Note: I’ve decided to solve a bunch of pwnable.kr wargames and document them in this ongoing series. I haven’t worked on lower level stuff since graduating college, so this is largely an attempt to brush up some of those skills. If you find this helpful, let me know. (๑꧆◡꧆๑)
The first pwnable challenge is quite straightforward: all we need to do is read the value `LETMEWIN\n` into `buf`. This much should be clear from the following code snippet:
```c
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
    exit(0);
}
```
Since we’re reading from a file descriptor, recall that:
File Descriptor | Function |
---|---|
0 | Read from standard input |
1 | Read from standard output |
2 | Read from standard error |
Essentially, we’d like to make our program read from the standard input, which means we’ll have to somehow set the value of `fd` to `0`.
To achieve this, notice the following line:
```c
int fd = atoi(argv[1]) - 0x1234;
```
The variable `fd` is set by converting the first argument from `str` to `int` and then subtracting the hex value `0x1234`. Therefore, to set our `fd` value to `0` (`stdin`), we have to pass the decimal value of `0x1234` as the argument to the `fd` executable on the server. This value turns out to be `4660`. Sure enough:
```
fd@pwnable:~$ ./fd 4660
LETMEWIN // Access to stdin - punch in the conditional match string here!
good job :)
mommy! I think I know what a file descriptor is!!
```
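The same logic as a stand-alone program, added here as an example (it is not the challenge's source): it goes one step beyond the stdin case to show that the argument selects any open descriptor, using a constructed pipe in place of the terminal. The names `FD_OFFSET`, `derive_fd`, `arg_for_fd`, `check_fd` and `demo_with_pipe` are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_OFFSET 0x1234 /* constant subtracted in the challenge line */

/* Same arithmetic as the challenge: the argument string selects the descriptor. */
int derive_fd(const char *arg) { return atoi(arg) - FD_OFFSET; }

/* Inverse (hypothetical helper): the argument that yields descriptor `want`. */
int arg_for_fd(int want) { return want + FD_OFFSET; }

/* Mirrors the snippet's check: read up to 32 bytes from fd and compare.
 * Returns 1 on a match, 0 otherwise (including read errors on an unopened fd). */
int check_fd(int fd) {
    char buf[33] = {0}; /* spare byte keeps the buffer NUL-terminated for strcmp */
    ssize_t len = read(fd, buf, 32);
    if (len < 0) return 0;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed demo: a pipe stands in for the terminal, and the argument is
 * computed so that the derived descriptor is the pipe's read end. */
int demo_with_pipe(const char *line) {
    int p[2];
    char arg[16];
    if (pipe(p) != 0) return -1;
    if (write(p[1], line, strlen(line)) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    snprintf(arg, sizeof arg, "%d", arg_for_fd(p[0]));
    int ok = check_fd(derive_fd(arg));
    close(p[0]);
    return ok;
}

int main(void) {
    printf("argument for stdin (fd 0): %d\n", arg_for_fd(0));
    printf("pipe, matching line:       %d\n", demo_with_pipe("LETMEWIN\n"));
    printf("pipe, non-matching line:   %d\n", demo_with_pipe("nope\n"));
    printf("unopened fd (arg \"0\"):     %d\n", check_fd(derive_fd("0")));
    return 0;
}
```

The takeaway for code review is that a descriptor number computed from caller-supplied input lets the caller choose the data source, so a fixed offset adds no protection.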