Welcome to another challenge from pwnable.kr. This time we’re going to work on flaws made while generating pseudo random numbers.
Firstly let’s connect with ssh.
Now we’re ready to look at the source code.
If srand is not called, rand acts as if srand(1) has been called. That’s not good for a security of the program.
We know that it should generate the same number everytime we start the program. But in order to find what number is generated, we’ll have to create small code in C. As in the rules, we can do it in /tmp directory.
We can now compile it, run and our number should be generated.
Here we have the number. As we also know that (key ^ random) == 0xdeadbeef, we can reverse the XOR operation to get the desired key. It will look like this random ^ 0xdeadbeef = key, and then we’ll be able to get the flag.