo? I was pulling my hair out until I remembered that bash is the default shell for users, but not for applications, on most systems.

And sure enough, that theory turned out to be true: not bash but sh was the default shell on this machine (as it is on almost all Linux distros). The list of sh builtins is much smaller than bash's.
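Which shell system() really hands the command to, and whether that shell's echo honours -e, can be checked from C. The following is an added example, not the challenge's code; it assumes a Linux host with /proc mounted and readlink available:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's own code. cmd2 hands its filtered string
 * to system(), which always runs "/bin/sh -c <cmd>" whatever the user's login
 * shell is. These helpers ask that shell which program it really is and whether
 * its builtin echo understands -e, the mismatch that broke the attempt above.
 * Linux only (reads /proc). */

/* Run cmd through /bin/sh (popen uses the same shell as system()); copy the
 * first output line without its newline into buf. Returns length or -1. */
static int sh_first_line(const char *cmd, char *buf, size_t len) {
    FILE *fp = popen(cmd, "r");
    buf[0] = '\0';
    if (fp == NULL || fgets(buf, (int)len, fp) == NULL) { if (fp) pclose(fp); return -1; }
    pclose(fp);
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}

/* The program behind /bin/sh, e.g. "/usr/bin/dash" or "/bin/bash": $$ is the
 * PID of the sh running the command, so /proc/$$/exe names its binary. */
int shell_behind_system(char *buf, size_t len) {
    return sh_first_line("readlink /proc/$$/exe", buf, len);
}

/* 1 if that shell's echo interprets -e (bash turns \x41 into "A"), 0 if it
 * prints "-e \x41" literally as dash does, -1 if sh could not be run. */
int sh_echo_honors_dash_e(void) {
    char out[64];
    if (sh_first_line("echo -e '\\x41'", out, sizeof out) < 0) return -1;
    return strcmp(out, "A") == 0;
}

/* Cross-check: echo behaviour must agree with the interpreter found.
 * 1 if consistent (or neither dash nor bash), 0 on mismatch or failure. */
int echo_matches_shell(void) {
    char shell[256];
    int e = sh_echo_honors_dash_e();
    if (shell_behind_system(shell, sizeof shell) <= 0 || e < 0) return 0;
    if (strstr(shell, "dash")) return e == 0;
    if (strstr(shell, "bash")) return e == 1;
    return 1;
}

int main(void) {
    char s[256];
    if (shell_behind_system(s, sizeof s) > 0)
        printf("/bin/sh is %s; echo -e interpreted: %d\n", s, sh_echo_honors_dash_e());
    return 0;
}
```

On a Debian/Ubuntu box this reports dash and 0, which is exactly why the echo -e attempt printed "-e" and the raw \x sequences instead of a path.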

The most interesting one was eval, which executes the argument passed to it. The only problem I had was that I could not pass anything through the environment, nor could I pass anything containing a blacklisted word. No conversion seemed possible. So I needed a way to supply input after the application's filter and delete_env had already run.

So I started looking for another command that might work together with eval, and my eye fell on read, which, upon testing, waits for stdin and sets a variable to whatever the input was.

Found the passcode

Because of cmd1 I only skimmed cmd2, as both were pretty much the same except for the environment-clearing code and the extra blacklisted words.
