pwnable.kr-random-Writeup

MarkdownPad Document

html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video { margin: 0; padding: 0; border: 0 }
body { font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 14px; line-height: 1.6; color: #333; background-color: #fff; padding: 20px; max-width: 960px; margin: 0 auto }
body>*:first-child { margin-top: 0 !important }
body>*:last-child { margin-bottom: 0 !important }
p,blockquote,ul,ol,dl,table,pre { margin: 15px 0 }
h1,h2,h3,h4,h5,h6 { margin: 20px 0 10px; padding: 0; font-weight: bold }
h1 tt,h1 code,h2 tt,h2 code,h3 tt,h3 code,h4 tt,h4 code,h5 tt,h5 code,h6 tt,h6 code { font-size: inherit }
h1 { font-size: 28px; color: #000 }
h2 { font-size: 24px; border-bottom: 1px solid #ccc; color: #000 }
h3 { font-size: 18px }
h4 { font-size: 16px }
h5 { font-size: 14px }
h6 { color: #777; font-size: 14px }
body>h2:first-child,body>h1:first-child,body>h1:first-child+h2,body>h3:first-child,body>h4:first-child,body>h5:first-child,body>h6:first-child { margin-top: 0; padding-top: 0 }
a:first-child h1,a:first-child h2,a:first-child h3,a:first-child h4,a:first-child h5,a:first-child h6 { margin-top: 0; padding-top: 0 }
h1+p,h2+p,h3+p,h4+p,h5+p,h6+p { margin-top: 10px }
a { color: #4183C4; text-decoration: none }
a:hover { text-decoration: underline }
ul,ol { padding-left: 30px }
ul li>:first-child,ol li>:first-child,ul li ul:first-of-type,ol li ol:first-of-type,ul li ol:first-of-type,ol li ul:first-of-type { margin-top: 0px }
ul ul,ul ol,ol ol,ol ul { margin-bottom: 0 }
dl { padding: 0 }
dl dt { font-size: 14px; font-weight: bold; font-style: italic; padding: 0; margin: 15px 0 5px }
dl dt:first-child { padding: 0 }
dl dt>:first-child { margin-top: 0px }
dl dt>:last-child { margin-bottom: 0px }
dl dd { margin: 0 0 15px; padding: 0 15px }
dl dd>:first-child { margin-top: 0px }
dl dd>:last-child { margin-bottom: 0px }
pre,code,tt { font-size: 12px; font-family: Consolas, "Liberation Mono", Courier, monospace }
code,tt { margin: 0 0px; padding: 0px 0px; white-space: nowrap; border: 1px solid #eaeaea; background-color: #f8f8f8 }
pre>code { margin: 0; padding: 0; white-space: pre; border: none; background: transparent }
pre { background-color: #f8f8f8; border: 1px solid #ccc; font-size: 13px; line-height: 19px; overflow: auto; padding: 6px 10px }
pre code,pre tt { background-color: transparent; border: none }
kbd { background-color: #DDDDDD; background-image: linear-gradient(#F1F1F1, #DDDDDD); background-repeat: repeat-x; border-color: #DDDDDD #CCCCCC #CCCCCC #DDDDDD; border-style: solid; border-width: 1px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; line-height: 10px; padding: 1px 4px }
blockquote { border-left: 4px solid #DDD; padding: 0 15px; color: #777 }
blockquote>:first-child { margin-top: 0px }
blockquote>:last-child { margin-bottom: 0px }
hr { clear: both; margin: 15px 0; height: 0px; overflow: hidden; border: none; background: transparent; border-bottom: 4px solid #ddd; padding: 0 }
table th { font-weight: bold }
table th,table td { border: 1px solid #ccc; padding: 6px 13px }
table tr { border-top: 1px solid #ccc; background-color: #fff }
table tr:nth-child(2n) { background-color: #f8f8f8 }
img { max-width: 100% }

pwnable.kr-random-Writeup

  • 与前几题套路相同,ssh远程登录,ls -l查看文件及权限,cat获得C代码如下:
 1 #include <stdio.h>
 2
 3 int main(){
 4     unsigned int random;
 5     random = rand();    // random value!
 6
 7     unsigned int key=0;
 8     scanf("%d", &key);
 9
10     if( (key ^ random) == 0xdeadbeef ){
11         printf("Good!\n");
12         system("/bin/cat flag");
13         return 0;
14     }
15
16     printf("Wrong, maybe you should try 2^32 cases.\n");
17     return 0;
18 }
  • 查看random()函数时有这样的描述:
  • 即该函数每次产生的随机值均为定值,自己写一个类似的程序可以得到此时产生的随机值为1804289383
  • 根据代码流程,1804289383 ^ 0xdeadbeef即可得到要输入的key值为3039230856,则可得到flag为 Mommy, I thought libc random is unpredictable...

2017-2-7 22:01;32

时间: 2024-10-13 03:07:18

pwnable.kr-random-Writeup的相关文章

【LINUX】pwnable.kr cmd1 writeup

[email protected]:~$ ls cmd1  cmd1.c  flag [email protected]:~$ cat cmd1.c #include <stdio.h> #include <string.h> int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, &quo

【PWN】pwnable.kr echo1 writeup

#Exploit for [email protected] #@Windcarp 2015.07.23 from pwn import * #init context(arch = 'amd64', os = 'linux') local=False if local: p = process("./echo1") libc = ELF("/lib/x86_64-linux-gnu/libc-2.19.so") else: p = remote("pwn

【PWN】Pwnable.kr echo2 writeup

依旧是基本技巧的考察,shellcode的寻找着实费了一番周折,然后就是FSB和UAF漏洞的利用,很好的一题! #Exploit for [email protected] #@Windcarp 2015.07.23 from pwn import * #init context(arch = 'amd64', os = 'linux') local=False if local: p = process("./echo2") libc = ELF("/lib/x86_64-

【LINUX】pwnable.kr cmd2 writeup

试了一晚上终于试出来了....真心曲折,考察linux脚本. 里面需要注意的点如下: 1. Linux里面的sh bash是不一样的,在不同系统上的存在也有不同.sh是为Unix所设计,讲究精简,里面比dash少一些功能,导致调试脚本时很多错了不知道怎么改,一步一步试出来的: 2. 重点在于构造“/”这个东西 3. 到此Toodler's Bottle已经刷完了,我的教程也写到了Lesson 3,接下来的题目writeup很少,我自己做也比较困难,可能转Protostar训练了吧? 前面进展缓慢

【pwnable.kr】 codemap

pwnable新的一题. download: http://pwnable.kr/bin/codemap.exe ssh [email protected] -p2222 (pw:guest) 这道题虽然是在pwnable下,但是是一道逆向题... //前web狗膜一发二进制大佬 根据提示,需要查看 0x403E65 运行时,寄存器 EAX,EBX 的内容. 先不考虑运行的内容,先看程序.首先这个程序没有加壳,直接可以用ida查看内容. 然后可以看到程序的框架,在main函数中,默默按下F5..

【pwnable.kr】bof

pwnable从入门到放弃,第三题. Download : http://pwnable.kr/bin/bofDownload : http://pwnable.kr/bin/bof.c Running at : nc pwnable.kr 9000 很简单的一道栈溢出题目. 依然先读代码: #include <stdio.h> #include <string.h> #include <stdlib.h> void func(int key){ char overfl

【pwnable.kr】leg

pwnable从入门到放弃第八题. Download : http://pwnable.kr/bin/leg.cDownload : http://pwnable.kr/bin/leg.asm ssh [email protected] -p2222 (pw:guest) 先下载这两个文件:leg.c #include <stdio.h> #include <fcntl.h> int key1(){ asm("mov r3, pc\n"); } int key2

【pwnable.kr】 asm

一道写shellcode的题目, #include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/mman.h> #include <seccomp.h> #include <sys/prctl.h> #include <fcntl.h> #include <unistd.h> #define LENGTH 128 void sa

pwnable.kr的passcode

前段时间找到一个练习pwn的网站,pwnable.kr 这里记录其中的passcode的做题过程,给自己加深印象. 废话不多说了,看一下题目, 看到题目,就ssh连接进去,就看到三个文件如下 看了一下我们的用户名,并不能直接查看flag这个文件.查看passcode.c的源码看一下 #include <stdio.h> #include <stdlib.h> void login(){ int passcode1; int passcode2; printf("enter

pwnable.kr bof之write up

这一题与前两题不同,用到了静态调试工具ida 首先题中给出了源码: 1 #include <stdio.h> 2 #include <string.h> 3 #include <stdlib.h> 4 void func(int key){ 5 char overflowme[32]; 6 printf("overflow me : "); 7 gets(overflowme); // smash me! 8 if(key == 0xcafebabe