Firstly I want to say that I highly recommend https://pwnable.kr/play.php to learn exploit development, the site is full of nice and easy to follow mini-challenges that you can conquer one by one. Best of all you simply ssh so no need to install VMs etc.
I wanted to do a run-through of level 1 for absolute beginners and also those keen to learn about file descriptors.
What are file descriptors?
In Unix and related computer operating systems, a file descriptor (FD, less frequently files) is an abstract indicator (handle) used to access a file or other input/output resource, such as a pipe or network socket.
That sounds complicated but it’s actually simple, and you use them all the time. Each descriptor has an integer value associated with it. The table below shows the name and the integer of the file descriptors.
We have all seen scripts do this 2>/dev/null - from the table above you can see it’s the error output and in this case it’s piped to dev/null to silence the errors — extremely useful on privilege escalation enumeration to keep your files clean of a lot of errors and junk, sometimes though they can be useful so don’t always silence errors.
For beginners this can seem daunting, let’s take it easy and go line by line.
Let’s try and run it and supply 0 to use standard input
As expected, it fails. This is due to the fact the program subtracts a value and uses the result as the file descriptor in integer.
To work this out, we can use python.
Ok, so it minuses 4660 from our supplied input. Let’s check to be sure and try and get 0.
We now know what we have to do to succeed:
- Supply 4660 to end up with 0, the standard input file descriptor
- Fill the standard input file descriptor buffer with the “LETMEWIN” string
We can execute this in one command.
Let’s test it.
And there we have it, by simply following the code line by line and doing the calculations as we go we were able to craft a solution very quickly. This is how I like to solve real world and CTF challenges. Sign up and see how you get on, they get much harder and more fun. Hit me up on Twitter when you do crack one and let’s celebrate that pwn together! ❤ @int0x33