Skip to content

Pwnable Challenge 1 - fd

Tarun Verma

Published: at 03:22 PM

Note: I’ve decided to solve a bunch of pwnable.kr wargames and document them in this ongoing series. I haven’t worked on lower level stuff since graduating college, so this is largely an attempt to brush up some of those skills. If you find this helpful, let me know. (๑꧆◡꧆๑)

The first pwnable challenge is quite straightforward, all we need to do is read into buf the value LETMEWIN\n; this much should be clear from the following code snippet:

len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
    exit(0);
}

Since we’re reading from a file descriptor, recall that:

File DescriptorFunction
0Read from standard input
1Read from standard output
2Read from standard error

Essentially, we’d like to make our program read from the standard input, which means we’ll have to somehow set the value of fd to 0.

To achieve this, notice the following line:

int fd = atoi(argv[1]) - 0x1234;

The variable fd is set by performing an str to int conversion from which we then subtract the hex value 0x1234. Therefore, to set our fd value to 0 (stdin), we have to pass the decimal value of 0x1234 as the argument to the fd executable on the server. This value turns out to be 4660. Sure enough:

fd@pwnable:~$ ./fd 4660
LETMEWIN // Access to stdin - punch in the conditional match string here!
good job :)
mommy! I think I know what a file descriptor is!!