fd - pwnable.kr

Sun 02 June 2019 by TORGiren

In this post we're going to solve the fd challenge from pwnable.kr.

We can log in by ssh:

$ ssh fd@pwnable.kr -p2222

with password guest.

After logging in, we can see three files:

fd@ubuntu:~$ ls -l
total 16
-r-sr-x--- 1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r-- 1 root   root  418 Jun 11  2014 fd.c
-r--r----- 1 fd_pwn root   50 Jun 11  2014 flag

The flag is stored in the flag file, which we cannot read directly. However, we can run the fd binary, which has the setuid bit set and is owned by fd_pwn, so it runs with the privileges needed to read the flag.

Running fd:

fd@ubuntu:~$ ./fd
pass argv[1] a number

So we have to find out what fd does. The source code is in fd.c:

 1  #include <stdio.h>
 2  #include <stdlib.h>
 3  #include <string.h>
 4  char buf[32];
 5  int main(int argc, char* argv[], char* envp[]){
 6       if(argc<2){
 7               printf("pass argv[1] a number\n");
 8               return 0;
 9       }
10       int fd = atoi( argv[1] ) - 0x1234;
11       int len = 0;
12       len = read(fd, buf, 32);
13       if(!strcmp("LETMEWIN\n", buf)){
14               printf("good job :)\n");
15               system("/bin/cat flag");
16               exit(0);
17       }
18       printf("learn about Linux file IO\n");
19       return 0;
20
21  }

As we can see, lines 6-8 make the application check that at least one argument is passed.

Next, in line 10, the fd variable is initialized with the passed argument, converted to int by atoi, with hexadecimal 0x1234 subtracted from it.

In line 12, fd is used as the file descriptor in the read call, and the data read is stored in buf.

Finally, in line 13, the buffer is compared with the string LETMEWIN (followed by a newline).

There are three default file descriptors:

  • 0: standard in
  • 1: standard out
  • 2: standard error out

The easiest way to fill the buffer is to use an input that already exists: the keyboard (standard in).

To make fd equal to 0, we have to pass the value 0x1234 as the command-line argument, but written in decimal, because atoi only parses decimal digits.

Personally, I prefer using Python to calculate hex <=> decimal values:

fd@ubuntu:~$ python
Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x1234
4660

Next, we have to run fd with the argument 4660 and type LETMEWIN.

fd@ubuntu:~$ ./fd 4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is!!

And we've got the flag.
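
The descriptor arithmetic and check from lines 10-13, as an added example that is not part of the original post or of the challenge's fd.c. It feeds a constructed input line through a pipe in place of the keyboard and also covers the case where the argument is typed as 0x1234 instead of decimal; the helper names derive_fd, check_fd and run_with_input are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Line 10 of fd.c: atoi() parses decimal only and stops at the first
 * non-digit, so "0x1234" yields 0, not 4660. */
int derive_fd(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Lines 12-13 of fd.c: read up to 32 bytes from fd and compare.
 * Returns 1 on match, 0 on mismatch, -errno when read() fails. */
int check_fd(int fd) {
    char buf[33] = {0};            /* 33rd byte keeps the buffer NUL-terminated */
    if (read(fd, buf, 32) < 0)
        return -errno;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Hypothetical harness: puts the constructed `line` on descriptor 0 through
 * a pipe (standing in for the keyboard), then runs the check for `arg`. */
int run_with_input(const char *arg, const char *line) {
    int p[2], result, saved = dup(0);       /* remember the real stdin */
    if (pipe(p) != 0)
        return -errno;
    if (write(p[1], line, strlen(line)) < 0)
        perror("write");
    close(p[1]);                            /* reader sees EOF after `line` */
    if (p[0] != 0) {                        /* make the pipe descriptor 0 */
        dup2(p[0], 0);
        close(p[0]);
    }
    result = check_fd(derive_fd(arg));
    if (saved >= 0) {                       /* restore the real stdin */
        dup2(saved, 0);
        close(saved);
    } else {
        close(0);
    }
    return result;
}

int main(void) {
    printf("4660, LETMEWIN+newline -> %d\n", run_with_input("4660", "LETMEWIN\n"));
    printf("0x1234 (hex string)    -> %d\n", run_with_input("0x1234", "LETMEWIN\n"));
    return 0;
}
```

A negative result is the negated errno from read(): passing 0x1234 as text makes the descriptor -4660, which is not an open file.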

