Hey folks, Adam Doupé here, and in this video we're going to be doing a live hack of the pwnable.kr challenge lotto. So let's dive right in. So lotto says, "mommy, I made a lotto program for my homework. That's good. Do you want to play?" And so here now we actually have access to a system. So when we SSH to this system, we can see we're back on familiar territory. We have lotto_pwn. We have a lotto executable, which is setuid on the owner bit by lotto_pwn, and where lotto_pwn can read this flag, and we have our lotto.c. So now everything makes sense in the world, and hopefully we're back to some cool, nice challenges.

So we have a decently large application here. So let's look in. So we have a global variable submit that's six characters. So we have a play function, which, as we can see here, has some kind of win, which is good. We want to get there. We have a help thing. So this is interesting. Let's look at this. It says "Lotto rules: Lotto is consisted with six natural random numbers less than 46. Your goal is to match lotto numbers as many as you can." This might be a crypto one. "If you win the lottery for first place, you'll get a reward. For more details, follow the link below." Interesting. "Mathematical chance to win the game is known to be one out of eight million." So hopefully we will not have to do that many. And if we go back, this is a two-point challenge, so hopefully not that much. And so clearly this should have nothing to do with this page that they just linked us to, since it is clearly in Korean. So one of the interesting things, so this clearly means that, hey, this is just kind of like a realistic thing that they actually wrote, which is cool. I always like it; it's always interesting when people take realistic vulnerabilities and put them into challenges. So just check out our main menu. So we have an unsigned int menu.
So while(1), so forever, do this: select menu, play lotto, help, exit, scanf into menu. So scan a number into menu, switch on menu: one, play; two, help; three, printf "bye" and return zero to get out of this crazy loop. And then we can play.

All right. So let's look at this play function. So it looks like that's where all the fun is. So it says "submit your six lotto bytes" and then an fflush. And then it reads in six bytes into this submit buffer. So this buffer is again going to be six bytes. Interesting. Okay. So read from zero, file descriptor zero, standard in, then lotto starts. So generate lotto numbers. So good. We're reading from /dev/urandom now. That's good. And if it gets there, "please tell admin", hopefully that won't happen. Then unsigned char lotto. So read from this file descriptor, /dev/urandom, six bytes; if it's not equal to six, that means we didn't read six values. And what is this doing? for, let's see, i = 0, i < 6, i++, lotto[i] = lotto[i] % 45 + 1. So the idea is to change every value in the lottery from one to 46. Let's see, then calculate a lotto score. Interesting.

All right. So match, j, for i = 0 to less than six, j less than zero, if... interesting, why is this a double loop? That may be the problem here. Okay. This doesn't make sense. So, okay. So the idea is we want to match. So it's checking if lotto[i] is equal to submit[j], then match++. And if match equals six, then we win. So the idea is, what it wants is, it wants to see how many of them are correct. But I believe this loop is definitely, I mean this jumps out, this was not the way that you would check this, right? You'd check to see if the bytes actually matched. So this means that if you get any one byte correct, it will count that for however many times it's in submit. So I think if we just set it to, let's say, all ones, if we just pass in six ones, then we can keep trying this.
And once we get one that has all ones, we should hit it. I think that'll work. Let's try that out. And what's it going to read from? It's going to read from us, from standard input. Okay. Cool. And so we can do python -c 'print "\x01" * 6' and pipe that into ./lotto. Oh, okay, okay, okay, I see. I see the problem. So we should be able to do one. Let's see. How is it reading this in the menu? I forgot about the menu, okay. So it's just looking for an int. So great. So we can do one, a newline, but then is the newline going to be considered as part of that? Let's just do... and that did not work out too well. Okay. Because that is in there, okay, okay, okay, okay, six plus, was it three to exit? Oh gosh. It does not like this, it does not like this, okay. Let's go one newline, three newlines.

All right, because so the reason is, why aren't we... I believe urandom. "The character special files /dev/random and /dev/urandom provide an interface to the kernel's random number generator. File /dev/random has major device..." blah, blah, blah. "When read, the /dev/random device will only return random bytes within the estimated number of bits of noise..." I read from the dev, okay, okay, well, we may be fine there, I read from dev. So /dev/random is a blocking pseudo-random number generator. So these devices /dev/random and /dev/urandom are seeded by the kernel. The kernel will add entropy to this and they will check. So /dev/urandom will not block, but that should be fine because we probably still can't guess it anyway. I think this should work. I'm not 100% certain why it would be a good approach to use. I think let's do this: we will create a Python script, because I love talking about how awesome it is to write Python scripts, and .py, and I actually want the connection to be... and let's see, I can actually debug this locally.
So, so we need conn.recvuntil "3. exit" and then sendline "1". We want to play our game until you give me the flag, man. This is what I want to see: sendline "1", recvuntil this, and then my six bytes, and then "\x01" * 6. I'm going to send six bytes of that, 123456, oh, it's because I sent... All right, let's see what that does. All right, let's see if we are six ones. Okay. So now we want to debug this process and see what's going on here. So I think the part, the problem is going to be the problem that these are global variables. No, the problem is that lotto... Okay. So mod 45 plus one, yeah. So it should just take 45 guesses to get that right. Yeah, because as soon as anything mod 45 matches, that should work. Oh, let's see what happens if I do a recvuntil... there we go. Got it. Okay. Okay. Great.

So yes, this definitely works, because they are doing this double loop to count, which means all we have to do is wait until anything in lotto... So if lotto is, if anything mod 45 plus one, so all we need to do is try, wait 46 times, and then that number will hit every single one in our match. And so it will get incremented six times, and so match will be six and we will get the flag. So I believe we'll need to change this connection from here to /home/lotto/lotto... lotto, mkdir /tmp/adamd, lotto apparently, cat: no such file or directory. Again, we have the same problem. So now we, I mean, so now we need to make sure we have a /home/lotto/flag, flag set up. python exploit... and get "sorry mom... I forgot to check duplicate numbers". Wow. Yep, that is a problem.

Cool. That was a really fun pwnable. Yeah, these types of logic problems are really difficult to identify programmatically. And so these problems are super interesting to me. So that was super fun. And I hope you learned something and I will talk to you later.
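The scoring bug walked through in the video, as an added example that is not the challenge's own lotto.c and not the speaker's exploit script: a reconstruction of the double-loop scorer beside a hardened version that rejects duplicate or out-of-range numbers and matches each drawn number at most once, plus a driver that counts how many draws the "six identical bytes" strategy needs against the buggy scorer. The byte-to-number mapping (raw % 45 + 1) follows the description in the video; the sample draw, the submissions, the helper names and the small LCG standing in for /dev/urandom are this example's own assumptions.

```c
/* Added example (not the pwnable.kr lotto.c): buggy vs. hardened lotto
 * scoring, and a driver for the six-identical-bytes strategy.
 * Sample draws, submissions, helper names and the LCG are constructed here. */
#include <stdint.h>
#include <stdio.h>

#define N 6
#define MAXNUM 45

/* Mapping described in the video: a raw /dev/urandom byte -> 1..45.
   Note the draw itself may contain repeats; the scorer must tolerate that. */
unsigned char map_byte(unsigned char b) {
    return (unsigned char)(b % MAXNUM + 1);
}

void draw_from_bytes(const unsigned char raw[N], unsigned char lotto[N]) {
    for (int i = 0; i < N; i++)
        lotto[i] = map_byte(raw[i]);
}

/* Buggy scorer, as described in the video: every (i, j) pair that matches
   is counted, so one correct byte repeated six times in submit scores 6. */
int score_buggy(const unsigned char lotto[N], const unsigned char submit[N]) {
    int match = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            if (lotto[i] == submit[j])
                match++;
    return match;
}

/* Hardened input check: six distinct numbers, each in 1..45.
   Rejecting duplicates is the "sorry mom" fix the flag text hints at. */
int submission_ok(const unsigned char submit[N]) {
    uint64_t seen = 0;
    for (int i = 0; i < N; i++) {
        if (submit[i] < 1 || submit[i] > MAXNUM)
            return 0;
        if (seen & (1ULL << submit[i]))
            return 0;
        seen |= 1ULL << submit[i];
    }
    return 1;
}

/* Hardened scorer: an invalid submission scores -1 instead of being played,
   and each drawn number is matched at most once (break after the first hit). */
int score_fixed(const unsigned char lotto[N], const unsigned char submit[N]) {
    if (!submission_ok(submit))
        return -1;
    int match = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            if (lotto[i] == submit[j]) {
                match++;
                break;
            }
    return match;
}

/* Tiny deterministic PRNG standing in for /dev/urandom so the driver is
   reproducible. It is NOT suitable for a real lottery. */
static uint32_t lcg_state;
static unsigned char lcg_byte(void) {
    lcg_state = lcg_state * 1103515245u + 12345u;
    return (unsigned char)(lcg_state >> 16);
}

/* Play the buggy game with submit = {k,k,k,k,k,k} until it reports a win.
   Returns the number of attempts, or 0 if max_attempts is exhausted. */
int attempts_to_win(unsigned char k, uint32_t seed, int max_attempts) {
    unsigned char submit[N], raw[N], lotto[N];
    for (int i = 0; i < N; i++)
        submit[i] = k;
    lcg_state = seed;
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        for (int i = 0; i < N; i++)
            raw[i] = lcg_byte();
        draw_from_bytes(raw, lotto);
        if (score_buggy(lotto, submit) == N)
            return attempt;
    }
    return 0;
}

/* Constructed sample inputs (not from the challenge). */
const unsigned char SAMPLE_DRAW[N]  = {3, 14, 15, 9, 26, 5};
const unsigned char SIX_THREES[N]   = {3, 3, 3, 3, 3, 3};
const unsigned char VALID_GUESS[N]  = {5, 3, 26, 14, 15, 9};
const unsigned char FIVE_RIGHT[N]   = {5, 3, 26, 14, 15, 1};
const unsigned char OUT_OF_RANGE[N] = {5, 3, 26, 14, 15, 46};

int main(void) {
    printf("buggy scorer, six 3s vs a draw holding one 3: %d\n",
           score_buggy(SAMPLE_DRAW, SIX_THREES));
    printf("fixed scorer, same input: %d\n", score_fixed(SAMPLE_DRAW, SIX_THREES));
    printf("attempts until the buggy game pays out for k=1: %d\n",
           attempts_to_win(1, 0xC0FFEEu, 1000));
    return 0;
}
```

The driver shows why the attack needs only a handful of tries: the buggy scorer pays out as soon as any of the six drawn numbers equals the repeated byte, while the hardened scorer never even plays a submission with repeated numbers.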