Tags: randomness

Rating:

# Focus on xalan
This is a short writeup, if you want to know the details of the challenge you can try yourself or you can read other teams writeups like:
- [https://ctftime.org/writeup/12776](https://ctftime.org/writeup/12776)
- [https://ctftime.org/writeup/12774](https://ctftime.org/writeup/12774)
- definitely check this one out [https://ctftime.org/writeup/12782](https://ctftime.org/writeup/12782)

The challenge relies on xalan interpreter for xslt files

We have to pop 5 random values from the chef-drinks array which are generated in this way

xml
<xsl:variable name="chef-drinks">
<value>
<xsl:value-of select="round(math:random() * 4294967296)"/>
</value>
...
<value>
<xsl:value-of select="round(math:random() * 4294967296)"/>
</value>
</xsl:variable>


If you take a look at the interpreter, math:random() is just the standard c rand()

And also srand seed is time(NULL), as usual.

These 2 facts combined means that if we guess the time of execution of our payload (time(NULL)) correctly, we will know the values of chef-drinks

I wrote a c++ program to generate 3 times 5 random() values for time(NULL) + 0, 1, 2
and a python script that submits them as xml

c++
int main() {
auto base = time(NULL);

for (int i = 0; i < 3; i++) {
srand(base+i);
for (int j = 0; j < 5; j++) {
auto r = rand();
double result = 0.0;

if (r != 0)
{
result = double(r) / RAND_MAX;
}
long long res = round(result * 4294967296);
cout << res << '\n';
}
}
}


xml

<meal>
<course>
<plate><宫保鸡丁></宫保鸡丁></plate> # print values for debug
<plate><Борщ></Борщ></plate> # pop drinks and chef-drinks

... 5 times ...

<plate><दाल></दाल></plate> # get flag
<plate><宫保鸡丁></宫保鸡丁></plate> # print flag

</course>
<state>
<drinks><value>1234</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
</state>
</meal>