Note: I’ve decided to solve a bunch of pwnable.kr wargames and document them in this ongoing series. I haven’t worked on lower level stuff since graduating college, so this is largely an attempt to brush up some of those skills. If you find this helpful, let me know. (๑꧆◡꧆๑)
The first pwnable challenge is quite straightforward: all we need to do is read the value LETMEWIN\n into buf. This much should be clear from the following code snippet:

```c
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
    exit(0);
}
```

Since we’re reading from a file descriptor, recall that:
| File Descriptor | Function |
|---|---|
| 0 | Standard input (stdin) |
| 1 | Standard output (stdout) |
| 2 | Standard error (stderr) |
Essentially, we’d like to make our program read from the standard input, which means we’ll have to somehow set the value of fd to 0.
To achieve this, notice the following line:

```c
int fd = atoi(argv[1]) - 0x1234;
```

The variable fd is set by converting argv[1] from a string to an integer with atoi and then subtracting the hex value 0x1234. Therefore, to set our fd value to 0 (stdin), we have to pass the decimal value of 0x1234 as the argument to the fd executable on the server. This value turns out to be 4660. Sure enough:

```
fd@pwnable:~$ ./fd 4660
LETMEWIN // Access to stdin - punch in the conditional match string here!
good job :)
mommy! I think I know what a file descriptor is!!
```
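
The descriptor arithmetic and string check above, reproduced as an added example that is not the challenge's source: `fd_from_arg`, `check_arg` and `check_via_pipe` are hypothetical names, and a pipe carrying constructed input stands in for stdin so it runs without a terminal. It also covers two failure cases: an argument that maps to a descriptor that is not open, and input missing the trailing newline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 0x1234              /* constant subtracted in the challenge */

/* Same arithmetic as the challenge line: atoi(argv[1]) - 0x1234. */
int fd_from_arg(const char *arg) {
    return atoi(arg) - OFFSET;
}

/* Mirror of the challenge check. Returns 1 on a match, 0 on a mismatch,
 * -1 if read() fails (for example EBADF on a descriptor that is not open). */
int check_arg(const char *arg) {
    char buf[32] = {0};            /* zeroed; at most 31 bytes are read, so it stays NUL-terminated */
    ssize_t len = read(fd_from_arg(arg), buf, sizeof(buf) - 1);
    if (len < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed input: send `msg` through a pipe and pass the argument that
 * maps to the pipe's read end, standing in for typing on stdin. */
int check_via_pipe(const char *msg) {
    int p[2];
    char arg[16];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], msg, strlen(msg)) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    snprintf(arg, sizeof(arg), "%d", p[0] + OFFSET);
    int result = check_arg(arg);
    close(p[0]);
    return result;
}

int main(void) {
    printf("arg 4660 -> fd %d\n", fd_from_arg("4660"));
    printf("arg 0 -> check %d (read fails)\n", check_arg("0"));
    printf("pipe, exact match -> %d\n", check_via_pipe("LETMEWIN\n"));
    printf("pipe, no newline -> %d\n", check_via_pipe("LETMEWIN"));
    return 0;
}
```

The newline in the comparison string is what the Enter key supplies when the input is typed at a terminal, which is why the same text without it does not match.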