
| title | date | tags |
| --- | --- | --- |
| Pwnable.kr: fd (1) | 2015-10-20T18:20:38.431Z | medium-blog |

This is my first writeup. The problem reads:

> Mommy! what is a file descriptor in Linux?
>
> ssh fd@pwnable.kr -p2222 (pw:guest)

Since it tells us to SSH to their server, we'll do that. Upon logging in, we find three files: `fd`, an executable binary; `fd.c`, its source file; and `flag`, the target file we are trying to read, which is currently protected by root. Let's begin by analyzing `fd.c`.

At the `if` statement, the program checks `buf` against the string `LETMEWIN`. Where is `buf` being read from? It's being read from a variable called `fd`, which is a file descriptor. Since the only way we can give input to the program is `STDIN_FILENO`, we have to make sure `fd` is set to 0.

According to the code, `fd` is calculated by `atoi( argv[1] ) - 0x1234`: it converts the user input into an integer and subtracts 0x1234, or 4660 in decimal. To make `fd` equal to 0, we simply pass 4660 as an argument. This should cause the program to prompt us for input. Now we just enter `LETMEWIN`, and it should print out the flag :)

mommy! I think I know what a file descriptor is!!
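
A small C model of the logic described above, added here as an example; it is not the challenge's `fd.c`, which this page does not reproduce. It goes slightly beyond the stdin case to show that the argument selects whichever descriptor number the arithmetic lands on. The function names, buffer size, newline stripping and pipe-based demo are assumptions; only `atoi(argv[1]) - 0x1234`, the `LETMEWIN` comparison and the value 4660 come from the writeup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_OFFSET 0x1234 /* 4660 decimal, the constant quoted in the writeup */

/* Descriptor number selected by a given argv[1] (name is hypothetical). */
int derive_fd(const char *arg) {
    return atoi(arg) - FD_OFFSET; /* atoi() yields 0 for non-numeric text */
}

/* 1 = input matched, 0 = mismatch, -1 = read() failed (e.g. EBADF). */
int check(const char *arg) {
    char buf[32] = {0};
    ssize_t n = read(derive_fd(arg), buf, sizeof(buf) - 1);
    if (n < 0)
        return -1;
    buf[strcspn(buf, "\n")] = '\0'; /* assumption: ignore the newline from Enter */
    return strcmp(buf, "LETMEWIN") == 0;
}

/* Constructed demo: queue `input` in a pipe, then aim the argument at the
 * pipe's read end, the same way 4660 aims it at stdin (descriptor 0). */
int demo_pipe(const char *input) {
    int p[2], result = -1;
    char arg[16];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], input, strlen(input)) == (ssize_t)strlen(input)) {
        snprintf(arg, sizeof(arg), "%d", p[0] + FD_OFFSET);
        result = check(arg);
    }
    close(p[1]);
    close(p[0]);
    return result;
}

int main(void) {
    printf("argument 4660 selects fd %d\n", derive_fd("4660"));
    printf("pipe, matching input:     %d\n", demo_pipe("LETMEWIN\n"));
    printf("pipe, other input:        %d\n", demo_pipe("nope\n"));
    printf("non-numeric argument:     %d\n", check("abc"));
    return 0;
}
```

The non-numeric case shows the failure mode: the derived descriptor is negative, so `read()` fails instead of prompting for input.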

By Michael Zhang on .


Exported from Medium on October 8, 2024.