pwnable.kr - fd
Introduction
Hey guys, lately I have been doing pwn challenges and I decided to share some stuff
with you from time to time, like I do with the other write-ups. Today we will solve fd from
pwnable.kr. It's a very easy one, but as always we will go into detail.
Challenge Description
We have SSH login info and some sort of a hint. Before doing anything, let's talk about file
descriptors, because that's what the hint said.
File descriptors
File descriptors are simply indicators or handles used to access a file or I/O (input/output)
resource. File descriptors are represented in C as integers, and there are 3 standard file
descriptors:
standard input (stdin), its integer value is 0
standard output (stdout), its integer value is 1
standard error (stderr), its integer value is 2
To sum this up: when you run a program and give it arguments through sys.argv,
for example, that's stdin; whatever the program gives you back as output, that's
stdout. If the program gives you an error, because you missed a required argument or
gave it a wrong argument for example, that's stderr.
Source analysis
After we SSH to the server (ssh fd@pwnable.kr -p2222, password: guest) we find 3
files
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    char buf[32];
    int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
            printf("pass argv[1] a number\n");
            return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
            printf("good job :)\n");
            system("/bin/cat flag");
            exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;

    }
Breakdown:
    char buf[32];
    if(argc<2){
        printf("pass argv[1] a number\n");
        return 0;
    }
Here it starts by checking whether we passed an argument or not, and if we didn't, it will print
pass argv[1] a number
    int fd = atoi( argv[1] ) - 0x1234;
Then it defines a variable called fd. The value of that variable is atoi( argv[1] ) -
0x1234. atoi() is a function in C that converts a string into an integer; it stands for
ASCII to Integer. 0x1234 is the hex of 4660.
    int len = 0;
Here it takes fd, reads our input and puts it into buf. Then there's an if
statement which checks if the value of buf is LETMEWIN. If it is, it will print good job
and give us the flag, but if it's not, it will print learn about Linux file IO.
Exploitation
Now we have an idea about the logic of the program, and a pwn challenge is all about
breaking that logic.
Let's run the program just to test:
./fd 1337
It prints learn about Linux file IO, because we didn't get fd right. We know that
fd is an abbreviation for file descriptor, and there are 3 file descriptors: stdin, stdout and
stderr. We can also control the value of fd, because we know that it's subtracting
4660 from argv[1] and we control argv[1]. How are we giving the program argv[1]?
Through stdin, which is represented by 0, so if we give the program 4660, fd =
4660 - 4660, fd = 0. Let's try it.
Now it didn't print learn about Linux file IO. Instead, it's reading our input:
    len = read(fd, buf, 32);
We knew earlier that we have to make buf = "LETMEWIN" to execute the first if
condition:
And we got the flag: "mommy! I think I know what a file descriptor is!!"
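Added example (not part of the original write-up and not the challenge's own code): a small C program that repeats fd.c's arithmetic but checks what read() returns, showing that argv[1] only selects the descriptor number while the compared bytes come from whatever that descriptor is connected to. The helper names fd_from_arg, check_arg and feed_stdin, and the piped sample input, are constructed for this illustration.

```c
/* Added example: fd.c's descriptor arithmetic with read()'s result checked. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same arithmetic as fd.c: descriptor = argv[1] - 0x1234 (4660). */
static int fd_from_arg(const char *arg) { return atoi(arg) - 0x1234; }

/* fd.c's comparison, except that read()'s return value is inspected.
 * Returns 1 on a match, 0 on a mismatch, -1 if read() failed (errno set). */
static int check_arg(const char *arg) {
    char buf[32] = {0};                       /* always NUL-terminated */
    ssize_t len = read(fd_from_arg(arg), buf, sizeof buf - 1);
    if (len < 0)
        return -1;                            /* e.g. EBADF: not an open descriptor */
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed helper: put `data` on a pipe and make that pipe descriptor 0,
 * which is what a shell does for `printf 'LETMEWIN\n' | ./fd 4660`. */
static int feed_stdin(const char *data) {
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], data, strlen(data)) < 0)
        return -1;
    close(p[1]);
    if (p[0] != STDIN_FILENO) {               /* pipe may already be fd 0 */
        if (dup2(p[0], STDIN_FILENO) < 0)
            return -1;
        close(p[0]);
    }
    return 0;
}

int main(void) {
    feed_stdin("LETMEWIN\n");                 /* constructed sample input */
    int ok = check_arg("4660");
    printf("4660 -> fd %d, result %d\n", fd_from_arg("4660"), ok);
    int bad = check_arg("1337");
    printf("1337 -> fd %d, result %d (%s)\n", fd_from_arg("1337"), bad,
           bad < 0 ? strerror(errno) : "read succeeded");
    return 0;
}
```

With 1337 the computed descriptor is -3323, so read() fails with EBADF and the buffer is never filled; fd.c ignores len, which is why it simply falls through to learn about Linux file IO.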
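    #!/usr/bin/env python3
    # Log in to the challenge host over SSH, run ./fd with 4660 so that
    # fd becomes 0 (stdin), then send the string the program compares against.
    from pwn import *

    shell = ssh('fd', 'pwnable.kr', password='guest', port=2222)
    # Named proc so it does not shadow pwntools' own process class.
    proc = shell.process(executable='./fd', argv=['fd', '4660'])
    proc.sendline(b'LETMEWIN')
    print(proc.recv().decode())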
Let's try it:
./exploit.py