目录
0x01题目
0x02解题思路
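下载文件,检查一下情况。从下面 ls -la 的输出可以看到:flag 只有属主 lotto_pwn 和 root 组可读,而 lotto 设置了 setuid 位、属主同样是 lotto_pwn,并且 lotto 组可以执行它,因此只能通过运行 lotto 程序来读取 flag。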
root@mypwn:/ctf/work/pwnable.kr# ssh lotto@pwnable.kr -p2222
lotto@pwnable.kr's password:
____ __ __ ____ ____ ____ _ ___ __ _ ____
| \| |__| || \ / || \ | | / _] | |/ ]| \
| o ) | | || _ || o || o )| | / [_ | ' / | D )
| _/| | | || | || || || |___ | _] | \ | /
| | | ` ' || | || _ || O || || [_ __ | \| \
| | \ / | | || | || || || || || . || . \
|__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
- Site admin : daehee87@gatech.edu
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Wed Jan 1 09:01:04 2020 from 64.43.135.184
lotto@prowl:~$ ls -la
total 44
drwxr-x--- 5 root lotto 4096 Oct 23 2016 .
drwxr-xr-x 116 root root 4096 Nov 12 21:34 ..
d--------- 2 root root 4096 Feb 18 2015 .bash_history
-r--r----- 1 lotto_pwn root 55 Feb 18 2015 flag
dr-xr-xr-x 2 root root 4096 Feb 18 2015 .irssi
-r-sr-x--- 1 lotto_pwn lotto 13081 Feb 18 2015 lotto
-r--r--r-- 1 root root 1713 Feb 18 2015 lotto.c
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
打开 C 语言源码 lotto.c:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
// Buffer for the six bytes the player submits; play() fills it with read(0, submit, 6).
// As a file-scope object it starts zeroed and keeps its contents between calls, so a
// short read would leave the remaining bytes at their previous values.
// NOTE(review): whether play() checks read()'s return value is not visible in this excerpt.
unsigned char submit[6];
void play(){
int i;
printf("Submit your 6 lotto bytes : ");
fflush(stdout);
int r;
r = read(0, submit, 6);
printf("Lotto Start!\n");
//sleep(1);
// generate lotto numbers
int fd = open("/dev/urandom", O_RDONLY);
if(fd==-1){
printf("error. tell admin\n");
exit(-1);
}
unsi