Pwnable.kr - mistake


Challenge description:

We all make mistakes, let’s move on. (don’t take this too seriously, no fancy hacking skill is required at all)

This task is based on a real event. Thanks to dhmonkey.

hint: operator priority

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* read, close, sleep */
#include <string.h>   /* strncmp */
#include <stdlib.h>   /* system */
#include <time.h>     /* time */

#define PW_LEN 10
#define XORKEY 1

void xor(char* s, int len){
	int i;
	for(i=0; i<len; i++){
		s[i] ^= XORKEY;
	}
}

int main(int argc, char* argv[]){

	int fd;
	// '<' binds tighter than '=': fd gets the result of the comparison (0 or 1)
	if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
		printf("can't open password %d\n", fd);
		return 0;
	}

	printf("do not bruteforce...\n");
	sleep(time(0)%20);

	char pw_buf[PW_LEN+1];
	int len;
	// same precedence mistake: len becomes 1, not the number of bytes read
	if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
		printf("read error\n");
		close(fd);
		return 0;
	}

	char pw_buf2[PW_LEN+1];
	printf("input password : ");
	scanf("%10s", pw_buf2);

	// xor your input
	xor(pw_buf2, 10);

	if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
		printf("Password OK\n");
		system("/bin/cat flag\n");
	}
	else{
		printf("Wrong Password\n");
	}

	close(fd);
	return 0;
}
```

This challenge requires some observation. First it opens /home/mistake/password, then it (supposedly) reads from it and stores the value in pw_buf.

Next it reads 10 characters into pw_buf2, XORs them with 0x1 and compares the result with pw_buf.

If we run the binary, we see something strange:

```
$ ./mistake
do not bruteforce...
my_input1
input password : my_input_2
Wrong Password
```

As you can see, it asks for input twice. Hmmmm.

The mistake here is in this line (operator priority as the hint says):

```c
if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0)
```

Because `<` has higher precedence than `=`, it assigns the value of the expression `open("/home/mistake/password",O_RDONLY,0400) < 0` to fd. That expression is either true (1) or false (0); here the file opens without errors, so the result is fd = 0, which is stdin. Oops!

So the first thing the program "reads from the password file" is actually our own input, which means we control pw_buf. We then enter that same value XORed with 0x1 as the second input (pw_buf2), the XOR in the program turns it back into pw_buf, and the comparison succeeds, so we get the flag.

By the way, the fix for this mistake is to add parentheses, like this: `(fd = ...) < 0`.
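The buggy and the fixed form side by side, as an added example written for this writeup (it is not the challenge source). It opens `/dev/null` instead of the password file, shows that the `read()` line has the same precedence mistake, and reproduces the XOR check against the bytes the program actually compares:

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_LEN 10
#define XORKEY 1

/* Buggy form from the challenge: '<' binds tighter than '=', so fd receives
 * the result of the comparison (0 or 1) instead of the descriptor. */
int open_buggy(const char *path) {
    int fd;
    if (fd = open(path, O_RDONLY, 0400) < 0) {
        return -1;
    }
    return fd;  /* 0 (stdin) whenever open() succeeded */
}

/* Fixed form: the parentheses make the assignment happen before the compare. */
int open_fixed(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY, 0400)) < 0) {
        return -1;
    }
    return fd;  /* the real descriptor, 3 or higher in a fresh process */
}

/* The read() line has the same mistake: len is 1 on success, not a byte count. */
int read_len_buggy(int fd, char *buf, int n) {
    int len;
    if (!(len = read(fd, buf, n) > 0)) return -1;
    return len;
}

/* What the program really compares: the stored bytes against input ^ XORKEY.
 * Returns 1 when they match, 0 otherwise. */
int password_matches(const char *stored, const char *input) {
    char tmp[PW_LEN + 1];
    memcpy(tmp, input, PW_LEN);
    tmp[PW_LEN] = '\0';
    for (int i = 0; i < PW_LEN; i++) tmp[i] ^= XORKEY;
    return strncmp(stored, tmp, PW_LEN) == 0;
}

int main(void) {
    printf("buggy fd=%d, fixed fd=%d\n", open_buggy("/dev/null"), open_fixed("/dev/null"));
    /* 'A' is 0x41 and '@' is 0x40, so "@@@@@@@@@@" ^ 1 == "AAAAAAAAAA" */
    printf("match=%d\n", password_matches("AAAAAAAAAA", "@@@@@@@@@@"));
    return 0;
}
```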

Solution:

```
mistake@pwnable:~$ ./mistake
do not bruteforce...
AAAAAAAAAA
input password : @@@@@@@@@@
Password OK
Mommy, the operator priority always confuses me :(
```

Flag: Mommy, the operator priority always confuses me :(