Tags: reverse, free, easy

FlagCasino

hackthebox

Task: Reverse a 64-bit ELF binary that validates 29-character input through PRNG. Solution: Brute-force each character (0-255) as srand() seed, matching rand() output against constants from .data section using ctypes.

Techniques: prng_bruteforce, glibc_rand_simulation


FlagCasino — HTB

Description

In this challenge, a 64-bit ELF binary casino is provided. The goal is to recover a 29-character input string that passes validation through a pseudo-random number generator.

Analysis

Static Analysis

First, let's check the file type and strings:

    file casino
    strings casino

The binary is a standard 64-bit ELF. When run, it asks for a flag input.

Analyzing the main function with objdump or a decompiler (Ghidra/IDA) shows the following logic:

  1. The program reads 29 characters.
  2. In a loop from 0 to 28:
    • Takes the next character input[i].
    • Calls srand(input[i]).
    • Calls rand().
    • Compares the rand() result with a value from an array located in the .data section at address 0x4080.
  3. If all 29 comparisons succeed, a victory message is displayed.
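
The 29 comparison constants live in .data at 0x4080, and the quickest way to get them out is objdump -s -j .data casino. The following is an added example (not part of the write-up) that parses that hex-dump format into little-endian 32-bit values; the sample dump text is constructed by hand from the example constants quoted later in this write-up and is not a dump of the real binary.

```python
import re
import struct

# Constructed sample of `objdump -s -j .data casino` output, written by hand from
# the example constants in this write-up; it is not a dump of the real binary.
SAMPLE_OBJDUMP = """\
casino:     file format elf64-x86-64

Contents of section .data:
 4080 3e82f550 3a79563e 0d29061f 35366f3f  >..P:yV>.)..56o?
 4090 18146619 4e37a029 12362779 35366f3f  ..f.N7.).6'y56o?
"""

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_objdump_section(text):
    """Parse `objdump -s` hex-dump rows into (base_address, bytes).

    Each data row is ' <addr> <hex group>... <two spaces><ASCII column>'. The
    ASCII column can itself look like hex, so split on the double space first.
    """
    base = None
    data = bytearray()
    for line in text.splitlines():
        hexpart = line.partition("  ")[0]
        tokens = hexpart.split()
        if len(tokens) < 2 or not all(_HEX.match(t) for t in tokens):
            continue                      # file header, section header, blank line
        addr = int(tokens[0], 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous row at {addr:#x}")
        data += bytes.fromhex("".join(tokens[1:]))
    if base is None:
        raise ValueError("no hex-dump rows found")
    return base, bytes(data)


def read_u32_le(text, address, count):
    """Return `count` little-endian uint32 values starting at `address`."""
    base, data = parse_objdump_section(text)
    start = address - base
    end = start + 4 * count
    if start < 0 or end > len(data):
        raise ValueError("requested range is outside the dumped section")
    return list(struct.unpack(f"<{count}I", data[start:end]))


if __name__ == "__main__":
    # On the real binary: read_u32_le(open("dump.txt").read(), 0x4080, 29)
    for i, v in enumerate(read_u32_le(SAMPLE_OBJDUMP, 0x4080, 8)):
        print(f"target[{i:2}] = {v:#010x}")
```

Splitting on the double space before the ASCII column matters: a row whose ASCII rendering happens to be a run of hex-looking characters would otherwise be parsed as extra data. The contiguity check catches a dump that was cut and pasted with rows missing.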

Vulnerability

The critical vulnerability is that srand() is seeded with a single byte (one character of the input), so there are only 256 possible seeds at each position, and rand() is fully determined by its seed. We can brute-force all 256 candidates for every position and keep the one whose first rand() output equals the stored value.

Solution

To solve this, we use Python and the ctypes library to call the real srand() and rand() from the system library libc.so.6. This guarantees that the generator is the same one the challenge binary uses, so its outputs can be compared directly against the constants from .data.

Solution Script

import ctypes

# Load the standard C library
libc = ctypes.CDLL("libc.so.6")

# Values from the .data section (address 0x4080)
# These values can be extracted using objdump or a decompiler
target_values = [
    0x50f5823e, 0x3e56793a, 0x1f06290d, 0x3f6f3635, 0x19661418,
    0x29a0374e, 0x79273612, 0x3f6f3635, 0x13371337, 0x5c3a2b1a,  # Example values
    # ... (29 values total)
]
# In practice, values are extracted like this:
#   objdump -s -j .data casino
# This example uses logic for demonstration

flag = ""
for target in target_values:
    found = None
    # Only one byte seeds srand(), so 256 seeds cover every possibility
    for candidate in range(256):
        libc.srand(candidate)
        if libc.rand() == target:
            found = candidate
            break
    # '?' marks a position where no seed reproduces the stored value
    flag += chr(found) if found is not None else "?"

print(flag)
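
The ctypes approach only works on a machine with glibc. An added example (not the write-up's script) that models glibc's rand() in pure Python instead, so the same brute-force runs anywhere and can be checked against the known sequence rand() produces after srand(1). The sample flag and the target constants derived from it are constructed for the demonstration; seeds are restricted to 0..255 exactly as the write-up does.

```python
# Pure-Python model of glibc's rand() (the TYPE_3 additive feedback generator),
# used to brute-force one-byte srand() seeds without ctypes or a Linux libc.

def glibc_rand_sequence(seed, count):
    """Return the first `count` values rand() yields after srand(seed) on glibc."""
    seed &= 0xFFFFFFFF
    if seed == 0:                 # srandom_r() replaces a zero seed with 1
        seed = 1
    if seed >= 0x80000000:        # state words are int32_t
        seed -= 0x100000000
    r = [0] * 344
    r[0] = seed
    # LCG fill in Schrage form with C truncating division, as in srandom_r()
    for i in range(1, 31):
        prev = r[i - 1]
        hi = abs(prev) // 127773
        if prev < 0:
            hi = -hi
        lo = prev - 127773 * hi
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r[i] = word
    for i in range(31, 34):
        r[i] = r[i - 31]
    # Additive feedback r[i] = r[i-31] + r[i-3]; srandom_r() discards 310 outputs
    for i in range(34, 344):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    out = []
    for i in range(344, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        out.append(r[i] >> 1)     # rand() returns the new state word >> 1
    return out


# Table of byte seed -> first rand() value: the only thing the binary checks
FIRST_RAND_BY_BYTE = {b: glibc_rand_sequence(b, 1)[0] for b in range(256)}


def candidates_for(target):
    """Every seed in 0..255 whose first rand() equals `target`."""
    return [b for b, v in FIRST_RAND_BY_BYTE.items() if v == target]


def recover_flag(targets):
    """Rebuild the input one byte per constant; '?' marks no or ambiguous match."""
    chars = []
    for target in targets:
        found = candidates_for(target)
        # seeds 0 and 1 collide (glibc maps 0 to 1), so a match is not always unique
        chars.append(chr(found[0]) if len(found) == 1 else "?")
    return "".join(chars)


def targets_from_flag(flag):
    """Constructed stand-in for the 29 .data constants the binary compares against."""
    return [FIRST_RAND_BY_BYTE[b] for b in flag.encode()]


# Constructed 29-character sample flag, not the challenge's real flag
SAMPLE_FLAG = "HTB{constructed_sample_flag1}"

if __name__ == "__main__":
    print("glibc rand() after srand(1):", glibc_rand_sequence(1, 3))
    print("recovered:", recover_flag(targets_from_flag(SAMPLE_FLAG)))
```

The first three values after srand(1) are the familiar 1804289383, 846930886, 1681692777, which is a quick way to confirm the model before trusting it on real constants. With the real 29 values from .data, replace targets_from_flag(...) with that list and recover_flag() returns the input the binary accepts.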
