
Pwnable.kr Toddler’s Bottle writeup

fd

Username : fd
Password : guest
SSH : pwnable.kr:2222

Solution

To solve this level, we first ssh into the pwnable server using the credentials provided above. Let’s have a look at the executable for this level and its source code.


As the source shows, the executable expects a number to be passed to it. It then uses that number to calculate a file descriptor, fd, which is then used to open a file. If the content of the file referred to by fd contains ‘LETMEWIN’, the executable prints our flag.

To start off, let’s look at the Wikipedia page on file descriptors to understand what a file descriptor is and why it is needed. As we can see, the main purpose of a file descriptor is to provide us a channel for performing operations on a file. Each file descriptor performs a specific task (read/write) on a file.

Because the executable compares the content of the file referred to by fd with ‘LETMEWIN’, if we can create a file containing ‘LETMEWIN’ and know its file descriptor number, we can pass that number to the executable to capture our flag. The Wikipedia page also shows that the value 0 for a file descriptor is a pipe to standard input. Therefore, if we can change fd’s value to 0, we will be able to enter ‘LETMEWIN’ using standard input and capture the flag. To set the value of fd to 0, we need to pass 4660 (0x1234) to the executable, because the executable subtracts that amount from the number we pass.
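The descriptor arithmetic described above, as an added C sketch that is not the challenge's own source (this write-up shows that only as a screenshot). The function names, the 32-byte buffer, the newline handling and the pipe-based demo are assumptions made for illustration; only the 0x1234 offset and the ‘LETMEWIN’ string come from the text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 0x1234            /* 4660, the constant the write-up names */
#define TOKEN  "LETMEWIN"

/* The descriptor number is fully determined by the caller's argument. */
int fd_from_arg(const char *arg) {
    return atoi(arg) - OFFSET;
}

/* Read up to 31 bytes from fd and compare with TOKEN (trailing newline
 * ignored). Returns 1 on match, 0 on mismatch or read error (e.g. EBADF). */
int token_on_fd(int fd) {
    char buf[32] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n <= 0) return 0;
    buf[strcspn(buf, "\n")] = '\0';
    return strcmp(buf, TOKEN) == 0;
}

/* Constructed demo: put payload in a pipe, then pass "read end + OFFSET"
 * as the argument, the same way 4660 selects descriptor 0 (stdin). */
int demo_pipe(const char *payload) {
    int p[2];
    char arg[16];
    if (pipe(p) != 0) return -1;
    if (write(p[1], payload, strlen(payload)) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    snprintf(arg, sizeof arg, "%d", p[0] + OFFSET);
    int ok = token_on_fd(fd_from_arg(arg));
    close(p[0]);
    return ok;
}

int main(void) {
    printf("arg 4660 -> fd %d\n", fd_from_arg("4660"));
    printf("matching pipe: %d\n", demo_pipe("LETMEWIN\n"));
    printf("wrong content: %d\n", demo_pipe("HELLO\n"));
    printf("arg 0 (fd %d): %d\n", fd_from_arg("0"), token_on_fd(fd_from_arg("0")));
    return 0;
}
```

The last line of main shows the failure path: an argument that maps to a descriptor that is not open makes read fail, so the comparison never matches.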


Flag : mommy! I think I know what a file descriptor is!!
