0x0 Introduction
Author: nhwn
Feeling lucky? I have just the challenge for you :D
SNI: lucky
0x1 Mitigation
Arch: amd64-64-little
0x2 Vulnerability
The basic idea is to set a seed for rand() so that the 3 keys match the requirements.
Both seed() and welcome() are called from main, so the two functions share the same stack address.
In addition, seed() just returns the value on the stack. In this case, the stack looks like this:
stack for welcome stack for seed
Therefore, we can control the value of lol (which is the seed) by writing the last 4 bytes in function welcome.
Now we just need to find the correct seed using the script below:
#include <stdio.h>
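The seed search described above, written out as an added example (it is not the original script from this writeup). The target keys are constructed from a known sample seed, the requirement is assumed to be exact equality of the first three rand() outputs, and the names keys_for_seed and find_seed are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

#define NKEYS 3  /* the writeup checks 3 keys */

/* Store the first NKEYS outputs of rand() after srand(seed). */
void keys_for_seed(unsigned seed, int keys[NKEYS]) {
    srand(seed);
    for (int i = 0; i < NKEYS; i++)
        keys[i] = rand();
}

/* Search seeds in [lo, hi] (inclusive) for one whose first NKEYS
 * rand() outputs equal want[]. Returns 1 and sets *out on success,
 * 0 if no seed in the range matches. */
int find_seed(const int want[NKEYS], unsigned lo, unsigned hi, unsigned *out) {
    int got[NKEYS];
    for (unsigned s = lo; ; s++) {
        int ok = 1;
        keys_for_seed(s, got);
        for (int i = 0; i < NKEYS; i++)
            if (got[i] != want[i])
                ok = 0;
        if (ok) {
            *out = s;
            return 1;
        }
        if (s == hi)  /* compare before incrementing so hi == UINT_MAX cannot wrap */
            break;
    }
    return 0;
}

int main(void) {
    /* Constructed target: keys produced by sample seed 1337,
     * not the values the challenge binary checks. */
    int want[NKEYS];
    unsigned seed = 0;
    keys_for_seed(1337u, want);
    if (find_seed(want, 0u, 100000u, &seed))
        printf("seed = %u\n", seed);
    else
        printf("no seed in range\n");
    return 0;
}
```

The result depends on the libc's rand() implementation, so the search has to run against the same libc as the target binary.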
0x3 Exploit
from pwn import *
0x4 Flag
gigem{un1n1t14l1z3d_m3m0ry_15_r4nd0m_r1ght}