zacheller@home:~/blog$ - blukat


Sometimes, pwnable is strange… hint: if this challenge is hard, you are a skilled player.

ssh -p2222 (pw: guest)


blukat@pwnable:~$ ls
blukat  blukat.c  password
blukat@pwnable:~$ cat blukat.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
char flag[100];
char password[100];
char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
void calc_flag(char* s){
        int i;
        for(i=0; i<strlen(s); i++){
                flag[i] = s[i] ^ key[i];
        printf("%s\n", flag);
int main(){
        FILE* fp = fopen("/home/blukat/password", "r");
        fgets(password, 100, fp);
        char buf[100];
        printf("guess the password!\n");
        fgets(buf, 128, stdin);
        if(!strcmp(password, buf)){
                printf("congrats! here is your flag: ");
                printf("wrong guess!\n");
        return 0;

blukat@pwnable:~$ ./blukat
guess the password!
wrong guess!

Reading through the code, there didn’t appear to be anyway to abuse strcmp. It appeared that we would actually have to know the password, so I thought I should check out the file.

blukat@pwnable:~$ cat password
cat: password: Permission denied
blukat@pwnable:~$ file password
password: ASCII text
blukat@pwnable:~$ ls -l password
-rw-r----- 1 root blukat_pwn 33 Jan  6  2017 password
blukat@pwnable:~$ id
uid=1104(blukat) gid=1104(blukat) groups=1104(blukat),1105(blukat_pwn)
blukat@pwnable:~$ cat password 2>/dev/null
cat: password: Permission denied

Huh, we are in the blukat_pwn group so we can actually read the file; it just contains the text of the error message we would get if we couldn’t read it. If only I tried to read it first with less or vim!

blukat@pwnable:~$ ./blukat
guess the password!
cat: password: Permission denied
congrats! here is your flag: <censored>