
0CTF 2016 Quals - rand 2 Writeup

Challenge

<?php
include('config.php');
session_start();

if($_SESSION['time'] && time() - $_SESSION['time'] > 60) {
    session_destroy();
    die('timeout');
} else {
    $_SESSION['time'] = time();
}

echo rand();
if (isset($_GET['go'])) {
    $_SESSION['rand'] = array();
    $i = 5;
    $d = '';
    while($i--){
        $r = (string)rand();
        $_SESSION['rand'][] = $r;
        $d .= $r;
    }
    echo md5($d);
} else if (isset($_GET['check'])) {
    if ($_GET['check'] === $_SESSION['rand']) {
        echo $flag;
    } else {
        echo 'die';
        session_destroy();
    }
} else {
    show_source(__FILE__);
}

Solve

Obviously, we need to predict the five random numbers generated by ?go and submit them via ?check[]=num1&check[]=num2&check[]=num3&check[]=num4&check[]=num5 to get the flag. Two details of the check matter: the comparison is a strict === between two arrays, so the five values must be submitted in the same order and as the plain decimal strings that (string)rand() stored; and a wrong guess destroys the session, while a gap of more than 60 seconds between two requests also kills it, so the prediction has to be correct the first time and fast.

We know that rand() is a PRNG, and for a fixed seed it generates exactly the same sequence every time. In other words, the output of a rand() call is determined by the seed and by how many rand() calls have been made before it (its index in the sequence).

Thus, in order to predict the random numbers, we separate the challenge into two parts:

  1. Assume that the rand() output echoed at the top of the page is the first number in the sequence, and search for the seed whose first output is the number we got from the page.

  2. Force the creation of a new PHP process, so that the rand() output we got is indeed the first number in the sequence.
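The two steps above, worked as an added example; this is not the original solver and not code from the page. It assumes, as the page does not state, a Linux build of PHP older than 7.1, where rand() is a thin wrapper over glibc random() and the automatic seed is a 32-bit value, so the first echoed rand() can be inverted to the seed by brute force. The glibc generator is re-implemented from its published algorithm; solve, predict_go, candidate_seeds, check_query and the sample seed 31337 are the example's own names and constructed data. Because a random() output is only 31 bits, more than one 32-bit seed can produce the same first number (seeds 0 and 1 always do), so the md5 that ?go prints is used to pick the right candidate, which is also the check to run before spending the single ?check attempt.

```python
"""Predict PHP rand() when it wraps glibc random() (Linux, PHP < 7.1).

Added example for this writeup, not the challenge author's solver.
Assumption (labelled): the echoed rand() is the very first output of a
fresh PHP process, i.e. step 2 of the writeup has been achieved.
"""
import hashlib

M31 = 2147483647          # 2^31 - 1, modulus of glibc's seeding LCG
MASK32 = 0xFFFFFFFF
DEG, SEP = 31, 3          # glibc TYPE_3 generator: degree 31, separation 3
WARMUP = DEG * 10         # glibc discards 310 outputs right after seeding


def glibc_random(seed, count):
    """Return the first `count` outputs of glibc random() after srandom(seed).

    Reproduces glibc's TYPE_3 additive feedback generator:
      r[0]      = seed            (glibc replaces a seed of 0 by 1)
      r[1..30]  = 16807 * r[i-1] mod (2^31 - 1), seed read as int32
      r[31..33] = r[0..2]
      r[i]      = r[i-31] + r[i-3] mod 2^32      for i >= 34
    output k is r[344 + k] >> 1 (glibc drops the low bit).
    """
    seed &= MASK32
    if seed == 0:
        seed = 1
    word = seed - (1 << 32) if seed >= (1 << 31) else seed  # int32 view
    r = [word & MASK32]
    for _ in range(1, DEG):
        word = (16807 * word) % M31
        r.append(word)
    for i in range(DEG, DEG + SEP):
        r.append(r[i - DEG])
    for i in range(DEG + SEP, DEG + SEP + WARMUP + count):
        r.append((r[i - DEG] + r[i - SEP]) & MASK32)
    return [x >> 1 for x in r[DEG + SEP + WARMUP:]]


def candidate_seeds(first_output, lo=0, hi=1 << 32):
    """Yield every seed in [lo, hi) whose first random() output matches.

    Several seeds can share a first output (2^32 seeds, 2^31 outputs), so
    the caller disambiguates with the md5 printed by ?go. This pure-Python
    loop is far too slow for the whole 2^32 range inside the 60-second
    session window; the real search is the same loop in C, or a
    precomputed first-output -> seed table.
    """
    for seed in range(lo, hi):
        if glibc_random(seed, 1)[0] == first_output:
            yield seed


def predict_go(seed):
    """The five numbers ?go draws after the echoed rand(), as PHP strings,
    plus md5 of their concatenation, computed exactly as the challenge does."""
    nums = [str(n) for n in glibc_random(seed, 6)[1:]]
    digest = hashlib.md5("".join(nums).encode()).hexdigest()
    return nums, digest


def solve(first_output, go_md5, lo=0, hi=1 << 32):
    """Recover the seed from the echoed rand() and return the five check[]
    values whose md5 equals the one ?go printed, or None if no seed fits."""
    for seed in candidate_seeds(first_output, lo, hi):
        nums, digest = predict_go(seed)
        if digest == go_md5:
            return nums
    return None


def check_query(nums):
    """Build the ?check[]=... query string the writeup submits."""
    return "?" + "&".join("check[]=%s" % n for n in nums)


if __name__ == "__main__":
    # Constructed demo: pretend the fresh server process was seeded with 31337,
    # so the page would echo glibc_random(31337, 1)[0] and ?go its md5.
    first = glibc_random(31337, 1)[0]
    go_md5 = predict_go(31337)[1]
    print("echoed rand():", first, " ?go md5:", go_md5)
    print(check_query(solve(first, go_md5, 31000, 32000)))
```

The md5 comparison is the practitioner's safety net: it costs nothing, it rejects colliding seeds, and it confirms the "first output of a fresh process" assumption before the one-shot ?check request is sent.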

Published @ 16th March, 2016