72 lines
1.7 KiB
Markdown
72 lines
1.7 KiB
Markdown
## Difficulty
|
|
50/100
|
|
|
|
## Category
|
|
exploitation
|
|
|
|
## How To Solve
|
|
This time the sequence is again generated with `rand()` but the generator is
|
|
seeded with the current uptime in seconds. Thing is, the program already
|
|
prints how long it has been running in the connection welcome.
|
|
|
|
Welcome to Robbe's secure vault v2.
|
|
I have been protecting Robbe's secrets for 2 day(s), 21 hours, 59 minutes and 3 seconds
|
|
Please enter the password to see all the secrets:
|
|
|
|
So to solve this, you can extract the uptime from this header string and
|
|
then use it to seed a random generator.
|
|
|
|
Most glibc implementations will use the same one, but if yours is different
|
|
you can just run all this code in a ubuntu docker image. The ubuntu version
|
|
was given.
|
|
|
|
|
|
```python
|
|
from pwn import *
|
|
import time
|
|
|
|
conn = remote("localhost", 3004)
|
|
time.sleep(0.1)
|
|
recv = conn.recv(1024).decode()
|
|
|
|
start = recv.index('for ') + 4
|
|
duration = recv[start:recv.index('\n', start)]
|
|
duration = duration.replace('and ', ', ').split(', ')
|
|
print(duration)
|
|
|
|
days = int(duration[0].split()[0])
|
|
hours = int(duration[1].split()[0])
|
|
minutes = int(duration[2].split()[0])
|
|
seconds = int(duration[3].split()[0])
|
|
|
|
seed = days * (24*60*60) + hours * (60*60) + minutes * 60 + seconds
|
|
p = process(['./generator', str(seed)])
|
|
numbers = p.recv(1024)
|
|
|
|
conn.send(numbers)
|
|
time.sleep(0.1)
|
|
print(conn.recv(1024).decode())
|
|
```
|
|
|
|
Then I used a C program to generate the output
|
|
|
|
```c
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
void main(int argc, char** argv) {
|
|
int seed = atoi(argv[1]);
|
|
srand(seed);
|
|
|
|
for (int i = 0; i < 20; i++) {
|
|
int num = rand() % 10;
|
|
printf("%i\n", num);
|
|
}
|
|
}
|
|
```
|
|
|
|
## Hints
|
|
n/a
|
|
|
|
## Flag
|
|
IGCTF{yoU_br0k3_Th3_UnbR34kAblE} |