Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without his permission...
but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)

As the setgid of cmd2_pwn is on cmd2, we can use it.

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "=")!=0;
        r += strstr(cmd, "PATH")!=0;
        r += strstr(cmd, "export")!=0;
        r += strstr(cmd, "/")!=0;
        r += strstr(cmd, "`")!=0;
        r += strstr(cmd, "flag")!=0;
        return r;
}

extern char** environ;
void delete_env(){
        char** p;
        for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
        delete_env();
        putenv("PATH=/no_command_execution_until_you_become_a_hacker");
        if(filter(argv[1])) return 0;
        printf("%s\n", argv[1]);
        system( argv[1] );
        return 0;
}
cmd2.c

In essence, cmd2 is same with cmd1, with just some more filters. This time, it even filters backtick characters to execute some commands, slashes for directories, etc.

I was jammed for a while and spent some time reading the manifestation for commands, and I ended up finding command “command” that would allow me to execute commands in the default "/bin" path. (I know, that's very straightforward for a command named to be "command").

So using “command -p” is a way to bypass the filter.