pwnable.kr: col Writeup
1. Overview
2. Recon
SSH in as the “col” user
ssh col@pwnable.kr -p2222
col@pwnable.kr's password: guest
View the source code
cat col.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Target value: a passcode is accepted when check_password() returns exactly this. */
unsigned long hashcode = 0x21DD09ECUL;
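/*
 * Reduce a passcode to the value that is compared against `hashcode`.
 *
 * The function takes no length: it always reads 5 * sizeof(int) bytes
 * from `p`, so the caller must guarantee at least 20 bytes (main checks
 * strlen(argv[1]) == 20 before calling). A shorter buffer is an
 * out-of-bounds read.
 *
 * The bytes are interpreted as five host-endian `int`-sized words and
 * summed. Each word is fetched with memcpy instead of an `int *` cast
 * (no strict-aliasing or alignment violation) and accumulated in an
 * unsigned type, which wraps modulo 2^N by definition instead of
 * overflowing a signed `int` (undefined behavior).
 *
 * @param p  pointer to at least 20 bytes of passcode; must not be NULL.
 * @return   the wrapped sum, narrowed to `int` and widened to
 *           `unsigned long`: a sum with the top bit set therefore comes
 *           back sign-extended, exactly as the signed accumulator did.
 *           The int narrowing is implementation-defined for values
 *           >= 2^31 (modular on GCC/Clang).
 */
unsigned long check_password(const char* p){
    enum { WORDS = 5 };
    unsigned int sum = 0;
    for (int i = 0; i < WORDS; i++) {
        unsigned int word;
        memcpy(&word, p + (size_t)i * sizeof word, sizeof word);
        sum += word;
    }
    return (unsigned long)(int)sum;
}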
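/*
 * Entry point: take a 20-byte passcode as argv[1] and print the flag
 * when check_password() maps it to `hashcode`.
 *
 * Every path exits with status 0, as before, so scripts cannot use the
 * exit status to tell success from failure; they must read stdout.
 */
int main(int argc, char* argv[]){
    /* argv[0] can be NULL when the process is started with an empty argv;
     * use a fixed fallback rather than handing NULL to "%s". */
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "col";
    if (argc < 2) {
        printf("usage : %s [passcode]\n", prog);
        return 0;
    }
    /* check_password() always reads 5 * sizeof(int) = 20 bytes, so the
     * passcode must be exactly that long. Because strlen is used, the
     * passcode also cannot contain a 0x00 byte. */
    if (strlen(argv[1]) != 20) {
        printf("passcode length should be 20 bytes\n");
        return 0;
    }
    if (hashcode != check_password(argv[1])) {
        printf("wrong passcode.\n");
        return 0;
    }
    /* Make the real gid equal to the effective gid so the child that
     * system() spawns keeps the same group (presumably the binary runs
     * setgid; confirm on the host). Stop if this fails rather than run
     * cat with an unexpected real/effective gid split. */
    if (setregid(getegid(), getegid()) != 0) {
        perror("setregid");
        return 0;
    }
    /* "flag" is resolved relative to the current working directory. */
    if (system("/bin/cat flag") != 0) {
        fprintf(stderr, "could not read flag\n");
    }
    return 0;
}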
The check_password function is particularly interesting: it reinterprets the 20-byte passcode as five 4-byte integers and adds them up, so any five values whose sum is 0x21DD09EC pass the check.
head col.c
#include <stdio.h>
#include <string.h>
/* Target value: a passcode is accepted when check_password() returns exactly this. */
unsigned long hashcode = 0x21DD09ECUL;
unsigned long check_password(const char* p){
int* ip = (int*)p;
int i;
int res=0;
for(i=0; i<5; i++){
res += ip[i];
}
Checking the math: split the target into four equal chunks and let a fifth chunk absorb the remainder.
python
Python 3.10.12 (main, Feb 4 2025, 14:57:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x21DD09EC
568134124
>>> 568134124 // 5
113626824
>>> 113626824 * 4
454507296
>>> 568134124 - 454507296
113626828
>>> ((4 * 113626824) + 113626828) == 0x21DD09EC
True
3. Exploitation
Packing the five integers as 32-bit little-endian values (p32) into a 20-byte payload and passing it as the passcode gives the flag. None of the payload bytes is 0x00, so the strlen check sees all 20 bytes.
python
Python 3.10.12 (main, Feb 4 2025, 14:57:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> hashcode = 0x21DD09EC
>>> chunk = hashcode // 5
>>> remainder = hashcode - (4 * chunk)
>>> payload = (4 * p32(chunk)) + p32(remainder)
>>> print(payload)
b'\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xcc\xce\xc5\x06'
./col
$'\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xc8\xce\xc5\x06\xcc\xce\xc5\x06'
**REDACTED**