Tags: randomness 

# Focus on xalan
This is a short writeup. If you want the details of the challenge you can try it yourself, or read other teams' writeups, like:
- [https://ctftime.org/writeup/12776](https://ctftime.org/writeup/12776)
- [https://ctftime.org/writeup/12774](https://ctftime.org/writeup/12774)
- definitely check this one out: [https://ctftime.org/writeup/12782](https://ctftime.org/writeup/12782)

The challenge relies on the Xalan (xalan-c) XSLT processor to run stylesheets.

We have to pop 5 random values from the chef-drinks array, which are generated like this:

```xml
<xsl:variable name="chef-drinks">
<value>
<xsl:value-of select="round(math:random() * 4294967296)"/>
</value>
...
<value>
<xsl:value-of select="round(math:random() * 4294967296)"/>
</value>
</xsl:variable>
```

If you take a look at the interpreter, math:random() is just the standard C rand() divided by RAND_MAX:

[https://github.com/apache/xalan-c/blob/765ece372aec74c438e678b8ebb5ee44306583d5/src/xalanc/XalanEXSLT/XalanEXSLTMath.cpp#L415](https://github.com/apache/xalan-c/blob/765ece372aec74c438e678b8ebb5ee44306583d5/src/xalanc/XalanEXSLT/XalanEXSLTMath.cpp#L415)

And the srand() seed is time(NULL), as usual:

[https://github.com/apache/xalan-c/blob/765ece372aec74c438e678b8ebb5ee44306583d5/src/xalanc/XalanEXSLT/XalanEXSLTMath.cpp#L1549](https://github.com/apache/xalan-c/blob/765ece372aec74c438e678b8ebb5ee44306583d5/src/xalanc/XalanEXSLT/XalanEXSLTMath.cpp#L1549)

Combined, these two facts mean that if we guess the execution time of our payload (the value of time(NULL)) correctly, we know the values of chef-drinks.

I wrote a C++ program to generate 3 times 5 random() values for time(NULL) + 0, 1, 2,
and a Python script that submits them as XML.

```c++
#include <cmath>
#include <cstdlib>
#include <ctime>
#include <iostream>

using namespace std;

int main() {
    // Candidate seeds: the second the payload runs in, plus the next two
    auto base = time(NULL);

    for (int i = 0; i < 3; i++) {
        srand(base + i);  // same seeding as xalan: srand(time(NULL))
        for (int j = 0; j < 5; j++) {
            // Mirror math:random(): rand() / RAND_MAX, with 0 kept as 0
            auto r = rand();
            double result = 0.0;

            if (r != 0)
            {
                result = double(r) / RAND_MAX;
            }
            // The stylesheet's round(math:random() * 4294967296)
            long long res = round(result * 4294967296.0);
            cout << res << '\n';
        }
    }
}
```
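To see how little uncertainty a time(NULL) seed leaves, here is an added C example (mine, not the writeup's or xalan's code) that turns the guess above into a search: it regenerates the chef-drinks array for every seed within a window around an estimated execution time and keeps the seed whose first values match what the debug plate printed, which then also yields the values not yet seen. The window size, the 1700000000 timestamp and the "two leaked values" scenario are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define DRINKS 5
#define SCALE 4294967296.0 /* the stylesheet's multiplier, 2^32 */
/* One math:random() value as xalan computes it: rand() / RAND_MAX (0 stays 0), then the
   stylesheet's round(x * 4294967296). Truncating x + 0.5 equals round() for these
   non-negative values and avoids linking libm. */
static long long drink_value(void) {
    int r = rand();
    double x = (r != 0) ? (double)r / RAND_MAX : 0.0;
    return (long long)(x * SCALE + 0.5);
}

/* The chef-drinks array a xalan process seeded with `seed` produces. */
void chef_drinks_for_seed(unsigned seed, long long out[DRINKS]) {
    srand(seed);
    for (int i = 0; i < DRINKS; i++)
        out[i] = drink_value();
}

/* Try every seed in [estimate - window, estimate + window] until one reproduces the first
   `known` observed values. Returns that seed (0 if none matched); on success predicted[]
   holds the whole array, including the values that were never observed. */
unsigned recover_seed(const long long *observed, int known, time_t estimate, int window,
                      long long predicted[DRINKS]) {
    for (long long delta = -window; delta <= window; delta++) {
        unsigned seed = (unsigned)(estimate + delta);
        chef_drinks_for_seed(seed, predicted);
        int match = 1;
        for (int i = 0; i < known && match; i++)
            match = (predicted[i] == observed[i]);
        if (match)
            return seed;
    }
    return 0;
}

int main(void) {
    /* Constructed scenario: a run at a second we only know to within +/-60 s leaked
       its first two chef-drinks through the debug plate. Not a real run. */
    time_t actual = 1700000000;
    long long leaked[DRINKS], predicted[DRINKS];
    chef_drinks_for_seed((unsigned)actual, leaked);
    unsigned seed = recover_seed(leaked, 2, actual + 7, 60, predicted);
    for (int i = 0; i < DRINKS; i++)
        printf("seed %u drink[%d] = %lld%s\n", seed, i, predicted[i], i < 2 ? " (leaked)" : " (predicted)");
    return seed == (unsigned)actual ? 0 : 1;
}
```

At most 2 * window + 1 seeds are ever tried, so a rough idea of when the process started is all the "randomness" protects against.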

```xml
<meal>
<course>
<plate><宫保鸡丁></宫保鸡丁></plate> <!-- print values for debug -->
<plate><Борщ></Борщ></plate> <!-- pop drinks and chef-drinks -->

<!-- ... 5 times ... -->

<plate><दाल></दाल></plate> <!-- get flag -->
<plate><宫保鸡丁></宫保鸡丁></plate> <!-- print flag -->
</course>
<state>
<drinks><value>1234</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
<drinks><value>{}</value></drinks>
</state>
</meal>
```