# 07 - input

## The Challenge

Mom? how can I pass my input to a computer program?

ssh <input2@pwnable.kr> -p2222 (pw:guest)

## The Solution

To solve this one we need to run the binary under very specific circumstances, divided into five categories.

### 1 - argv

![](/files/-MH1aXb3nQEjt5z91utg)

To get through this stage we need to provide **input** with 99 arguments. The arguments indexed **A** \[65] and **B** \[66] need to equal to the values specified above.

```
./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
```

### 2 - stdio

![](/files/-MH6BUTaTjmymtwbZCa4)

The program reads four bytes from **stdin** and the four bytes from **stderr**. To make stderr read data, bind it to stdin with 2<&0 and send the buffer.

```
printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | ./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0
```

### 3 - env

![](/files/-MH6D-uZ_ygVdTzfEsYw)

This section requires us to set an environment variable with unreadble name and value. **Export** does not support this, so we used **env** instead.

```
printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0
```

### 4- file

![](/files/-MH6GWGA3OID3oncz6CM)

To clear this stage we need to execute the binary from a directory that contains a file named **\n** that contains four bytes of **\0**. Also, we need to create a symlink to the flag, so once we clear all the stages the flag will be printed.

Inside your  writable directory:

```
printf '\x00\x00\x00\x00' > $'\n'
ln -s ~/flag flag
printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ~/input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0
```

### 5 - network

![](/files/-MH6lMoMWeTaUnYWfCPJ)

The binary will wait for connection on the port specified on the argument indexed **C** \[67]. If the data sent to the connection equals to **0xdeadbeef** we will pass the stage and recieve the flag :)

The final one-liner \[after the prerequisites of stage 4]:

```
(sleep 1 && printf '\xde\xad\xbe\xef' | nc localhost 55555 &); printf '\x00\x0a\x00\xff\x00\x0a\x02\xff' | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ~/input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' 55555 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 2<&0
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://nickbhe.gitbook.io/shikata-ga-nai/pwnable.kr/07-input.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.