# seed-sPRiNG

### Problem

> The most revolutionary game is finally available: seed sPRiNG is open right now! seed\_spring. Connect to it with nc 2019shell1.picoctf.com 12269.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/seed-sPRiNG/seed_spring/README.md)

### Solution

1. Lets try running the binary:

   \`\`\`

   ```
                        #                mmmmm  mmmmm    "    mm   m   mmm 
   ```

   mmm mmm mmm mmm# mmm # "# # "# mmm #"m # m" "

   **"  #"  #  #"  #  #" "#         #   "  #mmm#" #mmmm"   #    # #m # #   mm**

   """m #"""" #"""" # # """m # # "m # # # # # # "mmm" "#mm" "#mm" "#m## "mmm" # # " mm#mm # ## "mmm"

````
Welcome! The game is easy: you jump on a sPRiNG.
How high will you fly?

LEVEL (1/30)

Guess the height: 5
WRONG! Sorry, better luck next time!
```
````

1. Reverse the binary file using [Ghidra](https://ghidra-sre.org/) ([cheat sheet](https://ghidra-sre.org/CheatSheet.html)). `main()` function:

   ```cpp
    /* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */

    undefined4 main(void)

    {
    uint local_20;
    uint local_1c;
    uint local_18;
    int local_14;
    undefined *local_10;

    local_10 = &stack0x00000004;
    puts("");
    puts("");
    puts("                                                                             ");
    puts("                          #                mmmmm  mmmmm    \"    mm   m   mmm ");
    puts("  mmm    mmm    mmm    mmm#          mmm   #   \"# #   \"# mmm    #\"m  # m\"   \"");
    puts(" #   \"  #\"  #  #\"  #  #\" \"#         #   \"  #mmm#\" #mmmm\"   #    # #m # #   mm");
    puts(
        "  \"\"\"m  #\"\"\"\"  #\"\"\"\"  #   #          \"\"\"m  #      #   \"m   #    #  # # #    #"
        );
    puts(" \"mmm\"  \"#mm\"  \"#mm\"  \"#m##         \"mmm\"  #      #    \" mm#mm  #   ##  \"mmm\"");
    puts("                                                                             ");
    puts("");
    puts("");
    puts("Welcome! The game is easy: you jump on a sPRiNG.");
    puts("How high will you fly?");
    puts("");
    fflush(stdout);
    local_18 = time((time_t *)0x0);
    srand(local_18);
    local_14 = 1;
    while( true ) {
        if (0x1e < local_14) {
        puts("Congratulation! You\'ve won! Here is your flag:\n");
        get_flag();
        fflush(stdout);
        return 0;
        }
        printf("LEVEL (%d/30)\n",local_14);
        puts("");
        local_1c = rand();
        local_1c = local_1c & 0xf;
        printf("Guess the height: ");
        fflush(stdout);
        __isoc99_scanf(&DAT_00010c9a,&local_20);
        fflush(stdin);
        if (local_1c != local_20) break;
        local_14 = local_14 + 1;
    }
    puts("WRONG! Sorry, better luck next time!");
    fflush(stdout);
                        /* WARNING: Subroutine does not return */
    exit(-1);
    }
   ```

   The capital letters in the name of this challenge (PRNG) make sense now. That is an abbreviation for pseudo random number generator (`srand()` in this case), which is what we can abuse to solve this challenge. We need to "guess" 30 "random" numbers in a row to call the `get_flag()` function and print the flag.

   This program generates a "random" number and then applies a bitwise AND operation between that value and `0xf`, so we must do the same in our program.
2. The program calls `srand()` and sets the seed to the current time. All the values returned by `srand()` throughout the program are based on this seed. If we enter the same seed we will receive the same values.
3. Let's create a program that calls `srand(time(0))`. Running this program at the same time as `seed_spring` will produce the same set of "random" numbers. We can feed the output from our program directly into `seed_spring`.
4. The [solve](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/seed-sPRiNG/solve/README.md) program will print the first 30 pseudo random numbers with each one followed by a newline so the output can be easily piped into `seed_spring`. Let's compile [solve.c](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/seed-sPRiNG/solve.c) with `gcc -g solve.c -o solve`.
5. On the shell server (we need to have the exact same time so we cannot generate out numbers locally) make a `solve.c` file by copying the [solve.c](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/seed-sPRiNG/solve.c) file in this folder, then run the following:

   ```
    gcc -g solve.c -o solve
    ./solve | nc localhost 12269
   ```

   Output and flag:

   \`\`\`

   ```
                        #                mmmmm  mmmmm    "    mm   m   mmm 
   ```

   mmm mmm mmm mmm# mmm # "# # "# mmm #"m # m" "

   **"  #"  #  #"  #  #" "#         #   "  #mmm#" #mmmm"   #    # #m # #   mm**

   """m #"""" #"""" # # """m # # "m # # # # # # "mmm" "#mm" "#mm" "#m## "mmm" # # " mm#mm # ## "mmm"

````
Welcome! The game is easy: you jump on a sPRiNG.
How high will you fly?

LEVEL (1/30)

Guess the height: LEVEL (2/30)

Guess the height: LEVEL (3/30)

Guess the height: LEVEL (4/30)

Guess the height: LEVEL (5/30)

Guess the height: LEVEL (6/30)

Guess the height: LEVEL (7/30)

Guess the height: LEVEL (8/30)

Guess the height: LEVEL (9/30)

Guess the height: LEVEL (10/30)

Guess the height: LEVEL (11/30)

Guess the height: LEVEL (12/30)

Guess the height: LEVEL (13/30)

Guess the height: LEVEL (14/30)

Guess the height: LEVEL (15/30)

Guess the height: LEVEL (16/30)

Guess the height: LEVEL (17/30)

Guess the height: LEVEL (18/30)

Guess the height: LEVEL (19/30)

Guess the height: LEVEL (20/30)

Guess the height: LEVEL (21/30)

Guess the height: LEVEL (22/30)

Guess the height: LEVEL (23/30)

Guess the height: LEVEL (24/30)

Guess the height: LEVEL (25/30)

Guess the height: LEVEL (26/30)

Guess the height: LEVEL (27/30)

Guess the height: LEVEL (28/30)

Guess the height: LEVEL (29/30)

Guess the height: LEVEL (30/30)

Guess the height: picoCTF{pseudo_random_number_generator_not_so_random_66aacad47c332de30eb8d8170d96b772}Congratulation! You've won! Here is your flag:
```
````

#### Flag

`picoCTF{pseudo_random_number_generator_not_so_random_66aacad47c332de30eb8d8170d96b772}`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://picoctf2019.haydenhousen.com/binary-exploitation/seed-spring.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.