Challenge #0: fd
"Mommy! what is a file descriptor in Linux?
* try to play the wargame yourself but if you are ABSOLUTE beginner, follow this tutorial link: https://www.youtube.com/watch?v=blAxTfcW9VU
ssh email@example.com -p2222 (pw:guest)"
Without further ado, let's continue!
When we ssh into the box, we are immediately presented with 3 files:
Following convention, we know the flag is the item of desire. (If you are new to CTFs or CTF-style hacking, obtaining the flag, which is usually a string of some sort, is the main goal.) If we attempt to cat the file, we get a permission denied error. If it were that easy, this really wouldn't be much of a challenge. So let's take a look at the permissions.
It appears that only root and fd_pwn have permission to read the flag. By running the $ groups command, we discover that we are only in the fd group. What I didn't notice at first is that the binary fd is owned by the user fd_pwn and the group fd. It ALSO has an "s" in its permission bits, which stands for SUID (set user ID on execution).
The reason this is important is that as soon as the program runs, it runs with the permissions of fd_pwn, a user that can read the flag file. Calling a function like system("/bin/cat flag") from inside that program will therefore let us read the flag. Very cool!
Okay, let's take a look at the other two files starting with fd.c.
Let's start with what we know first, and then learn about what we are confused about or simply don't know. We are importing 3 libraries, creating a 32-byte buffer, and main() accepts 2 arguments (though it looks like only one is used); a conditional compares two strings, and if they match we reach a system() call that reads the flag. If they don't match, it prints a nice hint. Sweet!
Now let's go over what we don't know/are not as familiar with. I know very little about the function call atoi(), and would like to know more about the read(), strcmp(), and system().
First up, the atoi() function. According to TutorialsPoint, it converts a string holding a number into an int. If the string is not a valid number, it returns 0.
The read() function does what its name implies: it reads from a file descriptor into a buffer. The function takes 3 arguments:
- The file descriptor of the file
- The buffer where the read data is to be stored
- The number of bytes to read from the file.
In our program, we have read(fd, buf, 32).
LESSON: Every process starts with 3 standard streams, each tied to a fixed file descriptor (fd) number.
- 0: Standard Input
- 1: Standard Output
- 2: Standard Error
To make read() take its input from the terminal (standard input), fd must equal 0.
Let's take a look back at our code.
In order to get the file descriptor (fd) set to 0, we must make the value of argv[1] (after atoi()) minus 0x1234 equal 0. We can convert 0x1234 from hex to decimal by using the following python command.
Let's see what happens when you use 4660 as argv.
It looks like the program is waiting for input! Perfect! Let's continue.
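As an added illustration (not the challenge's own fd.c, which is not reproduced here), the C below models the descriptor arithmetic the program performs next to a hardened version a defender would write instead: it parses the argument strictly, refuses the three standard streams, and accepts only an open regular file. The function names and the checks are my assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Model of the challenge's arithmetic (constructed, not fd.c itself):
 * read() uses atoi(argv[1]) - 0x1234, and atoi() yields 0 on junk, so
 * "4660" gives 0 (stdin) and "abc" gives -0x1234 (read() fails: EBADF). */
int descriptor_from_arg(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* Hardened variant (an assumed mitigation, not the challenge's code): parse
 * strictly, refuse fds 0/1/2 and anything not an open regular file; -1 if rejected. */
int checked_descriptor(const char *arg) {
    char *end; struct stat st;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno || end == arg || *end) return -1;          /* not a clean number */
    long fd = v - 0x1234;
    if (fd <= STDERR_FILENO || fd > INT_MAX) return -1;  /* no 0/1/2, no negatives */
    if (fstat((int)fd, &st) != 0) return -1;             /* not open in this process */
    if (!S_ISREG(st.st_mode)) return -1;                 /* no pipes, ttys, sockets */
    return (int)fd;
}

/* Self-check needing no terminal: a temporary regular file passes... */
int accepts_regular_file(void) {
    char arg[32];
    FILE *f = tmpfile();
    if (!f) return 0;
    snprintf(arg, sizeof arg, "%d", fileno(f) + 0x1234);
    int ok = checked_descriptor(arg) == fileno(f);
    fclose(f);
    return ok;
}

/* ...while a pipe, although open, is refused. */
int rejects_pipe(void) {
    char arg[32];
    int p[2];
    if (pipe(p) != 0) return 0;
    snprintf(arg, sizeof arg, "%d", p[0] + 0x1234);
    int ok = checked_descriptor(arg) == -1;
    close(p[0]); close(p[1]);
    return ok;
}
```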
Okay, next is strcmp(). After some more research, it appears that it compares two strings and returns a value depending on the result of the comparison. "strcmp returns 0 when the strings are equal, a negative integer when s1 is less than s2, or a positive integer if s1 is greater than s2, according to the lexicographical order." This is interesting. One attack vector would be to reverse engineer the binary, find the location where the comparison result is returned, and set that value to 0. Glad that we have 1 type of attack under our belt. Let's keep diving in.
The system() function runs a command on the system, given a string containing that command.
Now that we have all the functions down, let's try the string that's in our program, "LETMEWIN".
WE DID IT! We completed the challenge and learned more about file descriptors! Congrats!!