fd-Pwnable.kr
learn File descriptor
fd-Pwnable.kr
Overview
video grab from Youtube
Step by Step Solution
SSH in
1
ssh fd@pwnable.kr -p2222 # guest
Find Flag
1
ls
- see flag, try to open
1
cat flag
- try reading
fd.c
1
cat fd.c
- The Code needed to solve.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
int fd = atoi( argv[1] ) - 0x1234; //This is the key
int len = 0;
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
printf("good job :)\n");
setregid(getegid(), getegid());
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
The key line is:
1
int fd = atoi(argv[1]) - 0x1234;
0x1234 is 4660 in decimal. If you pass 4660 as the first argument (argv[1]), then:
- convert hex 0x1234 to decimal $((1x16^3)+(2x16^2)+(3x{16}^1)+(4x{16}^0))$ =4066
1
fd = 4660 - 4660 = 0
File descriptor 0 is stdin. The program will then read from your input.
1
./fd 4460 # LETMEWIN
Then type LETMEWIN and press Enter.
One-liner Solution
1
echo "LETMEWIN" | ./fd 4660
Answer
1
Mama! Now_I_understand_what_file_descriptors_are!
This post is licensed under CC BY 4.0 by the author.