pwnable.kr-blukat
题目:ssh blukat@pwnable.kr -p2222 (pw: guest)
首先
看到
1
2
3
4
5
6
7
8
| total 36
drwxr-x--- 4 root blukat 4096 Aug 16 2018 .
drwxr-xr-x 116 root root 4096 Apr 17 14:10 ..
-r-xr-sr-x 1 root blukat_pwn 9144 Aug 8 2018 blukat
-rw-r--r-- 1 root root 645 Aug 8 2018 blukat.c
dr-xr-xr-x 2 root root 4096 Aug 16 2018 .irssi
-rw-r----- 1 root blukat_pwn 33 Jan 6 2017 password
drwxr-xr-x 2 root root 4096 Aug 16 2018 .pwntools-cache
|
然后
看到代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| #include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
char flag[100];
char password[100];
char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
void calc_flag(char* s){
int i;
for(i=0; i<strlen(s); i++){
flag[i] = s[i] ^ key[i];
}
printf("%s\n", flag);
}
int main(){
FILE* fp = fopen("/home/blukat/password", "r");
fgets(password, 100, fp);
char buf[100];
printf("guess the password!\n");
fgets(buf, 128, stdin);
if(!strcmp(password, buf)){
printf("congrats! here is your flag: ");
calc_flag(password);
}
else{
printf("wrong guess!\n");
exit(0);
}
return 0;
}
|
其中password似乎不能打开:
1
2
| blukat@pwnable:~$ cat password
cat: password: Permission denied
|
…
…
(接下去就看了writeup)
原来给的提示(if this challenge is hard, you are a skilled player.)是这个意思…
最后:
1
2
| blukat@pwnable:~$ ./blukat
cat: password: Permission denied
|
就可以得到flag了
看其他的writeup涉及到了“id”命令:
1
2
| blukat@pwnable:~$ id
uid=1104(blukat) gid=1104(blukat) groups=1104(blukat),1105(blukat_pwn)
|
查了点资料可能这就是找到password的思路…吧
这个writeup最后还给了一个命令:“strace ./blukat",不过敲出来之后没看懂…
