write-ups-challenges-2023-2024/unbreakable-2/SOLUTION.md

## Difficulty
50/100

## Category
exploitation

## How To Solve
This time the sequence is again generated with `rand()` but the generator is 
seeded with the current uptime in seconds. Thing is, the program already 
prints how long it has been running in the connection welcome.

	Welcome to Robbe's secure vault v2.
	I have been protecting Robbe's secrets for 2 day(s), 21 hours, 59 minutes and 3 seconds
	Please enter the password to see all the secrets:

So to solve this, you can extract the uptime from this header string and 
then use it to seed a random generator.

Most glibc implementations will use the same one, but if yours is different
you can just run all this code in a ubuntu docker image. The ubuntu version
was given.


```python
from pwn import *
import time

conn = remote("localhost", 3004)
time.sleep(0.1)
recv = conn.recv(1024).decode()

start = recv.index('for ') + 4
duration = recv[start:recv.index('\n', start)]
duration = duration.replace('and ', ', ').split(', ')
print(duration)

days = int(duration[0].split()[0])
hours = int(duration[1].split()[0])
minutes = int(duration[2].split()[0])
seconds = int(duration[3].split()[0])

seed = days * (24*60*60) + hours * (60*60) + minutes * 60 + seconds
p = process(['./generator', str(seed)])
numbers = p.recv(1024)

conn.send(numbers)
time.sleep(0.1)
print(conn.recv(1024).decode())
```

Then I used a C program to generate the output

```c
#include <stdio.h>
#include <stdlib.h>

void main(int argc, char** argv) {
    int seed = atoi(argv[1]);
    srand(seed);

    for (int i = 0; i < 20; i++) {
        int num = rand() % 10;
        printf("%i\n", num);
    }
}
```

## Hints
n/a

## Flag
IGCTF{yoU_br0k3_Th3_UnbR34kAblE}
intitial commit 2023-11-28 15:24:59 +00:00			`## Difficulty`
			`50/100`

			`## Category`
			`exploitation`

			`## How To Solve`
			This time the sequence is again generated with `rand()` but the generator is
			`seeded with the current uptime in seconds. Thing is, the program already`
			`prints how long it has been running in the connection welcome.`

			`Welcome to Robbe's secure vault v2.`
			`I have been protecting Robbe's secrets for 2 day(s), 21 hours, 59 minutes and 3 seconds`
			`Please enter the password to see all the secrets:`

			`So to solve this, you can extract the uptime from this header string and`
			`then use it to seed a random generator.`

			`Most glibc implementations will use the same one, but if yours is different`
			`you can just run all this code in a ubuntu docker image. The ubuntu version`
			`was given.`


			```python
			`from pwn import *`
			`import time`

			`conn = remote("localhost", 3004)`
			`time.sleep(0.1)`
			`recv = conn.recv(1024).decode()`

			`start = recv.index('for ') + 4`
			`duration = recv[start:recv.index('\n', start)]`
			`duration = duration.replace('and ', ', ').split(', ')`
			`print(duration)`

			`days = int(duration[0].split()[0])`
			`hours = int(duration[1].split()[0])`
			`minutes = int(duration[2].split()[0])`
			`seconds = int(duration[3].split()[0])`

			`seed = days * (246060) + hours * (6060) + minutes 60 + seconds`
			`p = process(['./generator', str(seed)])`
			`numbers = p.recv(1024)`

			`conn.send(numbers)`
			`time.sleep(0.1)`
			`print(conn.recv(1024).decode())`
			```

			`Then I used a C program to generate the output`

			```c
			`#include <stdio.h>`
			`#include <stdlib.h>`

			`void main(int argc, char** argv) {`
			`int seed = atoi(argv[1]);`
			`srand(seed);`

			`for (int i = 0; i < 20; i++) {`
			`int num = rand() % 10;`
			`printf("%i\n", num);`
			`}`
			`}`
			```

			`## Hints`
			`n/a`

			`## Flag`
			`IGCTF{yoU_br0k3_Th3_UnbR34kAblE}`