Apr 27, 2020

Pwnable fd CTF walkthrough

In this document we are going to try a new CTF called fd (file descriptor). It is from pwnable.kr. This is a simple CTF that runs in a Linux environment, and we need some knowledge of Linux file descriptors and C programming. So let's start. Here is the starting description of the CTF.

pawnable-fd-ctf-decription

At the top we can see the string "Mommy! what is a file descriptor in Linux?". It looks like a hint to get started with. There is also the SSH address to get started.

So I used PuTTY to log in to the CTF via SSH. The password is given as "guest".

pawnable-fd-ctf-ssh-loogged-in

Let's explore it to see what we can find. I used "ls" to list the files in the current directory.

[email protected]:~$ ls
fd  fd.c  flag

So there is a flag in a file, but we don't have permission to read it. There is also a binary called fd and the source code of a C program. We can assume this is the source of the binary above. Let's read it using the cat command.

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<unistd.h>   /* declares read(); missing in the listing on the challenge box */
char buf[32];        /* global, so it is zero-initialised before read() fills it */
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        /* the descriptor to read from is derived from the user's argument */
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);        /* read() does not NUL-terminate buf */
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;
}

The interesting part of the code is the following.

if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
    exit(0);
}

After reading the above part of the code we can imagine that we need to fill the buf buffer with the string "LETMEWIN\n". When I see this, the first thing that comes to mind is a buffer overflow. But this CTF plays a different game: we have to use file descriptors and streams to make the program read that string. At the top of the program, "buf" is defined with length 32.

Now consider the following three lines of code.

int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);

In len = read(fd, buf, 32); we call the read function with three arguments. We have talked about this function in the C programming tutorials. Here is what the Linux man page says about the read function.

linux-man-read

We can read the definition of the read function here.

ssize_t read(int fd, void *buf, size_t count);

buf is a pointer to the buffer, count is the maximum number of bytes to read and fd is the file descriptor number. Every open file descriptor has its own unique number within the process. Note that read returns the number of bytes actually read and does not add a terminating NUL; the program only gets away with strcmp because buf is a zero-initialised global.

In Linux there are three standard file descriptors: standard input (stdin), standard output (stdout) and standard error (stderr). The fd number of stdin is zero, stdout is one and stderr is two. As we know, stdin is used to get input from the keyboard. So if we want to type the "LETMEWIN\n" string ourselves, the program should read from the stdin file descriptor.

How can we control this file descriptor number in the above program? Think about int fd = atoi( argv[1] ) - 0x1234; Here the program uses our command line argument to compute the value of the fd integer variable: it subtracts 0x1234 (4660 in decimal) from our input and assigns the result to fd.

So what we want is to give fd the value zero, so that the program reads our "LETMEWIN\n" line from stdin. Therefore our input should be 4660.
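To make the descriptor arithmetic and the read() behaviour concrete, here is an added example that is not part of the original post or the challenge. It reproduces the atoi - 0x1234 calculation, names the three standard descriptors, and then feeds a line through a pipe (standing in for the keyboard) to show when the strcmp check passes. The helper names fd_from_arg, fd_name, read_line_from_fd and check_input are my own; unlike the challenge binary, read_line_from_fd always NUL-terminates the buffer instead of relying on a zeroed global.

```c
/* Added example (not the challenge's code): exercises the file descriptor
 * and read() behaviour discussed above, using a pipe so it runs unattended. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TARGET "LETMEWIN\n"
#define BUF_LEN 32

/* Mirrors the challenge's arithmetic: argv[1] is parsed with atoi and
 * 0x1234 (4660) is subtracted, so "4660" yields descriptor 0 (stdin). */
int fd_from_arg(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Human-readable name for the three standard descriptors. */
const char *fd_name(int fd) {
    switch (fd) {
    case 0:  return "stdin";
    case 1:  return "stdout";
    case 2:  return "stderr";
    default: return "other";
    }
}

/* Reads up to len-1 bytes from fd and always NUL-terminates the result.
 * read() itself adds no terminator; the original program only gets away
 * with strcmp because buf is a zero-initialised global. */
ssize_t read_line_from_fd(int fd, char *buf, size_t len) {
    if (len == 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return n;
}

/* Simulates typing `input` into the descriptor the program reads from:
 * a pipe stands in for the terminal. Returns 1 when the challenge's
 * strcmp check would pass, 0 otherwise. */
int check_input(const char *input) {
    int pfd[2];
    char buf[BUF_LEN];
    if (pipe(pfd) != 0) return 0;
    /* short constructed inputs fit the pipe buffer, so write() won't block */
    if (write(pfd[1], input, strlen(input)) < 0) { close(pfd[0]); close(pfd[1]); return 0; }
    close(pfd[1]);                              /* EOF for the reader */
    ssize_t n = read_line_from_fd(pfd[0], buf, sizeof buf);
    close(pfd[0]);
    if (n < 0) return 0;
    return strcmp(TARGET, buf) == 0;
}

int main(int argc, char *argv[]) {
    const char *arg = argc > 1 ? argv[1] : "4660";   /* constructed sample argument */
    int fd = fd_from_arg(arg);
    printf("argv[1]=%s -> fd %d (%s)\n", arg, fd, fd_name(fd));
    printf("\"LETMEWIN\\n\" via pipe: %s\n", check_input(TARGET) ? "good job" : "no");
    printf("\"hello\\n\" via pipe:    %s\n", check_input("hello\n") ? "good job" : "no");
    return 0;
}
```

Running it with no argument shows that 4660 maps to descriptor 0, and that the check passes only when the exact line including the trailing newline arrives on the descriptor being read.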

Now it's time to run the exploit.

pawnable-fd-ctf-success

Nice. I hope you enjoyed it. See you again in another CTF.
