本文解析了pwnable.kr平台上的Mistake挑战,详细介绍了利用SSH登录漏洞获取flag的过程。通过分析mistake.c源码,揭示了异或操作背后的原理,并演示了如何输入特定字符串绕过密码验证。
pwnable:mistake
pwnable.kr:mistake 题目链接
question
We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)
This task is based on real event
Thanks to dhmonkey
hint : operator priority
ssh mistake@pwnable.kr -p2222 (pw:guest)
题目要求我们使用ssh登录到服务器上ssh mistake@pwnable.kr -p2222,密码是guest,有的时候可能有身份的校验,这个时候需要加上参数-o StrictHostKeyChecking=no进行登录
mistake.c
#include <stdio.h>
#include <fcntl.h>
#define PW_LEN 10
#define XORKEY 1
void xor(char* s, int len){
int i;
for(i=0; i<len; i++){
s[i] ^= XORKEY;
}
}
int main(int argc, char* argv[]){
int fd;
if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
printf("can't open password %d\n", fd);
return 0;
}
printf("do not bruteforce...\n");
sleep(time(0)%20);
char pw_buf[PW_LEN+1];
int len;
if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
printf("read error\n");
close(fd);
return 0;
}
char pw_buf2[PW_LEN+1];
printf("input password : ");
scanf("%10s", pw_buf2);
// xor your input
xor(pw_buf2, 10);
if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
printf("Password OK\n");
system("/bin/cat flag\n");
}
else{
printf("Wrong Password\n");
}
close(fd);
return 0;
}
analyse
只是两次输入异或操作然后比较?
输入0000000000再输入11111111111即可
get flag
mistake@ubuntu:~$ ./mistake
do not bruteforce...
0000000000
input password : 1111111111
Password OK
Mommy, the operator priority always confuses me :(
flag:Mommy, the operator priority always confuses me :(
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
