{"id":3250,"date":"2025-04-06T08:35:22","date_gmt":"2025-04-05T23:35:22","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3250"},"modified":"2025-04-06T08:38:10","modified_gmt":"2025-04-05T23:38:10","slug":"input2","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3250","title":{"rendered":"input2"},"content":{"rendered":"\n

Description<\/h1>\n\n\n\n
Mom? how can I pass my input to a computer program?\n\nssh input2@pwnable.kr -p2222 (pw:guest)<\/pre>\n\n\n\n
Source Code<\/h1>\n\n\n\n
#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys\/socket.h>\n#include <arpa\/inet.h>\n\nint main(int argc, char* argv[], char* envp[]){\n\tprintf(\"Welcome to pwnable.kr\\n\");\n\tprintf(\"Let's see if you know how to give input to program\\n\");\n\tprintf(\"Just give me correct inputs then you will get the flag :)\\n\");\n\n\t\/\/ argv\n\tif(argc != 100) return 0;\n\tif(strcmp(argv['A'],\"\\x00\")) return 0;\n\tif(strcmp(argv['B'],\"\\x20\\x0a\\x0d\")) return 0;\n\tprintf(\"Stage 1 clear!\\n\");\t\n\n\t\/\/ stdio\n\tchar buf[4];\n\tread(0, buf, 4);\n\tif(memcmp(buf, \"\\x00\\x0a\\x00\\xff\", 4)) return 0;\n\tread(2, buf, 4);\n        if(memcmp(buf, \"\\x00\\x0a\\x02\\xff\", 4)) return 0;\n\tprintf(\"Stage 2 clear!\\n\");\n\t\n\t\/\/ env\n\tif(strcmp(\"\\xca\\xfe\\xba\\xbe\", getenv(\"\\xde\\xad\\xbe\\xef\"))) return 0;\n\tprintf(\"Stage 3 clear!\\n\");\n\n\t\/\/ file\n\tFILE* fp = fopen(\"\\x0a\", \"r\");\n\tif(!fp) return 0;\n\tif( fread(buf, 4, 1, fp)!=1 ) return 0;\n\tif( memcmp(buf, \"\\x00\\x00\\x00\\x00\", 4) ) return 0;\n\tfclose(fp);\n\tprintf(\"Stage 4 clear!\\n\");\t\n\n\t\/\/ network\n\tint sd, cd;\n\tstruct sockaddr_in saddr, caddr;\n\tsd = socket(AF_INET, SOCK_STREAM, 0);\n\tif(sd == -1){\n\t\tprintf(\"socket error, tell admin\\n\");\n\t\treturn 0;\n\t}\n\tsaddr.sin_family = AF_INET;\n\tsaddr.sin_addr.s_addr = INADDR_ANY;\n\tsaddr.sin_port = htons( atoi(argv['C']) );\n\tif(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){\n\t\tprintf(\"bind error, use another port\\n\");\n    \t\treturn 1;\n\t}\n\tlisten(sd, 1);\n\tint c = sizeof(struct sockaddr_in);\n\tcd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);\n\tif(cd < 0){\n\t\tprintf(\"accept error, tell admin\\n\");\n\t\treturn 0;\n\t}\n\tif( recv(cd, buf, 4, 0) != 4 ) return 0;\n\tif(memcmp(buf, \"\\xde\\xad\\xbe\\xef\", 4)) return 0;\n\tprintf(\"Stage 5 clear!\\n\");\n\n\t\/\/ here's your flag\n\tsetregid(getegid(), getegid());\n\tsystem(\"\/bin\/cat flag\");\t\n\treturn 0;\n}\n<\/pre>\n\n\n\n
Stage 1<\/h2>\n\n\n\n
\/\/ argv\n\tif(argc != 100) return 0;\n\tif(strcmp(argv['A'],\"\\x00\")) return 0;\n\tif(strcmp(argv['B'],\"\\x20\\x0a\\x0d\")) return 0;\n\tprintf(\"Stage 1 clear!\\n\");\t<\/pre>\n\n\n\n
argc<\/code>\ub294 \ud504\ub85c\uadf8\ub7a8\uc5d0 \uc804\ub2ec\ub41c \uc778\uc790\uc758 \uac1c\uc218\ub85c, 100\uac1c\uc5ec\uc57c\ud55c\ub2e4.<\/p>\n\n\n\n
A\ub294 65\uc758 16\uc9c4\uc218\ub85c, argv[65]<\/code>\uac00 \"\\x00\"<\/code>\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
B\ub294 66\uc758 16\uc9c4\uc218\ub85c, argv[66]<\/code>\uac00 \"\\x20\\x0a\\x0d\"<\/code>\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
Stage 2<\/h2>\n\n\n\n
\/\/ stdio\n\tchar buf[4];\n\tread(0, buf, 4);\n\tif(memcmp(buf, \"\\x00\\x0a\\x00\\xff\", 4)) return 0;\n\tread(2, buf, 4);\n        if(memcmp(buf, \"\\x00\\x0a\\x02\\xff\", 4)) return 0;\n\tprintf(\"Stage 2 clear!\\n\");<\/pre>\n\n\n\n
read \ud568\uc218\uc758 1\ubc88\uc9f8 \ub9e4\uac1c\ubcc0\uc218\ub85c \uac01\uac01 \ub4e4\uc5b4\uac00\ub294 0\uacfc 2\ub294 \ud45c\uc900 \uc785\ub825\uc778 stdin\uacfc \ud45c\uc900 \uc5d0\ub7ec\uc778 stderr\uc744 \uc758\ubbf8\ud55c\ub2e4.<\/p>\n\n\n\n
read(0, buf, 4)<\/code>\ub294 \ud45c\uc900 \uc785\ub825(stdin, fd 0)\uc5d0\uc11c 4\ubc14\uc774\ud2b8\ub97c \uc77d\uc5b4 buf<\/code>\uc5d0 \uc800\uc7a5\ud558\ub294\ub370 \"\\x00\\x0a\\x00\\xff\"<\/code>\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
buf<\/code>\uc5d0 \ud45c\uc900 \uc5d0\ub7ec(stderr, fd 2)\uc5d0\uc11c 4\ubc14\uc774\ud2b8\ub97c \uc77d\uc5b4 buf<\/code>\uc5d0 \uc800\uc7a5\ud558\ub294\ub370 \"\\x00\\x0a\\x02\\xff\"<\/code>\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
Stage 3<\/h2>\n\n\n\n
\/\/ env\n\tif(strcmp(\"\\xca\\xfe\\xba\\xbe\", getenv(\"\\xde\\xad\\xbe\\xef\"))) return 0;\n\tprintf(\"Stage 3 clear!\\\\n\");<\/pre>\n\n\n\n
\ud658\uacbd \ubcc0\uc218\uc758 \uc774\ub984\uc774 \"\\xde\\xad\\xbe\\xef\"<\/code> \uc778 \uac83\uc744 \ucc3e\uc558\uc744\ub54c \uadf8 \uac12\uc774 \"\\xca\\xfe\\xba\\xbe\"<\/code>\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
Stage 4<\/h2>\n\n\n\n
\/\/ file\n\tFILE* fp = fopen(\"\\x0a\", \"r\");\n\tif(!fp) return 0;\n\tif( fread(buf, 4, 1, fp)!=1 ) return 0;\n\tif( memcmp(buf, \"\\x00\\x00\\x00\\x00\", 4) ) return 0;\n\tfclose(fp);\n\tprintf(\"Stage 4 clear!\\n\");\t<\/pre>\n\n\n\n
\uc774\ub984\uc774 \uc904\ubc14\uafc8 \ubb38\uc790 (0x0a<\/code>) \ud558\ub098\ub85c \ub41c \ud30c\uc77c\uc744 \uc77d\uae30 \ubaa8\ub4dc\ub85c \uc5f0\ub2e4.<\/p>\n\n\n\n
\uc5bb\uc740 fp<\/code>\ub85c\ubd80\ud130 4\ubc14\uc774\ud2b8<\/code>\ub97c buf<\/code>\uc5d0 \uc77d\uc5b4\uc624\ub294\ub370 \"\\x00\\x00\\x00\\x00\u201d<\/code> \uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
Stage 5<\/h2>\n\n\n\n
\/\/ network\n\tint sd, cd;\n\tstruct sockaddr_in saddr, caddr;\n\tsd = socket(AF_INET, SOCK_STREAM, 0);\n\tif(sd == -1){\n\t\tprintf(\"socket error, tell admin\\n\");\n\t\treturn 0;\n\t}\n\tsaddr.sin_family = AF_INET;\n\tsaddr.sin_addr.s_addr = INADDR_ANY;\n\tsaddr.sin_port = htons( atoi(argv['C']) );\n\tif(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){\n\t\tprintf(\"bind error, use another port\\n\");\n    \t\treturn 1;\n\t}\n\tlisten(sd, 1);\n\tint c = sizeof(struct sockaddr_in);\n\tcd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);\n\tif(cd < 0){\n\t\tprintf(\"accept error, tell admin\\n\");\n\t\treturn 0;\n\t}\n\tif( recv(cd, buf, 4, 0) != 4 ) return 0;\n\tif(memcmp(buf, \"\\xde\\xad\\xbe\\xef\", 4)) return 0;\n\tprintf(\"Stage 5 clear!\\n\");<\/pre>\n\n\n\n
argv['C']<\/code> \uc704\uce58\uc758 \ubb38\uc790\uc5f4\uc744 \ud3ec\ud2b8\ubc88\ud638\ub85c \uc0ac\uc6a9\ud558\uc5ec \uc18c\ucf13\uc5d0 \ubc14\uc778\ub529\ud558\uace0 \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \uc811\uc18d\ud558\uae30\ub97c \uae30\ub2e4\ub9b0\ub2e4.<\/p>\n\n\n\n
\ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \uc811\uc18d\ud558\uba74 \uc218\uc2e0\ub41c \ub370\uc774\ud130 4\ubc14\uc774\ud2b8\ub97c \uac80\uc0ac\ud558\ub294\ub370, \"\\xde\\xad\\xbe\\xef\"<\/code> \uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
Solution<\/h1>\n\n\n\n
\uc0ac\uc804\uc5d0 Stage 2, 4\ub97c \ud1b5\uacfc\uc2dc\ud0a4\uace0 flag\ub97c \uc77d\ud788\uae30 \uc704\ud574 \uc784\uc2dc\ub514\ub809\ud1a0\ub9ac\ub97c \ub9cc\ub4e4\uc5b4 \uba87\uba87\uc758 \uba85\ub839\uc5b4\ub97c \uc785\ub825\ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport sys\n\n_port = \"13375\"\n\narg = [str(i) for i in range(100)]\narg[65] = \"\\x00\"\narg[66] = \"\\x20\\x0a\\x0d\"\narg[67] = _port\n\n_env = {'\\xde\\xad\\xbe\\xef' : \"\\xca\\xfe\\xba\\xbe\"}\n\n# python3 -c 'import sys; sys.stdout.buffer.write(b\"\\x00\\x0a\\x02\\xff\")' > \/tmp\/w4_2\/err\n# python3 -c 'import sys; sys.stdout.buffer.write(b\"\\x00\\x00\\x00\\x00\")' > \/tmp\/w4_2\/$'\\x0a'\n# ln -sf \/home\/input2\/flag \/tmp\/w4_2\/flag\n\n\n# p = process(executable='.\/input2', argv=arg, stderr = open('\/tmp\/w4\/err'), env=_env)\np = process(executable='\/home\/input2\/input2', argv=arg, stderr = open('\/tmp\/w4_2\/err'), env=_env)\n\npayload = \"\\x00\\x0a\\x00\\xff\"\n\n# input()\n\np.recvuntil(\"Stage 1 clear!\\n\")\np.send(payload)\n\np.recvuntil(\"Stage 4 clear!\\n\")\n\np2 = remote(\"127.0.0.1\", _port)\np2.send(\"\\xde\\xad\\xbe\\xef\")\np2.close()\n\n\np.interactive()<\/pre>\n\n\n\n
Result<\/h1>\n\n\n\n
input2@ubuntu:\/tmp\/w4_a$ nano solve.py\nUnable to create directory \/home\/input2\/.local\/share\/nano\/: No such file or directory\nIt is required for saving\/loading search history or cursor positions.\n\ninput2@ubuntu:\/tmp\/w4_a$ python3 -c 'import sys; sys.stdout.buffer.write(b\"\\x00\\x0a\\x02\\xff\")' > \/tmp\/w4_a\/err\ninput2@ubuntu:\/tmp\/w4_a$ python3 -c 'import sys; sys.stdout.buffer.write(b\"\\x00\\x00\\x00\\x00\")' > \/tmp\/w4_a\/$'\\x0a'\ninput2@ubuntu:\/tmp\/w4_a$ ln -sf \/home\/input2\/flag \/tmp\/w4_a\/flag\ninput2@ubuntu:\/tmp\/w4_a$ python3 solve.py\n[x] Starting local process '\/home\/input2\/input2' argv=[b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'10', b'11', b'12', b'13', b'14', b'15', b'16', b'17', b'18', b'19', b'20', b'21', b'22', b'23', b'24', b'25', b'26', b'27', b'28', b'29', b'30', b'31', b'32', b'33', b'34', b'35', b'36', b'37', b'38', b'39', b'40', b'41', b'42', b'43', b'44', b'45', b'46', b'47', b'48', b'49', b'50', b'51', b'52', b'53', b'54', b'55', b'56', b'57', b'58', b'59', b'60', b'61', b'62', b'63', b'64', b'', b' \\n\\r', b'13375', b'68', b'69', b'70', b'71', b'72', b'73', b'74', b'75', b'76', b'77', b'78', b'79', b'80', b'81', b'82', b'83', b'84', b'85', b'86', b'87', b'88', b'89', b'90', b'91', b'92', b'93', b'94', b'95',[\/.......] Starting local process '\/home\/input2\/input2' argv=[b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'10', b'11', b'12', b'13', b'14', b'15', b'16', b'17', b'18', b'19', b'20', b'21', b'22', b'23', b'24', b'25', b'26', b'27', b'28', b'29', b'30', b'31', b'32', b'33', b'34', b'35', b'36', b'37', b'38', b'39', b'40', b'41', b'42', b'43', b'44', b'45', b'46', b'47', b'48', b'49', b'50', b'51', b'52', b'53', b'54', b'55', b'56', b'57', b'58', b'59', b'60', b'61', b'62', b'63', b'64', b'', b' \\n\\r', b'13375', b'68', b'69', b'70', b'71', b'72', b'73', b'74', b'75', b'76', b'77', b'78', b'79', b'80', b'81', b'82', b'83', b'84', b'85', b'86', b'87', b'88', b'89', b'90', b'91', b'92', b'93', b'94', b'95', b'96', b'97', b'98', b'99']  env={b'\\xde\\xad\\xbe\\xef': b'\\xca\\xfe\\xba\\xbe'}        Starting local process '\/home\/input2\/input2' argv=[b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'10', b'11', b'12', b'13', b'14', b'15', b'16', b'17', b'18', b'19', b'20', b'21', b'22', b'23', b'24', b'25', b'26', b'27', b'28', b'29', b'30', b'31', b'32', b'33', b'34', b'35', b'36', b'37', b'38', b'39', b'40', b'41', b'42', b'43', b'44', b'45', b'46', b'47', b'48', b'49', b'50', b'51', b'52', b'53', b'54', b'55', b'56', b'57', b'58', b'59', b'60', b'61', b'62', b'63', b'64', b'', b' \\n\\r', b'13375', b'68', b'69', b'70', b'71', b'72', b'73', b'74', b'75', b'76', b'77', b'78', b'79', b'80', b'81', b'82', b'83', b'84', b'85', b'86', b'87', b'88', b'89', b'90', b'91', b'92', b'93', b'94', b'95', b'96', b'97', b'98', b'99']  env={b'\\xde\\xad\\xbe\\xef': b'\\xca\\xfe\\xba\\xb[+] Starting local process '\/home\/input2\/input2' argv=[b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'10', b'11', b'12', b'13', b'14', b'15', b'16', b'17', b'18', b'19', b'20', b'21', b'22', b'23', b'24', b'25', b'26', b'27', b'28', b'29', b'30', b'31', b'32', b'33', b'34', b'35', b'36', b'37', b'38', b'39', b'40', b'41', b'42', b'43', b'44', b'45', b'46', b'47', b'48', b'49', b'50', b'51', b'52', b'53', b'54', b'55', b'56', b'57', b'58', b'59', b'60', b'61', b'62', b'63', b'64', b'', b' \\n\\r', b'13375', b'68', b'69', b'70', b'71', b'72', b'73', b'74', b'75', b'76', b'77', b'78', b'79', b'80', b'81', b'82', b'83', b'84', b'85', b'86', b'87', b'88', b'89', b'90', b'91', b'92', b'93', b'94', b'95', b'96', b'97', b'98', b'99']  env={b'\\xde\\xad\\xbe\\xef': b'\\xca\\xfe\\xba\\xbe'} : pid 3732946\n[DEBUG] Received 0x92 bytes:\n    b'Welcome to pwnable.kr\\n'\n    b\"Let's see if you know how to give input to program\\n\"\n    b'Just give me correct inputs then you will get the flag :)\\n'\n    b'Stage 1 clear!\\n'\n[DEBUG] Sent 0x4 bytes:\n    00000000  00 0a 00 ff                                         \u2502\u00b7\u00b7\u00b7\u00b7\u2502\n    00000004\n[DEBUG] Received 0x2d bytes:\n    b'Stage 2 clear!\\n'\n    b'Stage 3 clear!\\n'\n    b'Stage 4 clear!\\n'\n[+] Opening connection to 127.0.0.1 on port 13375: Done\n[DEBUG] Sent 0x4 bytes:\n    00000000  de ad be ef                                         \u2502\u00b7\u00b7\u00b7\u00b7\u2502\n    00000004\n[*] Closed connection to 127.0.0.1 port 13375\n[*] Switching to interactive mode\n[DEBUG] Received 0xf bytes:\n    b'Stage 5 clear!\\n'\nStage 5 clear!\n[DEBUG] Received 0x2d bytes:\n    b'Mommy_now_I_know_how_to_pa5s_inputs_in_Linux\\n'\nMommy_now_I_know_how_to_pa5s_inputs_in_Linux\n[*] Process '\/home\/input2\/input2' stopped with exit code 0 (pid 3732946)\n[*] Got EOF while reading in interactive\n$ \n[*] Interrupted<\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Description Source Code Stage 1 argc\ub294 \ud504\ub85c\uadf8\ub7a8\uc5d0 \uc804\ub2ec\ub41c \uc778\uc790\uc758 \uac1c\uc218\ub85c, 100\uac1c\uc5ec\uc57c\ud55c\ub2e4. A\ub294 65\uc758 16\uc9c4\uc218\ub85c, argv[65]\uac00 “\\x00″\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4. B\ub294 66\uc758 16\uc9c4\uc218\ub85c, argv[66]\uac00 “\\x20\\x0a\\x0d”\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c \ud55c\ub2e4. Stage 2 read \ud568\uc218\uc758 1\ubc88\uc9f8 \ub9e4\uac1c\ubcc0\uc218\ub85c \uac01\uac01 \ub4e4\uc5b4\uac00\ub294 0\uacfc 2\ub294 \ud45c\uc900 \uc785\ub825\uc778 stdin\uacfc \ud45c\uc900 \uc5d0\ub7ec\uc778 stderr\uc744 \uc758\ubbf8\ud55c\ub2e4. read(0, buf, 4)\ub294 \ud45c\uc900 \uc785\ub825(stdin, fd 0)\uc5d0\uc11c 4\ubc14\uc774\ud2b8\ub97c \uc77d\uc5b4 buf\uc5d0 \uc800\uc7a5\ud558\ub294\ub370 “\\x00\\x0a\\x00\\xff”\uc640 \ub3d9\uc77c\ud558\uc5ec\uc57c… \ub354 \ubcf4\uae30 »input2<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3250","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3250"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3250\/revisions"}],"predecessor-version":[{"id":3253,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3250\/revisions\/3253"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}