- fd

March 25 2017

This is the first of the earlier challenges on, which is a really great pwn wargame.

SSHing into the server, I was provided with the following code snippet.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* read() */
char buf[32];
int main(int argc, char* argv[], char* envp[]){
    if(argc<2){
        printf("pass argv[1] a number\n");
        return 0;
    }
    /* the descriptor is attacker-controlled: argv[1] minus 0x1234 */
    int fd = atoi( argv[1] ) - 0x1234;
    int len = 0;
    len = read(fd, buf, 32);   /* return value is never checked */
    if(!strcmp("LETMEWIN\n", buf)){
        printf("good job :)\n");
        system("/bin/cat flag");
        exit(0);
    }
    printf("learn about Linux file IO\n");
    return 0;
}


Reading through the code, we can see that the file descriptor passed to read() is computed by subtracting 0x1234 from the first user-provided argument.

The program then reads up to 32 bytes from that descriptor and compares them with the string LETMEWIN followed by a newline using strcmp(). So all we have to do is provide 0x1234 as the argument, written in decimal as 4660 because atoi() parses base 10, so that the file descriptor ends up being 0 (STDIN). We then pass the string LETMEWIN through stdin, ending with the newline that pressing Enter supplies, so the comparison succeeds and the system() call is triggered.

[email protected]:~$ ./fd 4660 
good job :)
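The descriptor arithmetic can be checked without the challenge binary. The following is an added example, not part of the challenge source: the hypothetical helper `simulate()` puts a pipe with constructed input in place of stdin and repeats the same `atoi()`, `read()` and `strcmp()` steps, which shows why 4660 works, why the literal string "0x1234" does not, and why the trailing newline matters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: `arg` plays argv[1], `input` is what waits on stdin.
 * Returns 1 if the strcmp() check would pass, 0 if it would fail,
 * -1 if read() itself failed (for example EBADF on a bad descriptor). */
int simulate(const char *arg, const char *input)
{
    char buf[33] = {0};             /* 32 bytes read + guaranteed NUL */
    int p[2];
    if (pipe(p) != 0)
        return -1;
    /* Constructed input, short enough to fit in the pipe buffer. */
    if (write(p[1], input, strlen(input)) < 0) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);                    /* reader sees EOF after the data */

    int saved = dup(STDIN_FILENO);  /* -1 if stdin was already closed */
    if (p[0] != STDIN_FILENO) {
        dup2(p[0], STDIN_FILENO);   /* the pipe now stands in for stdin */
        close(p[0]);
    }

    int fd = atoi(arg) - 0x1234;    /* same arithmetic as the challenge */
    ssize_t len = read(fd, buf, 32);

    if (saved >= 0) { dup2(saved, STDIN_FILENO); close(saved); }
    else close(STDIN_FILENO);

    if (len < 0)
        return -1;                  /* the challenge code ignores this case */
    return strcmp("LETMEWIN\n", buf) == 0;
}

int main(void)
{
    printf("4660 with newline:    %d\n", simulate("4660", "LETMEWIN\n"));
    printf("4660 without newline: %d\n", simulate("4660", "LETMEWIN"));
    printf("\"0x1234\" as text:     %d\n", simulate("0x1234", "LETMEWIN\n"));
    return 0;
}
```

`atoi("0x1234")` stops at the `x` and returns 0, so the descriptor becomes -4660 and `read()` fails, which the original program never notices because it does not check `len`.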