After feeling a strong need to improve my knowledge of the pwnable category, I decided to check out pwnable.kr and start from the beginning.
Here comes the Toddler’s Bottle and the first challenge - fd.
In order to view the challenge, we have to connect via ssh with password guest.
In this directory we have the challenge files - the source code and the binary. First, let’s view the source to understand what’s going on.
Reading it, we see that atoi(argv[1]) first converts the command-line argument into an integer, and then 0x1234 is subtracted from it. Converted to decimal, 0x1234 is 4660.
After that, read(fd, buf, 32) is called. Its first argument, fd, is the file descriptor to read from; buf is the character array where the data read is stored; and 32 is the maximum number of bytes read will return, so anything beyond that is left unread. The last step compares the content of buf with the string LETMEWIN\n (the trailing newline is part of the string, so the comparison only succeeds if it is present).
How can we enter this string to make the condition true? First, a file descriptor is simply an integer used to access a file or an I/O resource. Read more at Wikipedia
Each Unix process starts with three standard POSIX file descriptors: 0 is stdin, 1 is stdout and 2 is stderr. In our attack we are going to use stdin, since it lets us enter characters from the keyboard.
To make fd equal to 0, we make atoi(argv[1]) equal to 4660. The subtraction then yields 0, and read will read the characters we type.
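To see the whole chain end to end, here is an added example (my own reconstruction for this writeup, not the challenge’s source or binary) that mirrors the arithmetic and the read/compare logic, then simulates the attack by feeding a payload through a pipe redirected onto fd 0. The function names fd_from_arg, check_fd and simulate, the MAGIC constant and the payloads are all assumptions made for the example; the only facts taken from the challenge are the 0x1234 offset, the 32-byte read and the LETMEWIN\n string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAGIC 0x1234 /* the constant subtracted from the argument, 4660 in decimal */

/* Mirror of the challenge arithmetic: the attacker-controlled argument minus 0x1234.
 * "4660" yields 0 (stdin); "4661" would yield 1; "0" yields a negative, invalid fd. */
int fd_from_arg(const char *arg) {
    return atoi(arg) - MAGIC;
}

/* Reads up to 32 bytes from fd and checks the challenge condition.
 * Returns 1 on "LETMEWIN\n", 0 on any other input, -1 if read() itself fails
 * (for example because fd is not an open descriptor). The real challenge reads
 * 32 bytes into a 32-byte buffer; here one byte is reserved for the terminator. */
int check_fd(int fd) {
    char buf[32] = {0};
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Simulates the attack: the payload is what we would type on the keyboard.
 * It is written into a pipe whose read end is placed on fd 0, then check_fd
 * is run with the fd computed from the argument, exactly as the challenge does.
 * (Constructed harness for the example, not part of the challenge.) */
int simulate(const char *arg, const char *payload) {
    int fd = fd_from_arg(arg);
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    if (write(pipefd[1], payload, strlen(payload)) < 0)
        return -1;
    close(pipefd[1]);

    int saved_stdin = dup(0);
    dup2(pipefd[0], 0);   /* fd 0 now delivers our payload */
    close(pipefd[0]);

    int result = check_fd(fd);

    dup2(saved_stdin, 0); /* restore the original stdin */
    close(saved_stdin);
    return result;
}

int main(void) {
    printf("4660 + \"LETMEWIN\\n\" -> %d (expect 1)\n", simulate("4660", "LETMEWIN\n"));
    printf("4660 + \"LETMEWIN\"   -> %d (expect 0, newline missing)\n", simulate("4660", "LETMEWIN"));
    printf("1234 + \"LETMEWIN\\n\" -> %d (expect -1, invalid fd)\n", simulate("1234", "LETMEWIN\n"));
    return 0;
}
```

Against the real binary this corresponds to running it with the argument 4660 and typing LETMEWIN followed by Enter; the Enter key is what supplies the \n that strcmp expects, which is why the second case above fails. The third case shows what happens with the wrong argument: the subtraction produces a descriptor that is not open, read() fails, and buf stays empty.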