← Back
vortex10 | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.

View on GitHub

in this level we need to exploit the fact the seed isn’t really randomized, and we can find it.

the difficulty with this level is the way we solve it, when we need to be fast when input the seed back to /vortex/vortex10.

this is the process:

run vortex in the background /vortex/vortex10 &, copy the 20 numbers and give it to level10 solution

./code "[ 406d24bc, 611ce048, 730ce6d4, 6d26333f, 4c62274d, 6351d72e, 0f9cbb1f, 0beed3e0, 484b284e, 1afcb11c, 72b9599f, 4c65ffd3, 0051df7c, 492c9c2d, 0004bba9, 5855a95d, 2d85388d, 021bb254, 65d633cb, 559b6674,]"

then, we need to hope we get printable result, return our vortex10 to foreground using fg and give it our seed. If we’ll be lucky, we’ll manage to get our shell and might have enough time to read the password, before it disconnect. YAY :(

/vortex/vortex10 &
./level10 ""
fg

# inside the shell
cat /etc/vortex_pass/vortex11

</del>

UPDATE:

I created script in python that do the whole piping process.

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h> 
#include <string.h>

#define PATH "/vortex/vortex10"

int checkSeed(int* numbers, int* checkBuffer) {
    for (int i = 0; i < 20; i++) {
        if (numbers[i] != checkBuffer[i])
            return 0;
    }
    return 1;
}

// Function to convert the captured string into a numbers array
void parseVortexOutput(char* output, int* numbers) {
    char* token = strtok(output, "[], ");
    int index = 0;

    while (token != NULL && index < 20) {
        sscanf(token, "%x", &numbers[index]);
        token = strtok(NULL, "[], ");
        index++;
    }
}

int main(int argc, char** argv){
    if (argc < 2) {
        printf("not enough params\n");
        return 1;
    }
    
    int numbers[20];
    parseVortexOutput(argv[1], numbers);

    int checkBuf[20];

    time_t time_start = time(NULL) - 500;
    time_t time_end = time(NULL) + 500;
    int seed;
    int i;
    int iVar3;

    for (int tVar2 = time_start; tVar2 <= time_end; tVar2++) {
        for (int local_8c = 0x180; local_8c >= -0x20; local_8c--) {
            seed = tVar2 + local_8c;
            srand(seed);
            setvbuf(stdout, (char*)0x0, 2, 0);
            for (i = 0; i < local_8c; i = i + 1) {
                rand();
            }
            //putchar(0x5b);
            for (i = 0; i < 20; i = i + 1) {
                iVar3 = rand();
                checkBuf[i] = iVar3;
                //printf(" %08x,", iVar3);
            }
            //puts("]");

            if (checkSeed(numbers, checkBuf)) {
                // Print the seed as raw binary bytes
                fwrite(&seed, sizeof(seed), 1, stdout);
                printf("\n");
                return 1;
            }
        }
    }
    return 0;
}
// gcc -m32 level10.c -o level10


#!/usr/bin/python3
import subprocess

program = "./level10"
vortex_program = "/vortex/vortex10"

process = subprocess.Popen(vortex_program, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

numbers = process.stdout.readline() 
print("numbers = " + str(numbers) + '\n')

result = subprocess.run(
    [program, numbers],
    capture_output=True
)

seed = result.stdout
print(f"seed = {int.from_bytes(seed, 'little')}")

process.stdin.write(seed)
process.stdin.flush() # send EOF to stdin

command = '''
    cat /etc/vortex_pass/vortex11
    '''
process.stdin.write(command.encode())
process.stdin.close() # send EOF to stdin, and close it

print("password is:", process.stdout.read().decode())

process.kill()

.

all you need to do is to execute the piping script :)

image

Flag: srx196haC