Hi all, that was a really interesting challenge.
You can start playing here: pwnable.kr
Binary/Source Code - Enumeration/Reconnaissance
First step: we connect to the pwnable.kr server, after which we can see these files:
flag contains our flag, random is the binary that we have to exploit, and random.c has the vulnerable source code that we have to analyze.
Note: I don't write C, but I can read it.
The problem lies here:
This code generates predictable random numbers: when you call rand() without first seeding it with srand(), the C library behaves as if it had been seeded with the value 1. Anyone else on the same machine, with the same compiler and C library, who calls rand() with a seed of 1 will get exactly the same sequence of "random" numbers. WOW, dangerous.
So let's write a small C program to grab this random number. You can go under /tmp and create a directory there.
Let's compile and run it.
Now, to grab the flag we have to do this:
XOR operator explanation
^ is the XOR (exclusive or) operator.
For example:
We can do this in Python pretty easily:
Exploitation
We can reverse this:
To be:
Let's do this in Python.
Let's input this now:
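To tie the rand() weakness and the XOR reversal together, here is an added example in C (not code from the original post): it confirms that rand() with no srand() call behaves exactly like srand(1), and that because XOR is its own inverse, key = random ^ target makes random ^ key == target. TARGET is an assumed placeholder value, not the challenge's real constant.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed placeholder for the value the binary compares against;
 * the real constant lives in random.c on the server. */
#define TARGET 0x12345678u

/* Returns 1 if the very first rand() of this process equals the first
 * rand() after srand(1). The C standard requires this, which is exactly
 * why an unseeded rand() is predictable. Must be the first rand() call. */
int first_rand_matches_seed_one(void) {
    unsigned int unseeded = (unsigned int)rand();
    srand(1);
    unsigned int seeded = (unsigned int)rand();
    return unseeded == seeded;
}

/* First value of the sequence for a given seed: same seed, same output. */
unsigned int first_rand_for_seed(unsigned int seed) {
    srand(seed);
    return (unsigned int)rand();
}

/* XOR is self-inverse: if random ^ key must equal target,
 * then key = random ^ target. */
unsigned int derive_key(unsigned int random, unsigned int target) {
    return random ^ target;
}

/* The check the binary performs on the user's input. */
int check_passes(unsigned int random, unsigned int key, unsigned int target) {
    return (random ^ key) == target;
}

int main(void) {
    printf("unseeded rand() == srand(1) rand(): %d\n", first_rand_matches_seed_one());
    unsigned int r = first_rand_for_seed(1);
    unsigned int key = derive_key(r, TARGET);
    printf("random = %u, key to send = %u, check = %d\n",
           r, key, check_passes(r, key, TARGET));
    return 0;
}
```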
pwntools exploit
I coded this exploit to automate the process: