Mommy! what is PATH environment in Linux?
ssh cmd1@pwnable.kr -p2222 (pw:guest)

As the setgid of cmd1_pwn is on cmd1, we can utilize it.

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}
int main(int argc, char* argv[], char** envp){
        putenv("PATH=/thankyouverymuch");
        if(filter(argv[1])) return 0;
        system( argv[1] );
        return 0;
}
cmd1.c

It seems that cmd1 filters strings that contain “cat flag”, “sh”, or “tmp”. Since it doesn’t filter cat, we can try “./cmd1 cat”, only to see an error:

To understand the mechanism, we have to look at the basic facts of Linux: it provides users "/bin" as a default environment variable so that we wouldn't have to type "/bin/cat" every time to execute cat.

The problem here is that since cmd1 has set the only environment variable in "/thankyouverymuch", it would only execute programs there. Therefore, we have to reset the env to "/bin".

And since the string “flag” is filtered, we use the wildcard method to call flag by not typing the string “flag” itself. We type “fl*”, which would call all files starting with “fl”.

Again, we type ./cmd1 “/bin/cat fl*” (double quotes for one argument)

Pwned!