Hey folks, Adam Doupé here, and today we're going to be looking at the pwnable.kr challenge cmd1. And this is going to be a live walkthrough. I haven't seen this code before or otherwise solved this in any way. So let's dig right in.

So cmd1, one point: "Mommy, what is PATH environment in Linux?" So this should be a very interesting and hopefully pretty straightforward level given the fact that it's one point. So we SSH to this machine. We find ourselves here. We have a cmd1, group set-UID on the cmd1_pwn. We have C code and we have a flag. So we know what we've got to do. So let's go to the code.

So the code, very simple program. We have an int main, argc, argv, environment pointer; it puts a PATH in the environment. Something that's not very nice. This is actually something that I hate about CTF challenges. I know it can be fun to put, you know, little curse words or whatever or inappropriate things in your challenges. And yes, the hacker aesthetic and the hacker mindset is very kind of libertarian and screw the man and all this kind of stuff. But still this is, you know, it's not cool; security should be inclusive for everyone. And this kind of stuff just serves to drive people away rather than actually do anything cool. But regardless, it's here. So we're going to deal with it.

Okay. So it puts in the environment a PATH variable. It then filters out argv[1]. So the filter takes in a command, calls strstr on the command, and looks for "flag", "sh" and "tmp". And if it returns any of these things, that will return r. So if r returns anything, it will return 0; otherwise it calls system directly on our argument.

So, important things in here. This actually should be fairly straightforward, man. So system, if you've never seen system before: it's a libc function and it does exactly what it says it's going to do. It's going to call execl /bin/sh sh -c and the command that we pass in.
So it's going to pass it in to a new shell, whatever we type in. And so one thing we could think about doing is run cmd1. And we know whatever we type in here, like if we do, let's say, id, it's going to say id not found. So if we do, let's say, echo hello, it's going to say hello. And so this is executing inside.

Now why didn't it find id? And that is because bash or your shell by default will use this PATH environment variable to look for the command you want to execute. So when you type ls, it actually knows which ls you want to execute in /bin/sh by actually looking: it splits this string based on semicolons and it looks, is there an ls in /usr/local/sbin? If not, look in /usr/local/bin; if not, look in /usr/sbin, and so on until it finds it in /bin. So what they're doing by setting this PATH variable here, it's basically saying we can't just say ls, but what we can do is we can say, let's see, we can do which id to figure out where that is exactly. And we can do cmd1 /usr/bin/id. And that's going to tell us that we are executing as user ID cmd1, group ID cmd1, but effective group ID of cmd1_pwn.

So what we can do here, we can pretty much do anything. Let's just do /bin/bash to drop us into a shell. And that did not work. Why did that not work? Oh, the filter looks for "sh". I see. So it looks for "flag", "sh" or "tmp". So what do we want it to do? Oh, this is pretty easy then. Let's do this.

So we've already basically used this trick before. So we'll make a temp directory. Yeah, we can't reference tmp by name, but we can make directory tmp adamd cmd1, tmp adamd cmd1. And then from here, we can make a symbolic link, so ln -s; it's like a copy, so where you want to copy from and then to. So we want to make a symbolic link to /home/cmd1/flag, and we're going to call it boo. And what we're going to do is call /home/cmd1/cmd1. And the command we want to pass in is /bin/cat boo.
And what this is going to do is it's going to follow this symbolic link. And this symbolic link points to the flag. So we got past the filter, which is looking for "flag", "sh" or "tmp". And so then we get the flag here. It says, "mommy now I get what PATH environment is for". That is true. That's how we can execute any command we want.

So at this point, we basically really own this program. We could do all types of things. We could create an sh script here to execute it. We could create C code in here. We could do all kinds of fun stuff here. So I like these challenges because they really get you to think about how to solve these things. I just wish there was less, maybe that's old-fashioned of me, but less cursing in our CTF challenges. So anyways, that's it. And thanks for watching this walkthrough and I'll see you folks later.
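
Added example, not part of the video or the challenge's source: a C sketch of why the substring filter described in the walkthrough says nothing about which file a name reaches, next to a check on file identity. The filter is reconstructed from the spoken description; `refers_to_protected`, `demo` and the scratch directory are hypothetical names, and the files are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Blocklist as the walkthrough describes it: 1 = reject, decided on the text alone. */
int naive_filter(const char *cmd) {
    return strstr(cmd, "flag") != NULL || strstr(cmd, "sh") != NULL ||
           strstr(cmd, "tmp") != NULL;
}

/* Identity check: 1 if path resolves (through symlinks) to the protected file.
 * stat() follows links, so any alias shares the target's device and inode. */
int refers_to_protected(const char *path, const char *protected_path) {
    struct stat a, b;
    if (stat(path, &a) != 0 || stat(protected_path, &b) != 0)
        return 1; /* fail closed when either name cannot be resolved */
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed scenario: a scratch directory holding "flag" and a symlink "boo". */
int demo(int *naive_rejects, int *identity_rejects) {
    char dir[] = "/tmp/cmd1_demo_XXXXXX"; /* hypothetical scratch location */
    char secret[64], alias[64];
    int fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(secret, sizeof secret, "%s/flag", dir);
    snprintf(alias, sizeof alias, "%s/boo", dir);
    if ((fd = open(secret, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if (symlink(secret, alias) != 0) return -1;
    *naive_rejects = naive_filter("/bin/cat boo"); /* text has no blocked word */
    *identity_rejects = refers_to_protected(alias, secret);
    unlink(alias); unlink(secret); rmdir(dir);
    return 0;
}

int main(void) {
    int naive = -1, identity = -1;
    if (demo(&naive, &identity) != 0) { perror("demo"); return 1; }
    printf("blocklist rejects: %d, identity check rejects: %d\n", naive, identity);
    return 0;
}
```

A check like this is still racy if the file is opened in a separate step afterwards; in a setgid program the sturdier design is to never hand caller-supplied text to system() and to run a fixed program with a fixed argument list instead.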