Hey folks, Adam Doupé here, and today we're going to be looking at the pwnable.kr challenge Command 2, cmd2. So this is a live walkthrough, or live hack-through. I haven't seen this challenge at all yet, and I actually just finished the video for Command 1, so this should be an interesting challenge. So let's read the description. It says, "Daddy brought me a system command shell, but he put some filters to prevent me from playing with it without his permission." That's very good. I don't want to play any time I want. So, SSH into cmd2 at pwnable.kr on the port; the interesting thing is now, instead of the password being "guest" like it normally is, the password is actually the flag of cmd1. So here they've actually gated these challenges so you can only attempt to solve cmd2 after you can solve cmd1. So as I was playing through this one and the previous challenge of cmd1, I'm reminded that these are very similar to styles of challenges in CTFs where you have some access to some kind of remote command injection, either through bash or another type. And what your goal is, is to find that specific vulnerability that's going to get you in, or that pathway in that they didn't blacklist, or conversely that they accidentally whitelisted. So this is definitely a category and type of challenge that comes up. And Zardus I know loves doing this. So we look here, we have cmd2, cmd2.c, and flag. So, basic stuff that we want to do. So let's look at the code. Okay, similar thing. Okay, so it calls the environment, deletes the environment, ooh, interesting. Ah, okay, deletes the environment, character p, okay, so I guess I'm getting ahead of myself, but supposedly it deletes the environment and puts in a PATH called "no command execution until you become a hacker", that's good. Then we have if filter(argv[1]), so again we have a filter, then printf argv[1] %s\n, interesting, I wonder why it's doing, oh, it's telling you the command it's going to execute, I see.
And then it's calling system on argv[1], and we look at the filter, it's kind of rough: no equal signs, no PATH, no export, no slashes, no backticks, and no "flag" variables. Okay, cool, without an environment, this should be interesting. All right, I think our previous trick would probably work here. The weird thing is no slashes, but maybe we can get around that. Yeah, let's see, cool, let's play with this. So, cmd2 hello: "sh: hello: not found". So if we did echo hello, echo id, why did that not work? It doesn't like, it's not backticks. So, I can't do dot slash. Let's see what the PATH work, okay, so let's make a directory to play in tmp, adamd, cmd2. So, if we made, let's say, a link, a symbolic link called env2 to env locally. So, we should be able to do that, that should print out the environment, cool. And yeah, so I think it automatically looks in our home directory regardless of what the PATH is, so that should be good. So, let's do home, cmd2, cmd2, oh, we did not pass in a value, pass in env, it says env not found. And I definitely can't do that because slashes are not permitted. Okay, so I can't do equal sign, I can't do PATH, I can't say export, that's fine, you don't need to export. I can't do slash, I can do backticks. So, what I do have though is bash and shell built-ins, so I have built-in functions, I can't do flag. So, the slashes are the annoying part; if we didn't have to do that, we could pretty easily do this. And that's returning zero, okay. No, it's looking for any slashes, so backticks I know are not okay. If we did like this, it should say hello not found, okay great. So, we know we can do that. So, if I do man echo this should, this is the built-in I believe is the one. So, the problem is we, oh, we can use, there we go. I think, oh, "your shell may have its own version of echo." Yeah. Okay, let's see what if -e, and what we can do is try to get around this slash by using \x, hex.
So, we can say echo for instance, dot, we have to do echo -e. And is that equal PATH, \x4, just, just, nope. Dot, and instead of that we'll do \x. Go to our ASCII table, what is ASCII for slash? 2f, I should have known that. 2f env. And so I should be able to do home cmd2 dash cmd2. And they should at least show me this value to show that it can do that, echo -e. And so we should be able to do something like this. Oh, I see the problem. It's actually doing that. I want to escape that so it gets passed in. So "sh: 1: env: not found". Why is it saying that? Let's do it without this. Right. So we need to check out the man page for system. Although it said the built-in is different. So maybe the sh, man sh, maybe the echo built-in is different. Hmm. It does not have a -e option. "If any of the following sequences ... not output, backspace, suppressed, form feed, new line, \0 digits, octal digits." Okay. Let's try octal, \0. And then we need now, man ascii, 2f in octal. It's 057. Oh, and we don't need a -e. So that's good. So I'm calling /bin/sh echo with that. And then so now, the tricky thing is, so my slash before this dollar sign means that I want this, because otherwise my current environment will try to execute this command. But I don't want that. There we go. All right. Now I can execute commands. I'm basically done. So what I did, so I'm passing to /bin/sh, so the trick is, one of the tricks is we can get past these filters by using this \0 encoding and echo. And we can see that these backticks are not allowed. But dollar sign and parentheses are exactly the same thing. So we can do basically the same thing that we did. So we can do a ln -s. Let's make a, let's just make a link to home cmd2 flag. Oops. Oh, I called it flag. Does it look for flag? Yeah. So let's unlink flag. We'll call this boo again. And then we will also, actually we don't need this. Now we can, and we actually don't need that.
We can just encode that character. So what we're going to want to do is echo, not dot slash. We want slash bin 057, which is going to be a slash, cat. I don't think we need the boo. I think we can put that outside here. There we go. So we just executed echo this. This echo transforms all these characters and then gets fun with shell variables. So that was super fun. All right. Yeah. So I think this challenge, there's probably a lot of different ways to solve it. So this is just one of those ways. So I hope you enjoyed this. This was worth nine points. That was pretty fun. All right. I will talk to you guys later.
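The defensive lesson of the walkthrough is that a denylist applied to the raw argument string checks a different string than the one the shell eventually executes: `/` is rejected, but `\057` inside a `$(echo ...)` substitution is not, and the shell's echo built-in turns it into `/` after the check has passed. The following added example (written for this page, not the challenge's own cmd2.c) puts the denylist as described in the video next to a character allowlist, and includes a minimal model of the octal-escape decoding that the POSIX sh echo built-in performs, so the gap between "string the filter saw" and "string the shell saw" is visible. The token list mirrors the filter as the video describes it; the allowlist, the model function and the sample input are assumptions constructed for illustration.

```c
/* Added example: denylist (as described in the video) versus a character
 * allowlist, plus a model of sh's echo octal escapes. Not the challenge code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Tokens the video says the challenge filter rejects. */
static const char *DENIED[] = { "=", "PATH", "export", "/", "`", "flag", NULL };

/* Denylist check: returns 1 if any denied token appears, 0 if the string
 * would be handed to system(). */
int filter_denylist(const char *cmd)
{
    for (const char **t = DENIED; *t; t++)
        if (strstr(cmd, *t))
            return 1;
    return 0;
}

/* Hardened alternative (constructed here): allow only characters the shell
 * cannot use to build new tokens. '$', '(', '\\', quotes and friends are
 * all rejected, so command substitution never reaches the shell. Returns 1
 * on reject, 0 on accept. */
int filter_allowlist(const char *cmd)
{
    if (*cmd == '\0')
        return 1;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++) {
        if (isalnum(*p) || *p == ' ' || *p == '-' || *p == '.' || *p == '_')
            continue;
        return 1;
    }
    return 0;
}

/* Minimal model of the "\0nnn" octal escape that the POSIX sh echo built-in
 * (e.g. dash) interprets: "\0" followed by up to three octal digits becomes
 * one byte. Everything else is copied through. Returns bytes written. */
size_t expand_sh_echo_octal(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in && n + 1 < outsz) {
        if (in[0] == '\\' && in[1] == '0') {
            int val = 0, digits = 0;
            const char *p = in + 2;
            while (digits < 3 && *p >= '0' && *p <= '7') {
                val = val * 8 + (*p - '0');
                p++;
                digits++;
            }
            out[n++] = (char)val;
            in = p;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: contains no '/', so the denylist accepts it, yet
     * after $(...) substitution the shell sees a path with slashes. */
    const char *raw = "$(echo \\057bin\\057cat)";
    char seen_by_shell[64];

    printf("denylist  rejects? %d\n", filter_denylist(raw));   /* 0 */
    printf("allowlist rejects? %d\n", filter_allowlist(raw));  /* 1 */
    expand_sh_echo_octal("\\057bin\\057cat", seen_by_shell, sizeof seen_by_shell);
    printf("what echo emits: %s\n", seen_by_shell);           /* /bin/cat */
    return 0;
}
```

The allowlist is only a partial mitigation; the real fix for a program like this is to not pass user input through `system()` at all, and instead `execve()` a fixed binary with the user-supplied words as separate argv entries, so no shell ever re-interprets the string.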