Randy is a ELF 64-bit LSB executable. We have to figure out the valid key
[*] Key is 28 characters long
[*] Each 4 bytes from key is used as seed argument for srandom() function ie. we have 7 blocks of 4 characters each
[*] Then random() function is called 4 times, on each block of 4 characters and generated numbers are compared to validate the key
[*] So the idea is to figure out the seed value used for srandom() function
We can bruteforce the seed value to figure out the key. Here is the C code to do this
[ctf@renorobert BKPCTF]$ ./randy Password: qwerty :(Analysing the binary, we notice the following
[*] Key is 28 characters long
[*] Each 4 bytes from key is used as seed argument for srandom() function ie. we have 7 blocks of 4 characters each
[*] Then random() function is called 4 times, on each block of 4 characters and generated numbers are compared to validate the key
[*] So the idea is to figure out the seed value used for srandom() function
We can bruteforce the seed value to figure out the key. Here is the C code to do this
#include <stdio.h> #include <stdlib.h> int main(int argc, char **argv) { unsigned int seed; long int rand; unsigned int de; unsigned int ad; unsigned int be; unsigned int ef; for(de = 0x20; de <= 0x7e; de++) { for(ad = 0x20; ad <= 0x7e; ad++) { for(be = 0x20; be <= 0x7e; be++) { for(ef = 0x20; ef <= 0x7e; ef++) { seed = (de << 24 | ad << 16 | be << 8 | ef << 0 ); srandom(seed); rand = random(); if(rand == 0x7358837a) printf("Possible seed for 00-03 bytes: 0x%x\n", seed); else if(rand == 0x34d8c3b5) printf("Possible seed for 04-07 bytes: 0x%x\n", seed); else if(rand == 0x1f49456c) printf("Possible seed for 08-11 bytes: 0x%x\n", seed); else if(rand == 0x1fea6614) printf("Possible seed for 12-15 bytes: 0x%x\n", seed); else if(rand == 0x4e81abc7) printf("Possible seed for 16-19 bytes: 0x%x\n", seed); else if(rand == 0x683d3f5d) printf("Possible seed for 20-23 bytes: 0x%x\n", seed); else if(rand == 0x28c9a8fe) printf("Possible seed for 24-27 bytes: 0x%x\n", seed); } } } } }Running the code, we got the seeds in sometime
[ctf@renorobert BKPCTF]$ ./brute_randy Possible seed for 00-03 bytes: 0x2074306e Possible seed for 24-27 bytes: 0x21212121 Possible seed for 08-11 bytes: 0x30646e34 Possible seed for 20-23 bytes: 0x31316120 Possible seed for 12-15 bytes: 0x3420306d Possible seed for 04-07 bytes: 0x72203073 Possible seed for 16-19 bytes: 0x72337466Now converting this to text gives us the valid key
>>> from struct import pack >>> pack("<I",0x2074306e)+pack("<I",0x72203073)+pack("<I",0x30646e34)+pack("<I",0x3420306d)+pack("<I",0x72337466)+pack("<I",0x31316120)+pack("<I",0x21212121) 'n0t s0 r4nd0m0 4ft3r a11!!!!'
[ctf@renorobert BKPCTF]$ ./randy Password: n0t s0 r4nd0m0 4ft3r a11!!!! :)Flag for the challenge is n0t s0 r4nd0m0 4ft3r a11!!!!
No comments :
Post a Comment