mistake
1
2
3
4
5
6
7
8
9
| We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)
This task is based on real event
Thanks to dhmonkey
hint : operator priority
ssh mistake@pwnable.kr -p2222 (pw:guest)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| #include <stdio.h>
#include <fcntl.h>
#define PW_LEN 10
#define XORKEY 1
void xor(char* s, int len){
int i;
for(i=0; i<len; i++){
s[i] ^= XORKEY;
}
}
int main(int argc, char* argv[]){
int fd;
if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
printf("can't open password %d\n", fd);
return 0;
}
printf("do not bruteforce...\n");
sleep(time(0)%20);
char pw_buf[PW_LEN+1];
int len;
if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
printf("read error\n");
close(fd);
return 0;
}
char pw_buf2[PW_LEN+1];
printf("input password : ");
scanf("%10s", pw_buf2);
// xor your input
xor(pw_buf2, 10);
if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
printf("Password OK\n");
system("/bin/cat flag\n");
}
else{
printf("Wrong Password\n");
}
close(fd);
return 0;
}
|
Solution
1
2
3
4
5
6
7
8
9
| open 함수는 파일을 정상적으로 열면 0 이상의 fd 값을 리턴해줌.
fd가 1이나 2라면 출력되거나 에러가 출력될텐데 그렇지 않음.
즉 fd 값은 0
따라서 pw_buf를 입력받는다는 얘기가 되고 pw_buf2 값은 입력 값을 xor해주기 때문에
pw_buf 값은 pw_buf2의 입력 값의 xor 해준 값을 입력해줘야 함.
a와 1를 xor 해주면 `이 됨.
|
mistake@pwnable:~$ ./mistake
do not bruteforce...
input password : aaaaaaaaaa Password OK Mommy, the operator priority always confuses me :( ```