# Problem
I think this problem is similar to cmd1. The problem is as follows.
"Daddy bought me a system command shell. But he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want!"
# How to solve
First, connect to the server cmd2@pwnable.kr -p2222 (pw: flag of cmd1).
Then, check the program source code.
When I look at the source code, I can see that it filters out some characters. I decided to use the environment variable I used in cmd1. I also decided to use the following attributes to use the / character.
The first code I thought of is:
./cmd2 '$(echo /)bin$(echo /)cat flag'
However, I changed the /, which is filtered here, to its ASCII code.
./cmd2 '$(echo "\57")bin$(echo "\57")cat flag'
And the string "flag" was replaced using an environment variable.
The result is as follows.
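
Why a filter on the raw argument misses this, as an added example (not from the original post or the cmd2 source): the denylist below is constructed from the two tokens the write-up says are filtered, and `resolve_action` with its action table is a hypothetical hardened alternative that never passes user input to a shell.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed denylist: the two tokens the write-up says are filtered.
   This is an assumption for illustration, not the real cmd2 source. */
static const char *DENY[] = { "/", "flag" };

/* Returns 1 if the raw argument contains a denied token, else 0.
   It inspects the text before the shell expands $(...), so it never
   sees the characters that expansion will produce. */
int denylist_blocks(const char *cmd) {
    for (size_t i = 0; i < sizeof DENY / sizeof DENY[0]; i++)
        if (strstr(cmd, DENY[i]) != NULL)
            return 1;
    return 0;
}

/* Hypothetical hardened entry point: the caller names an action and the
   program maps it to a fixed path. No user text reaches a shell, so there
   is no expansion step for a filter to miss. */
struct action { const char *name; const char *path; };
static const struct action ACTIONS[] = {
    { "list", "/bin/ls" },
    { "date", "/bin/date" },
};

/* Returns the fixed path for a known action (to be run with execv() and a
   fixed argv), or NULL for anything else. */
const char *resolve_action(const char *name) {
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].path;
    return NULL;
}

int main(void) {
    /* Strings taken from the write-up's second attempt. */
    const char *slash_part = "$(echo \"\\57\")bin$(echo \"\\57\")cat";
    const char *full       = "$(echo \"\\57\")bin$(echo \"\\57\")cat flag";

    printf("denylist blocks /bin/cat:       %d\n", denylist_blocks("/bin/cat"));
    printf("denylist blocks slash rewrite:  %d\n", denylist_blocks(slash_part));
    printf("denylist blocks with \"flag\":    %d\n", denylist_blocks(full));
    printf("action table accepts rewrite:   %d\n", resolve_action(slash_part) != NULL);
    return 0;
}
```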