fd

The first challenge from pwnable.kr

Description

Mommy! what is a file descriptor in Linux?

ssh fd@pwnable.kr -p2222 (pw:guest)

Solution

SSH into the server, and inspect the immediate directory’s contents.

fd@ubuntu:~$ ls -lh
total 16K
-r-sr-x--- 1 fd_pwn fd   7.2K Jun 11  2014 fd
-rw-r--r-- 1 root   root  418 Jun 11  2014 fd.c
-r--r----- 1 fd_pwn root   50 Jun 11  2014 flag

We get permission denied if we try to cat flag, but fd has the setuid bit set (the s in -r-sr-x---), so it executes as fd_pwn, the owner of flag.

Source code for fd is provided, so let’s see what fd does by opening up fd.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
	if(argc<2){
		printf("pass argv[1] a number\n");
		return 0;
	}
	int fd = atoi( argv[1] ) - 0x1234;
	int len = 0;
	len = read(fd, buf, 32);
	if(!strcmp("LETMEWIN\n", buf)){
		printf("good job :)\n");
		system("/bin/cat flag");
		exit(0);
	}
	printf("learn about Linux file IO\n");
	return 0;

}

You can quickly spot that cat is being run on flag. To get there, the buffer filled by the read() call must contain LETMEWIN followed by a newline.

read() reads from whatever file the descriptor fd refers to. Descriptors 0, 1 and 2 are STDIN, STDOUT and STDERR, so with one of those as fd the program reads what we type at the terminal.

But fd is computed by subtracting 0x1234 (4660 in decimal) from argv[1]. So supply an integer between 4660 and 4662 to make read() take our input.
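
As an added illustration (not part of the challenge or of the original write-up), the C below reproduces the fd arithmetic and the read-and-compare, and checks read()'s return value so that an invalid descriptor shows up as an error instead of a silent mismatch. The names target_fd, check_fd and check_via_pipe are made up for this example, and a pipe stands in for typed input.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_OFFSET 0x1234 /* constant from fd.c; 0x1234 == 4660 */

/* Same arithmetic as fd.c: the descriptor read() gets for a given argv[1]. */
int target_fd(const char *arg) {
    return atoi(arg) - FD_OFFSET;
}

/* The read-and-compare from fd.c, with read()'s return value checked.
 * Returns 1 on match, 0 on mismatch, -1 if read() failed (errno is set). */
int check_fd(int fd) {
    char buf[32] = {0};
    ssize_t len = read(fd, buf, sizeof buf - 1);
    if (len < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed harness: push input through a pipe, check the read end. */
int check_via_pipe(const char *input) {
    int p[2];
    if (pipe(p) != 0)
        return -1;
    ssize_t n = write(p[1], input, strlen(input));
    close(p[1]);
    int r = (n < 0) ? -1 : check_fd(p[0]);
    close(p[0]);
    return r;
}

int main(void) {
    printf("argv[1]=4660 -> fd %d\n", target_fd("4660"));
    printf("argv[1]=1    -> fd %d\n", target_fd("1"));
    printf("pipe, with newline:    %d\n", check_via_pipe("LETMEWIN\n"));
    printf("pipe, without newline: %d\n", check_via_pipe("LETMEWIN"));
    if (check_fd(target_fd("1")) == -1)
        printf("fd %d: %s\n", target_fd("1"), strerror(errno));
    return 0;
}
```

With any argument that does not land on an open descriptor, read() fails with EBADF and buf stays empty, which is why fd.c falls through to its "learn about Linux file IO" message.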

Capturing the Flag

fd@ubuntu:~$ ./fd 4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is!!