Apr 27, 2020

Pwnable fd CTF walkthrough

In this document we are going to try a new CTF called file descriptor. It is from pwnable.kr. This is a simple CTF that runs in a Linux environment. We need some knowledge of Linux file descriptors and C programming. So let's start. Here is the starting description of the CTF.


At the top we can see the string "Mommy! what is a file descriptor in Linux?". It looks like a hint to get started with. The SSH address for the challenge is also given there.

So I used putty to log in to the CTF via SSH. The password is given as "guest".


Let's look around to see what we can find. I used "ls" to see the files in the current directory.

[email protected]:~$ ls
fd  fd.c  flag

So there is a flag in a file. We don't have permission to read it. There is also a binary called fd and the source code of a C program. We can assume this is the source of that binary. Let's read it using the cat command.

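#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* read() */

char buf[32];
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        /* fd is the user-supplied number minus 0x1234 */
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        /* the flag is printed only if the bytes read equal "LETMEWIN\n" */
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
        }
        printf("learn about Linux file IO\n");
        return 0;
}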


There is an interesting piece of code, as follows.

if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
}

After reading this part of the code we can imagine that we need to fill the buf buffer with the string "LETMEWIN\n". When I see this, the first thing that comes to mind is a buffer overflow. But in this CTF we see a different game. We have to use file descriptors and streams to exploit the program. At the top of the program, "buf" is defined with length 32.

What about the following three lines of code?

int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);

In len = read(fd, buf, 32); we use the read function with three arguments. We have talked about this function in the C programming tutorials. Here is what the Linux man page says about the read function.


We can read the definition of the read function here.

ssize_t read(int fd, void *buf, size_t count);

buf is a pointer to the buffer, count is the number of bytes to read, and fd is the file descriptor number. Every file descriptor has its own unique number.

In Linux there are three standard file descriptors. They are standard input (stdin), standard output (stdout) and standard error (stderr). The fd number of stdin is zero, stdout is one and stderr is two. As we know, stdin is used to get input from the keyboard. So if we want to enter the "LETMEWIN\n" string we should use the stdin file descriptor.

How can we control this file descriptor number in the above program? Think about int fd = atoi( argv[1] ) - 0x1234; Here the program uses our command line argument to make the value for the fd integer variable. It subtracts 0x1234 (4660 in decimal) from our input and assigns the result to fd.

So what we want to do is give the value zero to the fd integer. Therefore our input should be 4660.
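The descriptor arithmetic above, as an added example (not code from the original post or from pwnable.kr): it reuses the `atoi(argv[1]) - 0x1234` computation and the read-and-compare check from fd.c, and goes slightly beyond the stdin case by showing that the argument can select any open descriptor, and what happens when it selects one that is not open. The helper names `fd_from_arg`, `check_fd`, `arg_for_fd` and `demo_pipe`, the pipe standing in for the keyboard, and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_OFFSET 0x1234   /* constant subtracted in fd.c (4660 decimal) */

/* Same arithmetic as fd.c: the caller's argument fully determines the fd. */
int fd_from_arg(const char *arg) { return atoi(arg) - FD_OFFSET; }

/* Hypothetical helper: repeat fd.c's read-and-compare on the selected fd.
 * Returns 1 on match, 0 on mismatch, -1 if read() fails (e.g. EBADF). */
int check_fd(const char *arg) {
    char buf[33] = {0};              /* one spare byte keeps strcmp bounded */
    ssize_t len = read(fd_from_arg(arg), buf, 32);
    if (len < 0) return -1;          /* fd.c ignores len; here it is checked */
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Hypothetical helper: build the argument that selects a given fd. */
void arg_for_fd(int fd, char *out, size_t n) {
    snprintf(out, n, "%d", fd + FD_OFFSET);
}

/* Constructed demo: a pipe plays the role of the input stream, so the
 * check can be exercised offline without typing on stdin. */
int demo_pipe(const char *typed) {
    int p[2];
    char arg[16];
    if (pipe(p) != 0) return -2;
    if (write(p[1], typed, strlen(typed)) < 0) return -2;
    close(p[1]);
    arg_for_fd(p[0], arg, sizeof arg);   /* e.g. fd 3 -> "4663" */
    int r = check_fd(arg);
    close(p[0]);
    return r;
}

int main(void) {
    printf("arg 4660 -> fd %d (stdin)\n", fd_from_arg("4660"));
    printf("arg 4661 -> fd %d (stdout)\n", fd_from_arg("4661"));
    printf("pipe, expected line: %d\n", demo_pipe("LETMEWIN\n"));
    printf("pipe, other text:    %d\n", demo_pipe("hello\n"));
    printf("fd that is not open: %d\n", check_fd("9999"));
    return 0;
}
```

The takeaway for code review is that a descriptor number derived from user input lets the caller choose where the program reads from, so the comparison in fd.c only tests whether the caller knows the string, not where the data came from.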

Now it's time to exploit the program.


Nice. I hope you enjoyed it. See you again on another CTF.


Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of University of Ruhuna. I love to explore things about CS, Hacking, Reverse engineering etc.