Pwnable.kr - random


Welcome to another challenge from pwnable.kr. This time we’re going to work on flaws made while generating pseudo random numbers.

Daddy, teach me how to use random value in programming!

ssh [email protected] -p2222 (pw:guest)

Firstly let’s connect with ssh.

main:~ > ssh [email protected] -p2222
[email protected]'s password:
____ __ __ ____ ____ ____ _ ___ __ _ ____
| \| |__| || \ / || \ | | / _] | |/ ]| \
| o ) | | || _ || o || o )| | / [_ | ' / | D )
| _/| | | || | || || || |___ | _] | \ | /
| | | ` ' || | || _ || O || || [_ __ | \| \
| | \ / | | || | || || || || || . || . \
|__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : [email protected]
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Sun Dec 10 09:21:25 2017 from 143.248.133.220
[email protected]:~$ ls -la
total 40
drwxr-x--- 5 root random 4096 Oct 23 2016 .
drwxr-xr-x 80 root root 4096 Jan 11 2017 ..
d--------- 2 root root 4096 Jun 30 2014 .bash_history
-r--r----- 1 random_pwn root 49 Jun 30 2014 flag
dr-xr-xr-x 2 root root 4096 Aug 20 2014 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
-r-sr-x--- 1 random_pwn random 8538 Jun 30 2014 random
-rw-r--r-- 1 root root 301 Jun 30 2014 random.c

Now we’re ready to look at the source code.

#include <stdio.h>

int main(){
unsigned int random;
random = rand(); // random value!

unsigned int key=0;
scanf("%d", &key);

if( (key ^ random) == 0xdeadbeef ){
printf("Good!\n");
system("/bin/cat flag");
return 0;
}

printf("Wrong, maybe you should try 2^32 cases.\n");
return 0;
}

If srand is not called, rand acts as if srand(1) has been called. That’s not good for a security of the program.

We know that it should generate the same number everytime we start the program. But in order to find what number is generated, we’ll have to create small code in C. As in the rules, we can do it in /tmp directory.

[email protected]:/tmp$ mkdir random_test
[email protected]:/tmp$ cd random_test
[email protected]:/tmp/random_test$ touch test.c
[email protected]:/tmp/random_test$ vi test.c
#include <stdio.h>

int main(){
unsigned int random;
random = rand();

printf("%d\n", random);
return 0;
}

We can now compile it, run and our number should be generated.

[email protected]:/tmp/random_test$ gcc test.c -o test
test.c: In function ‘main’:
test.c:5:18: warning: implicit declaration of function ‘rand’ [-Wimplicit-function-declaration]
random = rand();
^
[email protected]:/tmp/random_test$ chmod +x test
[email protected]:/tmp/random_test$ ./test
1804289383

Here we have the number. As we also know that (key ^ random) == 0xdeadbeef, we can reverse the XOR operation to get the desired key. It will look like this random ^ 0xdeadbeef = key, and then we’ll be able to get the flag.

  
main:~ > python
Python 3.6.3 (default, Oct 24 2017, 14:48:20)
[GCC 7.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 1804289383 ^ 0xdeadbeef
303923085

Here we have the key.

[email protected]:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable...

Keep learning and stay safe! ~ W3ndige