#pwnable.kr

Toddler's Bottle Part 1

File Descriptor

Using ls -la, you'll notice that the SUID bit is set for the fd executable. Checking the code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>   /* declares read() */

    char buf[32];

    int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
            printf("pass argv[1] a number\n");
            return 0;
        }
        /* the descriptor is derived from the first argument */
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        /* read up to 32 bytes from that descriptor into buf */
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
            printf("good job :)\n");
            system("/bin/cat flag");
            exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;
    }

Two important function calls inside the code are atoi() which initializes the fd. ...

#Other

Some CTF qualifier somewhere

The "Interesting" input

This binary asked for some input to generate the flag. A sym.check function shines in main:

This function has 3 important parts:

1. A check for the length of the password, which should be at least 0x13 or 19 characters, as shown in the figure with number 1.
2. The first four letters, indicated by 2 in the figure, implying a password starting with aqua.
3. A for loop, indicated by 3 in the figure, which is almost the most challenging (still trivial) part. ...