We have updated the lucky game just for you! Now the executable is lighter and more efficient.
Target: 167.99.143.206 65032
Bin: https://dctf.def.camp/dctf-18-quals-81249812/lucky2

Let’s check the file information first.

It is an ELF 64-bit LSB shared object which is dynamically linked and stripped like the previous lucky challenge.

Let’s run this one to see what is different.

It looks very similar to the previous challenge except that this one tells us the server time.

Let’s disassemble its main function to see what is going on behind the scene.

At first it calls time(0) to get the time in seconds and stores its result in v29. Then, it calls srand(v29 / 10) to set the seed value for future calls of rand function. After getting the user input using again std::getline, the function call sub_2033(&v26, v29 / 10000) simply puts v29 / 10000 into v26 as a string. Then, it is printed to the user as the server time. There are no more calls to srand in this one which means we need to find the correct seed value. However, the last 3 digits of the seed is unknown. Since time(0) returns the time in seconds and the seed is one tenth of it, these last 3 digits will be increasing every 10 seconds which makes it vulnerable to a brute force attack.

I have created a different C program for this challenge which gets a seed value as an argument and prints 100 random numbers using that seed.

Here is the exploit script:

Let’s execute the script and wait until it finds the correct seed value.

Here is the flag DCTF{2e7aaa899a8b212ea6ebda3112d24559f2d2c540a9a29b1b47477ae8e5f20ace}.