Mistakes Happen.

Sometimes a coder, no matter how experienced, makes an incredibly novice mistake. These mistakes commonly find their way into finished software and can be exploited by users to make the program do things that were not intended. Sometimes these result in funny glitches that make interesting YouTube videos; sometimes it's far more serious and results in the ability for a user or an attacker to gain root or administrator access to a system.

VPN Recommended: You're logging into a remote SSH server, and therefore your IP address information may become visible to other users. Use a VPN to mask your true IP.

Let's look at the challenge.

Mistake – Sometimes it's just a dumb error.

As with the other pwnable.kr challenges, we're presented with a username and password to log into the SSH server. Doing so and issuing our ls -l command gives us the following results.


This time we have a flag, our mistake executable, the C code behind it, and a password file. Running "cat ./mistake.c" gives us the following code output.


Let's run through it.

The first thing it tries to do is open a file: if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){ printf("can't open password %d\n", fd); return 0; } except this doesn't work the way the coder intended. Due to operator precedence in C, the comparison open(...) < 0 is evaluated first, and its result, not the descriptor returned by open, is what gets assigned to fd. When the file opens successfully that result is 0, so fd is always 0. This is important for the upcoming code.

if(!(len=read(fd,pw_buf,PW_LEN) > 0)) was intended to read the password from the file whose descriptor was supposed to be stored in fd, and place it in the pw_buf variable. Instead, this is evaluated as if(!(len=read(0,pw_buf,PW_LEN) > 0)), and, as we remember from our first challenge, file descriptor 0 is STDIN. This means the program takes input from STDIN and stores it in pw_buf instead.

Now the program takes a bit of a logical turn. It reads your input for pw_buf2, up to 10 characters (scanf("%10s", pw_buf2);). It then XORs each character of your pw_buf2 input with 1 and compares the result to the original input that was stored in pw_buf; if they match, your password is OK and the program prints the flag.
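Here is the precedence slip, its corrected form, and the XOR check side by side. This is an added example written for this post, not the challenge's own mistake.c; the function names, the /dev/null input and the pipe used in the demo are my own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_LEN 10

/* Parsed exactly as mistake.c's "fd = open(...) < 0": '<' binds tighter than
 * '=', so fd receives the comparison result (0 when open succeeds) and the
 * real descriptor is leaked. Returns the value fd ends up holding. */
int fd_after_buggy_open(const char *path) {
    int fd;
    if ((fd = (open(path, O_RDONLY, 0400) < 0))) return -1; /* "can't open" path */
    return fd;       /* 0 whenever the file exists, and descriptor 0 is stdin */
}

/* Corrected form: parenthesise the assignment so fd holds the descriptor.
 * The caller owns (and should close) the returned descriptor. */
int fd_after_fixed_open(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY, 0400)) < 0) return -1;
    return fd;
}

/* The same slip on the read line: len receives (read(...) > 0), i.e. 0 or 1,
 * never the number of bytes read. Returns what len ends up holding. */
int len_after_buggy_read(int fd, char *pw_buf) {
    int len = read(fd, pw_buf, PW_LEN) > 0;
    return len;
}

/* The challenge's check: pw_buf2 is XORed byte-wise with 1 and must then equal
 * pw_buf, which is why "1111111111" pairs with "0000000000" ('1' ^ 1 == '0'). */
int password_matches(const char *pw_buf, const char *pw_buf2) {
    char tmp[PW_LEN];
    memcpy(tmp, pw_buf2, PW_LEN);
    for (size_t i = 0; i < PW_LEN; i++) tmp[i] ^= 1;
    return memcmp(pw_buf, tmp, PW_LEN) == 0;
}

int main(void) {
    printf("buggy open: fd=%d   fixed open: fd=%d\n",
           fd_after_buggy_open("/dev/null"), fd_after_fixed_open("/dev/null"));
    printf("1111111111 vs 0000000000 -> %d\n",
           password_matches("1111111111", "0000000000"));
    return 0;
}
```

The buggy open always reports fd 0 for any readable file, which is exactly why the later read ends up waiting on your keyboard.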

That means to get the flag, run the program with ./mistake, enter 1111111111 as the first input, then enter 0000000000 (that string with each character XORed with 1) as the second; and voila, your flag!