Pwnable.kr - mistake

December 28, 2017

Today we’re going to learn a lot about operator priority, and why some of mistakes made in this topic can be so devastating. Great example of that will be a challenge from pwnable.kr called mistake.

We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)

This task is based on real event
Thanks to dhmonkey

hint : operator priority

After connecting to ssh server, we can see two files waiting for us, compiled binary and source code.

main:~ > ssh [email protected] -p2222
[email protected] password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : [email protected]
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Thu Dec 28 05:48:19 2017 from 93.234.107.184
[email protected]:~$ ls -la
total 44
drwxr-x---  5 root        mistake 4096 Oct 23  2016 .
drwxr-xr-x 87 root        root    4096 Dec 27 23:17 ..
d---------  2 root        root    4096 Jul 29  2014 .bash_history
-r--------  1 mistake_pwn root      51 Jul 29  2014 flag
dr-xr-xr-x  2 root        root    4096 Aug 20  2014 .irssi
-r-sr-x---  1 mistake_pwn mistake 8934 Aug  1  2014 mistake
-rw-r--r--  1 root        root     792 Aug  1  2014 mistake.c
-r--------  1 mistake_pwn root      10 Jul 29  2014 password
drwxr-xr-x  2 root        root    4096 Oct 23  2016 .pwntools-cache

Let’s take a look at the code firstly.

#include <stdio.h>
#include <fcntl.h>

#define PW_LEN 10
#define XORKEY 1

void xor(char* s, int len){
	int i;
	for(i=0; i<len; i++){
		s[i] ^= XORKEY;
	}
}

int main(int argc, char* argv[]){

	int fd;
	if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
		printf("can't open password %d\n", fd);
		return 0;
	}

	printf("do not bruteforce...\n");
	sleep(time(0)%20);

	char pw_buf[PW_LEN+1];
	int len;
	if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
		printf("read error\n");
		close(fd);
		return 0;		
	}

	char pw_buf2[PW_LEN+1];
	printf("input password : ");
	scanf("%10s", pw_buf2);

	// xor your input
	xor(pw_buf2, 10);

	if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
		printf("Password OK\n");
		system("/bin/cat flag\n");
	}
	else{
		printf("Wrong Password\n");
	}

	close(fd);
	return 0;
}
endhigh

Let’s study the code to find out where the mistakes are. We can clearly see the first bug in the if statement.

if(fd=open(...) < 0){

As the hint suggested, there’s a mistake in operator priority. We know that comparision operator < is given higher priority than assignment operator =. Using parenthis this piece of code will look just like this.

if(fd=(open(...) < 0)){

And as we know, that open will return a non-negative integer representing the lowest numbered unused file descriptor, comparision will always fail and return 0. Then 0 is assigned to the fd variable. In addition, from the previous challenges, we know that file descriptor with value 0 is reserved for stdin.

if(!(len=read(fd,pw_buf,PW_LEN) > 0)){

In this line, as fd=0, program will copy the input from stdin to the pw_buf. After that every character from the second input pw_buf2 will be xored with 1, and lastly password will be compared in this line.

if(!strncmp(pw_buf, pw_buf2, PW_LEN)){

So if we find out combination where first character xored with the 1 will result in the second, we will be able to bypass the password check. I picked 1 and 0, as theire respective values in ASCII are 60* and 61.

>>> 61 ^ 1
60
>>> 60 ^ 1
61

Now we’re ready to pass these numbers into the program.

[email protected]:~$ ./mistake
do not bruteforce...
1111111111
input password : 0000000000
Password OK
Mommy, the operator priority always confuses me :(

Contact

If you have any suggestions regarding this post or just want to chat together check out these ways to reach out to me.