hackthebox
Task: Reverse a 64-bit ELF binary that validates 29-character input through PRNG. Solution: Brute-force each character (0-255) as srand() seed, matching rand() output against constants from .data section using ctypes.
In this challenge, a 64-bit ELF binary named `casino` is provided. The goal is to recover a 29-character input string that passes a validation routine built on a pseudo-random number generator.
First, let's check the file type and strings:
```sh
file casino
strings casino
```
The binary is a standard 64-bit ELF. When run, it asks for a flag input.
Using objdump or a decompiler (Ghidra/IDA) to analyze the main function:
For each position `i`, the binary calls `srand(input[i])`, then `rand()` (the decompiled listing shows `rand()` invoked twice in sequence), and compares the result with a value from an array located in the `.data` section at address `0x4080`.

The critical weakness is that only one byte (a single character) is used as the seed for `srand()`, so there are only 256 possible seeds per position. We can brute-force all 256 candidates for each position independently and keep the character that produces the required random number.
To solve this, we use Python and the ctypes library to call the original rand() function from the system library libc.so.6. This ensures that the random number generation algorithm is identical to the one used in the challenge.
```python
import ctypes

# Load the standard C library
libc = ctypes.CDLL("libc.so.6")

# Values from the .data section (address 0x4080)
# These values can be extracted using objdump or a decompiler
target_values = [
    0x50f5823e, 0x3e56793a, 0x1f06290d, 0x3f6f3635, 0x19661418,
    0x29a0374e, 0x79273612, 0x3f6f3635, 0x13371337, 0x5c3a2b1a,  # Example values
    # ... (29 values total)
]

# In practice, values are extracted like this:
#   objdump -s -j .data casino
# This example uses logic for demonstration ...
```
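The complete brute-force described above, as an added example that is not the writeup's own solver script. It assumes a constructed sample string (not the challenge flag) from which the `.data`-style constants are generated with the same libc, so the recovery can be checked end to end; the number of `rand()` calls per character (`RAND_CALLS`) is a parameter, since the listing shows `rand()` invoked twice. The library is resolved with `ctypes.util.find_library("c")`, which returns `libc.so.6` on glibc systems, with the writeup's literal name as a fallback.

```python
import ctypes
import ctypes.util

# Resolve the C library whose srand()/rand() the challenge binary links against.
# On glibc systems find_library("c") yields "libc.so.6", the name the writeup used.
libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
libc.srand.argtypes = [ctypes.c_uint]
libc.srand.restype = None
libc.rand.argtypes = []
libc.rand.restype = ctypes.c_int

# Number of rand() calls the binary makes after srand() before it compares.
# Assumption based on the listing in the writeup: two calls per position.
RAND_CALLS = 2


def rand_after_seed(seed, rand_calls=RAND_CALLS):
    """Seed the PRNG with one byte and return the rand() value the binary compares."""
    libc.srand(seed)
    value = 0
    for _ in range(rand_calls):
        value = libc.rand()
    return value


def build_table(rand_calls=RAND_CALLS):
    """Compute the rand() output for every possible seed byte once.

    The whole key space is 256 seeds, so the table is built a single time
    and reused for all 29 positions instead of reseeding per position."""
    return {seed: rand_after_seed(seed, rand_calls) for seed in range(256)}


def recover(targets, rand_calls=RAND_CALLS):
    """For each target constant, return the list of seed bytes that produce it.

    A list is returned rather than a single byte because seeds can collide:
    glibc treats srand(0) as srand(1), so 0x00 and 0x01 yield identical output."""
    by_value = {}
    for seed, value in build_table(rand_calls).items():
        by_value.setdefault(value, []).append(seed)
    return [by_value.get(t, []) for t in targets]


def recover_string(targets, rand_calls=RAND_CALLS):
    """Join the lowest candidate per position; fail loudly on an unmatched constant."""
    out = []
    for i, candidates in enumerate(recover(targets, rand_calls)):
        if not candidates:
            raise ValueError(f"position {i}: no seed byte yields {targets[i]:#x}")
        out.append(candidates[0])
    return bytes(out)


# Constructed sample input (29 bytes, like the challenge), NOT the real flag.
# The constants are derived from it with the same libc, standing in for the
# values one would dump from the .data section at 0x4080.
SAMPLE_FLAG = b"HTB{constructed_sample_flag!}"
SAMPLE_TARGETS = [rand_after_seed(b) for b in SAMPLE_FLAG]


def seeds_collide(a, b, rand_calls=RAND_CALLS):
    """True if two seed bytes produce the same compared rand() value."""
    return rand_after_seed(a, rand_calls) == rand_after_seed(b, rand_calls)


if __name__ == "__main__":
    print("recovered:", recover_string(SAMPLE_TARGETS))
    print("srand(0) == srand(1) on this libc:", seeds_collide(0, 1))
    for i, cands in enumerate(recover(SAMPLE_TARGETS)):
        if len(cands) != 1:
            print(f"position {i}: ambiguous candidates {cands}")
```

If the real binary compares against `rand()` only once, run the solver with `rand_calls=1`; the table and recovery logic are unchanged. Since each position is independent, a position whose constant matches no seed byte points at a wrong `RAND_CALLS` or a mismatch between the libc used here and the one the binary was built against, rather than at a partial result.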