Pwnable

Published Oct 7, 2024 · 5 min read

Pwnable.kr: fd Solution

Starting a new journey of solving CTF puzzles. This will hopefully be the first of many. I am going to start with the pwnable.kr series.

Beginning with the puzzle, the hint we are given is:

Mommy! what is a file descriptor in Linux?

ssh fd@pwnable.kr -p2222 (pw:guest)

File Descriptor (fd):

If you have ever worked with C, Linux and pipes you already know this. For everyone else: a file descriptor is a small non-negative integer that the kernel hands to a process for every open I/O resource (a regular file, a pipe, a socket, a terminal) and that the process passes back to read(), write() and close() to say which resource it means. Every process starts with three of them: 0 is standard input, 1 is standard output and 2 is standard error. Each successful open() returns the lowest number not yet in use, so the first file a program opens usually becomes 3. The descriptor table belongs to the process, which is why a number that was never opened in it (or a negative one) is rejected by the kernel with EBADF instead of being mapped to anything.

Walkthrough:

Let's start with the SSH credentials provided to us and log in to the server. Upon logging in we are greeted by this:

ssh fd@pwnable.kr -p2222
fd@pwnable.kr's password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : daehee87@khu.ac.kr
- irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
You have mail.
Last login: Sun Oct  6 06:50:32 2024 from <redacted>
fd@pwnable:~$

Now we start searching for the flag. Typing ls into the terminal gives us this:

fd@pwnable:~$ ls
fd  fd.c  flag
fd@pwnable:~$

We can't read the flag directly, though. ls -la shows that flag is owned by fd_pwn with mode -r--r----- (readable only by its owner and by group root), and we are logged in as fd, who is neither:

fd@pwnable:~$ ls -la
total 40
drwxr-x---   5 root   fd   4096 Aug 31 16:09 .
drwxr-xr-x 116 root   root 4096 Oct 30  2023 ..
d---------   2 root   root 4096 Jun 12  2014 .bash_history
-r-sr-x---   1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r--   1 root   root  418 Jun 11  2014 fd.c
-r--r-----   1 fd_pwn root   50 Jun 11  2014 flag
-rw-------   1 root   root  128 Oct 26  2016 .gdb_history
dr-xr-xr-x   2 root   root 4096 Dec 19  2016 .irssi
drwxr-xr-x   2 root   root 4096 Oct 23  2016 .pwntools-cache
fd@pwnable:~$

Look closely at the fd binary, however. Its mode is -r-sr-x--- and its owner is fd_pwn. The s in the owner's execute slot is the setuid bit: whenever a member of group fd runs it, the process runs with fd_pwn's effective user ID, which is allowed to read flag. The file command confirms that it is an executable and that it is setuid:

fd@pwnable:~$ file fd
fd: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=c5ecc1690866b3bb085d59e87aad26a1e386aaeb, not stripped
fd@pwnable:~$

fd.c, judging by its extension, is the source code of that binary. Let's read it.

fd@pwnable:~$ cat fd.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;

}

fd@pwnable:~$

Reading the source code we can infer the following about the fd binary:

  • It needs exactly one argument; with fewer, if(argc<2) { … return 0;} prints a usage message and exits.

  • It prints the flag by running system("/bin/cat flag"). Because the binary is setuid fd_pwn, that cat inherits fd_pwn's effective UID and is allowed to read the file we cannot. Note the relative path: flag is looked up in the current directory, so the program has to be run from the home directory.

  • That branch is taken only if the 32-byte global buf, after a single read() call, compares equal to "LETMEWIN\n" (the trailing newline is part of the expected string). The return value of read() stored in len is never checked; if the read fails, buf simply stays zero-filled and the comparison fails.

  • The file descriptor it reads from is computed from our argument: atoi( argv[1] ) - 0x1234.

Taking all of this into account, the only thing we control is argv[1]. But how do we get LETMEWIN\n into buf? The program reads it from a file descriptor, and there is no file in this directory we are allowed to write to. Do we even need a file?

If you have used file descriptors for piping you know about the three every process is born with: 0 is standard input, 1 is standard output and 2 is standard error. A read() on descriptor 0 returns whatever is attached to the process's stdin, which in an interactive session is our terminal (scanf and fgets(stdin) read from exactly the same place). So if we can make fd equal to 0, the program will read the key straight from our keyboard, or from anything we pipe into it.

Since fd is calculated as atoi( argv[1] ) - 0x1234, we need the argument to equal 0x1234. atoi converts a decimal string to an int, and 0x1234 is the hexadecimal representation of 4660. Passing 4660 therefore yields fd = 0. Any other value gives a descriptor that is either negative or not open in the process; read() then fails with EBADF, buf stays empty and the program prints "learn about Linux file IO".
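To make the two points above concrete (what a descriptor is, and how fd.c turns argv[1] into one), here is an added C example that models the read()/strcmp() path of fd.c in-process and feeds it through descriptor 0 via a pipe, the same way a terminal or `echo LETMEWIN | ./fd 4660` would. It is not the challenge's own code: the function names challenge_fd, check_key and solve_with_stdin are this example's, and the inputs are constructed here.

```c
/* Added example, not part of fd.c: reproduces the descriptor arithmetic and the
 * read()+strcmp() check so their behaviour can be observed on any Linux box.
 * challenge_fd, check_key and solve_with_stdin are names chosen for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAGIC 0x1234            /* the constant fd.c subtracts; 0x1234 == 4660 */

/* Same arithmetic fd.c applies to argv[1]: atoi(), then subtract 0x1234. */
int challenge_fd(const char *arg) {
    return atoi(arg) - MAGIC;
}

/* Mirrors fd.c's read()+strcmp().
 * Returns  1 if buf holds "LETMEWIN\n" (fd.c would cat the flag),
 *          0 if read() succeeded but the key is wrong,
 *         -1 if read() itself failed; *err then receives errno
 *            (EBADF for a negative or never-opened descriptor). */
int check_key(int fd, int *err) {
    char buf[32];
    memset(buf, 0, sizeof buf);              /* fd.c's buf is a zeroed global */
    /* fd.c reads the full 32 bytes and relies on the zeroed global for the
     * terminating NUL; reading one byte less keeps strcmp() in bounds here. */
    ssize_t len = read(fd, buf, sizeof buf - 1);
    if (len < 0) {
        if (err) *err = errno;
        return -1;
    }
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Attaches `input` to descriptor 0 through a pipe (what the terminal or a shell
 * pipeline does for ./fd), runs the check with the descriptor derived from
 * `arg`, then restores the caller's stdin. */
int solve_with_stdin(const char *arg, const char *input, int *err) {
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    ssize_t n = (ssize_t)strlen(input);
    if (write(pfd[1], input, (size_t)n) != n) {
        close(pfd[0]); close(pfd[1]);
        return -1;
    }
    close(pfd[1]);                           /* writer done; reader gets data then EOF */

    int saved_stdin = dup(STDIN_FILENO);
    dup2(pfd[0], STDIN_FILENO);              /* descriptor 0 now refers to the pipe */
    close(pfd[0]);

    int result = check_key(challenge_fd(arg), err);

    dup2(saved_stdin, STDIN_FILENO);         /* put the real stdin back */
    close(saved_stdin);
    return result;
}

int main(void) {
    int err = 0;
    /* 4660 - 0x1234 == 0: read() consumes our stdin and the key matches. */
    printf("4660, LETMEWIN: %d\n", solve_with_stdin("4660", "LETMEWIN\n", &err));
    /* Right descriptor, wrong key: read() works, strcmp() fails. */
    printf("4660, LETMEIN:  %d\n", solve_with_stdin("4660", "LETMEIN\n", &err));
    /* 9999 - 0x1234 == 5339: no such open descriptor, read() fails with EBADF,
     * buf stays zeroed and fd.c would print "learn about Linux file IO". */
    int r = solve_with_stdin("9999", "LETMEWIN\n", &err);
    printf("9999: %d (errno %d, EBADF is %d)\n", r, err, EBADF);
    /* "0" gives a negative descriptor: also EBADF. */
    r = solve_with_stdin("0", "LETMEWIN\n", &err);
    printf("0: %d (errno %d)\n", r, err);
    return 0;
}
```

The third and fourth cases are the ones worth remembering: the kernel never maps an unopened or negative number onto anything, so every argument other than 4660 (or a value that happens to land on another descriptor the process already has open) fails at read() before the string comparison is ever reached.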

fd@pwnable:~$ ./fd 4660

Tadaa! The program is now blocked in read() waiting for our input. Type LETMEWIN and press Enter; the newline is part of the expected string, so the comparison succeeds and cat prints the flag:

fd@pwnable:~$ ./fd 4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is

The last line is our flag, and the puzzle is solved.

© 2024 Rohan Goyal