blukat

Sometimes, pwnable is strange...
hint: if this challenge is hard, you are a skilled player.

ssh blukat@pwnable.kr -p2222 (pw: guest)

查看源码：

#include 
#include <string.h>
#include 
#include 
char flag[100];
char password[100];
char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
void calc_flag(char* s){
        int i;
        for(i=0; i){
                flag[i] = s[i] ^ key[i];
        }
        printf("%s\n", flag);
}
int main(){
        FILE* fp = fopen("/home/blukat/password", "r");
        fgets(password, 100, fp);
        char buf[100];
        printf("guess the password!\n");
        fgets(buf, 128, stdin);
        if(!strcmp(password, buf)){
                printf("congrats! here is your flag: ");
                calc_flag(password);
        }
        else{
                printf("wrong guess!\n");
                exit(0);
        }
        return 0;
}

flag就是将key与password逐位异或

查看password，提示我们

cat: password: Permission denied

ls -l查看权限

 password只有root和blukat_pwn有权限

whoami查看当前用户

 是blukat

查看当前用户组

 当前就是blukat_pwn

因此password我们是有权限访问的，并且内容就是cat: password: Permission denied

将这个输入程序即可得到flag