- mistake

1 minute read

Challenge description:

We all make mistakes, let’s move on. (don’t take this too seriously, no fancy hacking skill is required at all)

This task is based on real event Thanks to dhmonkey

hint : operator priority

#include <stdio.h>
#include <fcntl.h>

#define PW_LEN 10
#define XORKEY 1

void xor(char* s, int len){
	int i;
	for(i=0; i<len; i++){
		s[i] ^= XORKEY;

int main(int argc, char* argv[]){
	int fd;
	if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
		printf("can't open password %d\n", fd);
		return 0;

	printf("do not bruteforce...\n");

	char pw_buf[PW_LEN+1];
	int len;
	if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
		printf("read error\n");
		return 0;		

	char pw_buf2[PW_LEN+1];
	printf("input password : ");
	scanf("%10s", pw_buf2);

	// xor your input
	xor(pw_buf2, 10);

	if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
		printf("Password OK\n");
		system("/bin/cat flag\n");
		printf("Wrong Password\n");

	return 0;

This challenge requires some observation. first it opens /home/mistake/password then it reads from it (supposedly) and stores the value in pw_buf.

Next it reads 10 characters into pw_buf2, XORes it with 0x1 and compares it with pw_buf.

If we run the binary, we see something strange:

$ ./mistake 
do not bruteforce...
input password : my_input_2
Wrong Password

As you can see, it asks for input twice, hmmmm.

The mistake here is in this line (operator priority as the hint says):

if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0)

It assigns the value of the expression open("/home/mistake/password",O_RDONLY,0400) < 0 to fd, this expression is either true (1) or false (0), in this case the file opens with no errors and the result is fd = 0 which is stdin, oppps!.

So we have the ability to control pw_buf, then XOR it with 0x1 and enter this value to pw_buf2 and finally get the flag.

By the way, the fix to this mistake is by adding parenthesis like this (fd = ...) < 0.


mistake@pwnable:~$ ./mistake 
do not bruteforce...
input password : @@@@@@@@@@
Password OK
Mommy, the operator priority always confuses me :(

Flag: Mommy, the operator priority always confuses me :(