seed-sPRiNG
The most revolutionary game is finally available: seed sPRiNG is open right now! seed_spring. Connect to it with nc 2019shell1.picoctf.com 12269.
Let's try running the binary:

```
mmm mmm mmm mmm# mmm # "# # "# mmm #"m # m" "
" #" # #" # #" "# # " #mmm#" #mmmm" # # #m # # mm
"""m #"""" #"""" # # """m # # "m # # # # # # "mmm" "#mm" "#mm" "#m## "mmm" # # " mm#mm # ## "mmm"
```

The capital letters in the name of this challenge (PRNG) make sense now. That is an abbreviation for pseudo-random number generator (`rand()` seeded through `srand()` in this case), which is what we can abuse to solve this challenge. We need to "guess" 30 "random" numbers in a row to call the `get_flag()` function and print the flag.

This program generates a "random" number and then applies a bitwise AND operation between that value and `0xf`, so we must do the same in our program.

The program calls `srand()` and sets the seed to the current time. All the values returned by `rand()` throughout the program are based on this seed. If we use the same seed, we will receive the same values.

Let's create a program that calls `srand(time(0))`. Running this program at the same time as `seed_spring` (within the same second, since `time(0)` counts seconds) will produce the same set of "random" numbers. We can feed the output from our program directly into `seed_spring`.

Output and flag:

```
mmm mmm mmm mmm# mmm # "# # "# mmm #"m # m" "
" #" # #" # #" "# # " #mmm#" #mmmm" # # #m # # mm
"""m #"""" #"""" # # """m # # "m # # # # # # "mmm" "#mm" "#mm" "#m## "mmm" # # " mm#mm # ## "mmm"
picoCTF{pseudo_random_number_generator_not_so_random_66aacad47c332de30eb8d8170d96b772}
```
Reverse the binary file using (). `main()` function:

The program will print the first 30 pseudo-random numbers, each one followed by a newline, so the output can be easily piped into `seed_spring`. Let's compile with `gcc -g solve.c -o solve`.
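The generator this step describes, as an added example (not the write-up's original `solve.c`, which is not reproduced on this page): it seeds `rand()` with the current second and prints 30 values masked with `0xf`. The optional seed argument and the `streams_match` helper are assumptions of this example, included to show that equal seeds give equal streams.

```c
/* Added example, not the original solve.c from the write-up. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define ROUNDS 30   /* the game asks for 30 correct guesses in a row */

/* Seed rand() and store the first n values, each masked with 0xf as the game does. */
static void fill_guesses(unsigned int seed, int *out, int n)
{
    srand(seed);
    for (int i = 0; i < n; i++)
        out[i] = rand() & 0xf;
}

/* Hypothetical helper: 1 when two seeds yield the same 30-value stream, else 0. */
int streams_match(unsigned int seed_a, unsigned int seed_b)
{
    int a[ROUNDS], b[ROUNDS];

    fill_guesses(seed_a, a, ROUNDS);
    fill_guesses(seed_b, b, ROUNDS);
    for (int i = 0; i < ROUNDS; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    /* Default seed is the current second, matching srand(time(0)); an optional
       numeric argument (an assumption of this example) fixes the seed instead. */
    unsigned int seed = argc > 1 ? (unsigned int)strtoul(argv[1], NULL, 10)
                                 : (unsigned int)time(NULL);
    int guesses[ROUNDS];

    fill_guesses(seed, guesses, ROUNDS);
    for (int i = 0; i < ROUNDS; i++)
        printf("%d\n", guesses[i]);   /* one guess per line, ready to pipe */
    return 0;
}
```

The output matches the target only when both programs use the same C library's `rand()` and read `time(0)` within the same second. A service that needs unpredictable values should draw them from the operating system's CSPRNG instead of a time-seeded `rand()`.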
On the shell server (we need to have the exact same time, so we cannot generate our numbers locally), make a `solve.c` file by copying the file in this folder, then run the following: