When I get some free time I try to solve some beginner hacker CTFs. Recently I stumbled over cmd2 at Pwnable.kr and it took me some time to solve it. Later I realized that my earlier attempts would have been successful if I had known the difference between calling arguments with "..." or '...'. 🙂
For starters, when a binary is called with "$(...)", the calling shell executes the code inside $(...) first and passes the result to the binary as its argument.
When a binary is called with '$(...)', the shell expands nothing and the binary receives the whole string, $(...) included, as its argument. With some help from YouTube I used the following solution for cmd2:
./cmd2 '$(cs() { printf ${@}; }; cs "\57bin\57cat\40fl"; cs "ag";)'
An easier solution as seen here would be:
./cmd2 '$(echo "\57bin\57cat \57home\57cmd2\57f")lag'
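The quoting difference described above, as an added example that is not part of the original post. show_arg is a hypothetical stand-in for the called binary, and the sh -c step assumes a program that passes its argument on to a shell.

```shell
#!/bin/sh
# Added example: which shell performs the $(...) substitution?
# show_arg is a stand-in for any binary; it returns argv[1] unchanged.
show_arg() {
    printf '%s' "$1"
}

# Double quotes: the calling shell runs the substitution first,
# so the program only ever sees the result.
double_quoted() {
    show_arg "$(printf 'A%sB' '-')"
}

# Single quotes: the calling shell expands nothing,
# so the program sees the literal text, "$(" included.
single_quoted() {
    show_arg '$(printf "A%sB" "-")'
}

# Assumption: a program that hands its argument to a shell (modelled here
# with sh -c). The literal text from single_quoted is expanded only at
# this point, by the second shell.
expanded_by_second_shell() {
    arg=$(single_quoted)
    sh -c "printf '%s' \"$arg\""
}

printf 'double quotes : %s\n' "$(double_quoted)"
printf 'single quotes : %s\n' "$(single_quoted)"
printf 'second shell  : %s\n' "$(expanded_by_second_shell)"
```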