 Hey folks, I'm Dupay here and today we're going to be looking at ponables.kr, the random challenge. So this will be a walkthrough of this. So jumping right in, random says, Daddy, teach me how to use random value in programming. So it's good that it's not literally random in the sense that the challenge could be about who knows what, but it actually gives us a focus and something to look for. So it's saying teach me how to use a random value when programming. So we have, this is one of those SSH type challenges, so we'll SSH into random at ponable.kr on that port, which I've already done, looking around. We can see we have our standard flag, random and random.c. Now this time random underscore PWN control has set UID, so the user will execute as and the flag is readable by that user. So looking at, so great, looking at the code again, so this is very short, and if we look back, we can see that this is a one point challenge. This would be just as easy as the file descriptor challenge. Let's see if that's the case. So here we have including standard IO.h, random and unsigned int gets a random value and unsigned int key. So passes in, and this is interesting compared to the BOF challenge, it passes in the address of key, so that's the good way to use scanf, and then it says if the key xord with random is equal to dead beef, then good, then cap the flag, otherwise it's telling you maybe you should try two to the 32 cases. So hopefully this will not require two to the 32 cases because that is a lot of cases. So first thing we gotta do is figure out what the heck is this RAND function if you've never seen this. So we look at this, we see that RAND is a pseudo random number generator, it returns an int, takes nothing in, and it says the RAND function returns a pseudo random integer in the range of zero to RAND max. The SRAND function sets its argument as the seed for a new sequence of pseudo random numbers to be returned by RAND. These sequences are repeatable by calling SRAND with the same seed value. So SRAND is to seed the random number generator, so basically a pseudo random number generator will create a sequence of numbers that should not repeat for a long time. I'm not a crypto expert, but I do know how these things work. SRAND does not stand for secure, it stands for seed, so you're seeding the pseudo random number generator, and basically if you give it a specific seed, it will start generating random numbers, essentially using that as you can think of as the seed. So this way if you needed the random number generators to be exactly the same, you'd seed them with the same number, and they would both generate the same string of numbers. It says if no seed value is provided, and since RAND is the first thing that is called, we can see that there's no seed numbers provided, it's saying if no seed value is provided the RAND function is automatically seeded with a value of one. That is interesting and seems bad. So now the question is what is that value? So we can actually write a quick function. We are in random exploit.c, and we want to include all the stuff that it does, standard io.h, int main, we don't care about any of our arguments, and actually because I have a personal weirdness, I like it like this. So unsigned int random, random is equal to RAND, and printf percent d random, return zero. So we can take this and again I'll use the, so we can run this on our local machine and let's do that now. So we can do gcc w all exploit.c, and we can run it, we can see, so let's do a new line here just because that's nicer. So we can see that it executes some value, and just because I don't fully trust just in case there's some weirdness in the pseudo random number generator that's used in this version of Linux versus the system on the remote machine. Because I have the ability to run code on that machine, I'm just going to use, I'm going to use there, so let's make dirt temp atom d dash random, and the, okay, so cat exploit.c, there we go, gcc w all exploit, run a.out, and so it actually is the same, so that's nice. So we know, so now going back to the code, now we know exactly what, so even though it's a quote quote random number, because the seed is fixed, the first call to RAND will always be the same. And in fact, if we know the seed, we actually know the first call, the second call, every single call to RAND. So now that we have this, we know that it's going to ask us for our input, and it's going to exhort our input with that random number to get it to be dead beef. So we can take this number, turn it into, we can take this number, so essentially we will have this number, and we want dead beef, and clear it, turn it into a number, and we're going to exhort these two numbers together. So that number, exhort with, and you could use your terminal, you could use Python, you could use whatever fancy thing you want to do. That should give us this beef five, you know, let's make it a little nice XOR, or, so this is going to be the value that we should want to type in. So let's see if that's the case, and what does it do when it's correct? I believe it will cat out flag. So since we're in this directory, again, we'll do our little trick of doing home, random, flag, flag, and we can call home random, random, input this, boom, and there we go, mommy, I thought libcrandom is unpredictable. And assuming you don't know the seed, it is, it should be unpredictable or difficult to predict. So we can put this in here, and now we get that we already authenticated that flag. So there we go. We just broke the random challenge of Pornables.kr. So thanks, folks. Talk to you later.