07 - input


Last updated 4 years ago

The Challenge

Mom? how can I pass my input to a computer program?

ssh input2@pwnable.kr -p2222 (pw:guest)

The Solution

The binary checks its input through five independent channels (argv, stdin/stderr, the environment, a file in the working directory and a TCP connection) and only prints the flag once every check has passed, so it has to be launched under very specific conditions. The stages are taken in order.

1 - argv

To get through this stage the program must see exactly 99 arguments after its name (argc == 100). argv['A'] (index 65) must be the empty string and argv['B'] (index 66) must be the three bytes 0x20 0x0a 0x0d (space, LF, CR). Note that bash cannot store a NUL byte in a string, so $'\0' expands to an empty argument; that is exactly what a strcmp against "\x00" requires. Everything else is filler.

./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A

2 - stdio

The program then reads four bytes from fd 0 (stdin) and four more from fd 2 (stderr). A read on stderr only works if fd 2 is actually open for reading, so duplicate stdin onto it with 2<&0. Both descriptors then refer to the same pipe, and the eight bytes written by printf are consumed in order: the first four by read(0, ...), the next four by read(2, ...).

printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | ./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0

3 - env

This stage requires an environment variable whose name and value consist of non-printable bytes. bash's export refuses the assignment because the name is not a valid identifier, but env(1) passes the raw bytes straight through to execve, so we used env instead.

printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0

4 - file

To clear this stage the binary must be run from a directory containing a file named "\n" (a single LF byte) whose first four bytes are NUL. The home directory of input2 is not writable, so work from a directory you own (e.g. under /tmp) and start the binary by its full path. Because the final stage cats the flag by the relative name flag, also symlink the real flag into that directory; otherwise all five stages pass and nothing is printed.

Inside your writable directory:

printf '\x00\x00\x00\x00' > $'\n'
ln -s ~/flag flag
printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ~/input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0

5 - network

The binary binds to the TCP port given by argv['C'] (index 67) and waits for one connection. If the first four bytes received on that connection are \xde\xad\xbe\xef the stage is cleared and the flag is printed :) The box is shared, so if the chosen port is already taken the bind fails and the program exits; just pick another port.

The final one-liner (after the prerequisites of stage 4, run from that same directory). The background subshell sleeps one second to give the binary time to get through stages 1-4 and start listening, then sends the four bytes with nc; the foreground command launches the binary with everything from the previous stages plus argv[67] set to 55555:

(sleep 1 && printf '\xde\xad\xbe\xef' | nc localhost 55555 &); printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ~/input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' 55555 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0
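The same five stages driven from Python instead of the shell, as an added example that is not part of the original writeup. It goes one step beyond the 2<&0 trick: the child's fd 2 is handed the read end of a separate pipe, so the two reads are not coupled to the byte order of a single pipe, and argv and the environment are passed as raw bytes, so no shell quoting is involved. The binary and flag paths (~/input, ~/flag), the working directory /tmp/input_solve and the port 55555 are assumptions, as is the presence of python3 on the box.

```python
#!/usr/bin/env python3
"""Drive pwnable.kr 'input' from Python, controlling each of the five
channels (argv, fd 0 / fd 2, environment, file, TCP) independently.
Added example, not the writeup's one-liner. BINARY, FLAG, the working
directory and the port below are assumed values."""
import os
import socket
import subprocess
import time

# Expected values, taken from the checks the challenge performs.
STDIN_BYTES = b"\x00\x0a\x00\xff"     # read(0, buf, 4)
STDERR_BYTES = b"\x00\x0a\x02\xff"    # read(2, buf, 4)
ENV_NAME, ENV_VALUE = b"\xde\xad\xbe\xef", b"\xca\xfe\xba\xbe"
FILE_NAME, FILE_BYTES = "\n", b"\x00\x00\x00\x00"
NET_BYTES = b"\xde\xad\xbe\xef"


def build_argv(binary, port):
    """argc must be 100. argv['A'] (65) is the empty string, argv['B'] (66)
    the bytes 0x20 0x0a 0x0d, argv['C'] (67) the listening port; the rest
    is filler. Bytes throughout so no locale encoding gets in the way."""
    argv = [binary] + [b"A"] * 99
    argv[ord("A")] = b""
    argv[ord("B")] = b"\x20\x0a\x0d"
    argv[ord("C")] = str(port).encode()
    return argv


def build_env():
    """A variable whose name is raw bytes: bash's export refuses it, but
    execve does not care, so it is passed straight to the child."""
    return {ENV_NAME: ENV_VALUE}


def prepare_workdir(workdir, flag_path):
    """Stage 4 file (named LF, four NUL bytes) plus a 'flag' symlink so the
    final cat, which runs relative to the working directory, finds it."""
    os.makedirs(workdir, exist_ok=True)
    with open(os.path.join(workdir, FILE_NAME), "wb") as f:
        f.write(FILE_BYTES)
    link = os.path.join(workdir, "flag")
    if not os.path.islink(link):
        os.symlink(flag_path, link)


def solve(binary, flag_path, workdir, port):
    """Run all five stages and return the binary's stdout (flag included)."""
    prepare_workdir(workdir, flag_path)
    # fd 2 in the child must be *readable*, so give it the read end of a
    # pipe we own; subprocess's stderr=PIPE would hand it a write end.
    err_r, err_w = os.pipe()
    p = subprocess.Popen(build_argv(binary.encode(), port),
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=err_r, env=build_env(), cwd=workdir)
    os.close(err_r)                      # the child holds its copy as fd 2
    p.stdin.write(STDIN_BYTES)
    p.stdin.flush()
    os.write(err_w, STDERR_BYTES)
    os.close(err_w)
    # Stage 5: the binary only listens after stages 1-4 passed, so retry the
    # connect until it is bound, or stop if the process already gave up.
    for _ in range(50):
        if p.poll() is not None:
            break
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1) as s:
                s.sendall(NET_BYTES)
            break
        except OSError:
            time.sleep(0.1)
    out, _ = p.communicate(timeout=10)
    return out


if __name__ == "__main__":
    BINARY = os.path.expanduser("~/input")   # assumed path on the box
    FLAG = os.path.expanduser("~/flag")      # assumed path on the box
    print(solve(BINARY, FLAG, "/tmp/input_solve", 55555).decode(errors="replace"))
```

The connect loop matters more than the one-second sleep in the shell version: if the port is already in use the bind fails and the process exits, and p.poll() stops the loop instead of hammering a dead port.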