https://blog.zars.me/tags/pwnable/Recent content in Pwnable on Tyler's BlogHugoen-us© AthulMon, 10 Jul 2023 12:13:32 +0530https://blog.zars.me/posts/pwnable/blackjack/Mon, 10 Jul 2023 12:13:32 +0530https://blog.zars.me/posts/pwnable/blackjack/Source The source provided in the game can be found here: Link Analysis I noticed the main gameplay block was quite interesting in the way it handled the users bet: if(p<=21) //If player total is less than 21, ask to hit or stay { printf("\n\nWould You Like to Hit or Stay?"); scanf("%c", &choice3); //... if((choice3=='H') || (choice3=='h')) // If Hit, continues { //... if(dealer_total==21) //Is dealer total is 21, loss { printf("\nDealer Has the Better Hand.https://blog.zars.me/posts/pwnable/cmd1/Mon, 10 Jul 2023 12:13:32 +0530https://blog.zars.me/posts/pwnable/cmd1/Starting to solve the pwnable.kr series of problems! Provided Source #include <stdio.h> #include <string.h> int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, "tmp")!=0; return r; } int main(int argc, char* argv[], char** envp){ putenv("PATH=/thankyouverymuch"); if(filter(argv[1])) return 0; system( argv[1] ); return 0; } Breaking this down, we can see three main parts: Reset the $PATH to only include one entry Filter the input to no include any strings Run system() Solving The $PATH holds the main directories for where binaries are located, allowing for users to just run something short like pwd instead of /bin/pwd.