Hey folks, Adam DuPay here, and today we're gonna be looking at pwnable.kr, the Blackjack challenge. So this is a one-point challenge. So hey, who knows, this could be easy, this could be hard. The Mistake challenge actually took me a while, so let's dig in. So Blackjack says, hey, check out the C implementation of a Blackjack game. I found it online. Oh cool, everyone likes code that they just randomly found online. I like to give my flags to millionaires, don't we all? How much money you got? Running at nc pwnable.kr. All right, so this looks like another challenge where we don't necessarily have access to the binary and we have to, like, execute it remotely. All right, incorrect choice, sure. The odds: this game, this program generates cards at random, each card has a value. Cards numbered one through 10 hold the value of the number, the Jack, Queen and King hold the value of 10, and Ace cards hold the value of 11. The goal of this game is to reach a card value total of 21. After the dealing of the first two cards, you must decide whether to hit or stay. Stay will keep you safe, hitting will add a card. Beware, you're competing against the dealer, you must beat their hand, but beware, if a total goes over 21 you will lose. You can always play again, your results are recorded. Would you like to go to the previous screen? Yes. Are you ready? I guess. Play this greatest game ever told. So obviously we want to bet 500. Our total is seven, the dealer has a total of two. What happens if I stay on seven? Ah, the dealer keeps going, okay. Play again, yes. You are bankrupt, would you like to play again? Obviously. Okay, that's weird, you enter your bet after you know what they have. So the dealer has showing a 10, we have five. Yes, I want to hit, we have 16, they have 11, I think we want to hit, we have 17, let's stay on our 17, and the dealer has a better hand at 23. Didn't they go over? Whatever.
All right, so let's look at this C code. So, simple blackjack program, all right, wow. Okay, so here is, man. Wow, so this looks like somebody's, allegedly from 2009, somebody's final program. Okay, so let's go here, blackjack, call this source.c. Okay, so it says feel free, I guess they can do this, feel free to use any and all parts of this program and claim it as your own work. All right, the results file, some global variables, one of which is called cash, maybe we can manipulate that somehow. Cash test, okay, oh, maybe we can, let's see, cash is equal to cash, that seems like an interesting choice. Cash test, if cash is less than or equal to zero, zero cash remaining, you are bankrupt, game over, except it gives you 500 cash when doing that, would you like to play again? GANFs, oh, system clear, interesting, bye. Huh, all right, I wonder, let's see cash, yeah. Okay, cash is unsigned, all right, so let's just see this play, fancy play. So this is interesting because they just dropped us in this really kind of large-ish program that, okay, so zero holds the player total counter-asking, wait, I wanna see where play is called. Ask title, I just wanna get a feel for the overall flow of this program. Wow, okay, so there's the main function, it certainly is a thing, ask title, ask us a choice, if choice is y or Y, and it's definitely doing C, ask us a choice, incorrect choice, okay, so it definitely wants us to make a yes choice. Clear, enter one to play the greatest game ever played, choice two, if choice two is less than zero or greater than three, invalid choice, oh, here it's a %d, interesting. So if it's one, clear it and play, otherwise clear it, play the rules, otherwise you could have been perfect, oh, two, get it, all right, okay, so play. I don't think rules, let's briefly look at rules, I don't think it's gonna have anything interesting.
Rules, blah, a choice, blah, ask title, ask title, oh, weird, it doesn't actually come back, it just keeps looping, okay, it keeps going to ask title. I guess you could get it to buffer overflow but that's not very interesting, although maybe that would leak some information, but okay, we can just assume that ask title, we're gonna go in here. So the interesting thing we want to deal with is play, the player total, so cash test, okay, random card looks interesting, srand, oh, okay, interesting, so does this want us to, so again, like we saw in the, I believe it was the challenge, oh, random, so we saw that if we can predict the seed, we can actually predict what the output is going to be, so we know if it's a club card, a diamond card, a heart card, or a spade card, but it's gonna do that every time, okay, maybe that's it, maybe it's somewhere else. Random card, the players, wow, okay, so random card actually, let's say club card, does it output this, oh, it calls random again, all right, it's nine or less, wow, this is terrible, this is actually a great experience for getting used to looking at terrible, terrible code. All right, so srand, so it's 13, 11, 12, man, so all of these functions are just gonna, wait, so it's calling srand, generates a random seed for the rand function, so it's calling srand every time, wow, okay, all right, that should be, we could probably break that, let's see if there's another way to do this. All right, counts the player total, player's total is 0 to P plus L, whoa, global variables L, okay, all right, and so, this is one of those times where you feel like by looking at this code, you're gonna eventually go crazy yourself. Cash, so prints out the cash, gets a random card, player total is the player's total, prints out our total, we then have the dealer. Why in the world does it ask us to bet after we know what the cards are? Can we just keep doing this and only bet when we know we're gonna win?
I mean, definitely, but for dealer AI, great, if the dealer total is less than 17, call srand, ah, this time with time plus one, wow, maybe they realized they kept pulling the same cards over and over, in a second you'll get, yeah, random numbers, Ace, dealer total less than or equal to 10, so, okay, betting, maybe there's a vulnerability. Enter bet, scanf, bet, if bet is greater than cash, so that was, if you bet negative dollars and then lose, I wonder, let's try that, that would be something that would definitely be in the realm of, are you ready, greatest game ever played, I will stay, would you like to play again? Yes, okay, there we go, we found the vulnerability. All right, so I can't believe that took so long, but it's clear, the problem here is that bet and cash are all integers, so we can enter a bet of negative dollars, and so now this bet is, and then we just intentionally lose the game. So if I do negative dollars, I will stay with my 10, I won, how did I win, I bankrupted, okay, my total is one and the dealer has 11, so let's bet a million, negative a million, I would like to stay, I've chosen there, yes, yay, I am a millionaire, LOL, okay, wow, okay, good, glad that didn't take much longer because literally my eyes were about to fall out of my sockets. I don't know how these people, the pwnable.kr people, found this challenge, but I mean, hey, you know what, this is the thing about a CTF, you gotta be prepared to look at all kinds of programs, and anything, you have to literally be up for anything. So this was a good reminder to always be prepared and to be ready for any challenge that they can possibly throw at you, so see you later, folks, and I'll see you next time.
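As an added example, not code from the video or from the pwnable.kr challenge source: a constructed C model of the bet logic the speaker describes (a signed bet read with scanf("%d"), with only bet > cash refused), placed beside a hardened check that also refuses zero and negative bets. The function names, the starting cash of 500 and the sample inputs are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example, not the challenge's source: models the bet handling
 * described in the video next to a hardened version. All names are hypothetical. */

enum bet_status { BET_ACCEPTED = 0, BET_REJECTED = 1 };

/* Reads the bet the way scanf("%d") does: a leading '-' is valid input, so
 * "-1000000" becomes the integer -1000000. Returns false if no number was read. */
bool parse_bet(const char *input, int *bet)
{
    return sscanf(input, "%d", bet) == 1;
}

/* The check described in the video: only an oversized bet is refused, so any
 * negative value is accepted and a lost hand then *adds* money to the player. */
enum bet_status check_bet_vulnerable(int cash, int bet)
{
    if (bet > cash)
        return BET_REJECTED;   /* "you cannot bet more than your cash" */
    return BET_ACCEPTED;
}

/* Hardened check: the bet must be strictly positive and within the player's cash. */
enum bet_status check_bet_hardened(int cash, int bet)
{
    if (bet <= 0 || bet > cash)
        return BET_REJECTED;
    return BET_ACCEPTED;
}

/* Settles one hand: a lost hand subtracts the bet, a won hand adds it.
 * Arithmetic is done in long long so the demo itself never overflows int
 * (with int, cash - INT_MIN would be undefined behaviour). */
long long settle(int cash, int bet, bool player_won)
{
    return player_won ? (long long)cash + bet : (long long)cash - bet;
}

/* Runs one bet through either check and, if accepted, settles the hand.
 * Returns the resulting cash, or the unchanged cash when the bet was refused
 * or no number could be parsed. */
long long play_round(const char *bet_input, int cash, bool player_won, bool hardened)
{
    int bet;
    if (!parse_bet(bet_input, &bet))
        return cash;                       /* no valid number: nothing is staked */

    enum bet_status st = hardened ? check_bet_hardened(cash, bet)
                                  : check_bet_vulnerable(cash, bet);
    if (st == BET_REJECTED)
        return cash;
    return settle(cash, bet, player_won);
}

int main(void)
{
    /* Constructed inputs: start with the 500 the video mentions and deliberately lose. */
    printf("vulnerable, bet -1000000, lose: cash %lld\n", play_round("-1000000", 500, false, false));
    printf("hardened,   bet -1000000, lose: cash %lld\n", play_round("-1000000", 500, false, true));
    printf("hardened,   bet 200,      win:  cash %lld\n", play_round("200", 500, true, true));
    return 0;
}
```

The only difference between the two checks is the lower bound: a range check on money entered by the user has to bound both ends, and rejecting zero as well keeps a "free" round from existing. The same shape of fix applies to any signed quantity read with scanf("%d") and compared against only one limit.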