Pwnable fd CTF walkthrough

HacksLand | The computer science playground

Posted by Thilan Dissanayaka on Apr 27, 2020

In this document we are going to try a new CTF called file descriptor. It is from pwnable.kr. This is a simple CTF that runs in a Linux environment. We need some knowledge of Linux file descriptors and C programming. So let's start. Here is the starting description of the CTF.

[Image: pwnable fd CTF description]

At the top we can see the string "Mommy! what is a file descriptor in Linux?". It looks like a hint to get started with. The SSH address for the challenge is also given there.

So I used PuTTY to log in to the CTF via SSH. The password is given as "guest".

[Image: logged in to the fd CTF over SSH]

Let's look around to see what we can find. I used "ls" to see the files in the current directory.

$ ls
fd  fd.c  flag

So there is a flag in a file, but we don't have permission to read it. There is also a binary called fd and the source code of a C program. We can assume this is the source of that binary. Let's read it using the cat command.

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;

}

There is an interesting piece of code, as follows.

if(!strcmp("LETMEWIN\n", buf)){
    printf("good job :)\n");
    system("/bin/cat flag");
    exit(0);
}

After reading this part of the code, we can imagine that we need to fill the buf buffer with the string "LETMEWIN\n". When I see this, the first thing that comes to mind is a buffer overflow. But in this CTF we see a different game. We have to use file descriptors and streams to exploit the program. At the top of the program, "buf" is defined with length 32.

What about the following three lines of code?

int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);

In len = read(fd, buf, 32); we use the read function with three arguments. We have talked about this function in the C programming tutorials. Here is what the Linux man page says about the read function.

[Image: Linux man page for read]

We can read the definition of the read function here.

ssize_t read(int fd, void *buf, size_t count);

buf is a pointer to the buffer, count is the number of bytes to read and fd is the file descriptor number. Every file descriptor has its own unique number.

In Linux there are three standard file descriptors. They are standard input (stdin), standard output (stdout) and standard error (stderr). The fd number of stdin is zero, stdout is one and stderr's fd number is two. As we know, stdin is used to get input from the keyboard. So if we want to enter the "LETMEWIN\n" string, we should use the stdin file descriptor.

How can we control this file descriptor number in the above program? Think about int fd = atoi( argv[1] ) - 0x1234; Here the program uses our command line argument to compute the value of the fd integer variable. It subtracts 0x1234 (4660 in decimal) from our input and assigns the result to fd.

So what we want to do is give the value zero to the fd integer. Therefore our input should be 4660.
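The descriptor arithmetic and string check explained above, as an added example that is not part of the original post or the challenge's own code: it feeds the text through a pipe instead of the keyboard, which goes slightly beyond the stdin case to show that whatever descriptor the argument selects becomes the input source. The names arg_to_fd, check_fd and demo_pipe are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same arithmetic as fd.c: the descriptor number comes from argv[1]. */
int arg_to_fd(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Same read-and-compare as fd.c, but the buffer is local, always
 * NUL-terminated, and the read() result is checked.
 * Returns 1 on match, 0 on mismatch, -1 if read() fails (e.g. EBADF). */
int check_fd(int fd) {
    char buf[33] = {0};
    ssize_t len = read(fd, buf, 32);
    if (len < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Constructed demo (hypothetical helper): put `text` into a pipe, build the
 * argument string that maps to the pipe's read end, then run the check. */
int demo_pipe(const char *text) {
    int p[2];
    char arg[16];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], text, strlen(text)) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    snprintf(arg, sizeof(arg), "%d", p[0] + 0x1234);
    int result = check_fd(arg_to_fd(arg));
    close(p[0]);
    return result;
}

int main(void) {
    printf("\"4660\" -> fd %d (stdin)\n", arg_to_fd("4660"));
    printf("\"4661\" -> fd %d (stdout)\n", arg_to_fd("4661"));
    printf("pipe carrying LETMEWIN\\n: %d\n", demo_pipe("LETMEWIN\n"));
    printf("pipe carrying other text: %d\n", demo_pipe("hello\n"));
    printf("\"0\" -> fd %d, check: %d\n", arg_to_fd("0"), check_fd(arg_to_fd("0")));
    return 0;
}
```

A program that is meant to read from one specific source should use a fixed descriptor and check the return value of read(), rather than deriving the descriptor number from caller-supplied input.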

Now it's time to exploit the program.

[Image: fd CTF solved successfully]

Nice. I hope you enjoyed it. See you again on another CTF.

 

Hi, I'm Thilan. An engineering student from Sri Lanka. I love to code with Python, JavaScript, PHP and C.
