SnykCon CTF - "Random Flag Generator" Weak PRNG Seed

Captions
Hello everyone, and welcome back to another YouTube video, still looking at some challenges from the SnykCon Fetch the Flag, or their capture the flag event that they hosted with SnykCon, their free virtual online conference from October 5th to October 7th. So let's dive in. I'll hop over to my computer screen here and we'll take a look at this challenge called the Random Flag Generator.

I am in a directory that I've already created for this specific challenge, and right now the game scoreboard is offline, so I can't view the challenge's description right on the site, but I do have the description that is ready and available for us. There was no challenge prompt here; it just gave us some files to download, so we had a log.txt and a generate.py.

So let's take a look at that source code here at generate.py. Looks like we import the random library, the time library and the hashlib library, so we're likely going to be generating random numbers, knowing what the time is, and hashing things. So we seed a random number generator, interestingly enough, based off of the current time. time.time will return the Unix epoch time, as quickly as it could, with actually, I think, a lot of precision, all the way down to some decimal values for us, and we round that to an integer number, which is actually really interesting, and it might be something that we could take advantage of. But let's keep reading on.

If we seed a random number generator with that seed, version 2, a-ok, we could follow alongside that if we wanted to recreate this. And then while True, over and over and over again, we'll keep looping, generating random numbers and then hashing something out here, hashing the SHA-256 string of the random number as hex bytes, and then a flag being generated and created, wrapping the Snyk kind of a flag format around that given hash. And we check, oh, if 5bc is in the hash, odd, then we'll go ahead and write that flag out to the file and have a break statement that will close this loop. So after that loop ends
it says, oh, flag created, ta-da, and we'll have a random value that's bad if 5bc is not present in that hash. So given the log.txt, ooh, okay, it will display the bad random value of the randomly generated string here, or the randomly generated number, and then up until it finds a value that will hash correctly and give a flag that the service wants. So we have about 23 values, it looks like, checking the line numbers, that we might be able to use to sanity check if we are getting towards a right random value.

Uh, noticeably though, the time is seeded, the random number generator is seeded by time, and let me actually open that up. I'll use bpython so I could have some nice syntax highlighting. If I were to import time, as I mentioned, time.time will return the current epoch, or seconds since the epoch, I think it's, what, January 1st 1970 or so, with a lot of precision and decimal values after that. But if we were to go ahead and round that value, it's going to be then an integer. Like if I run this over and over and over again, you can see that it's incrementing each second, but that means that we could kind of move backwards in time and find what the original seed might have been, because it's just going to be an integer that kept counting up, and presumably this ran sometime in the past.

So let's create a simple get flag script, and I'm actually going to use this code as the base for that, so I've taken all the contents and just saved a copy of this. Let's say that the current time.time can be our beginning seed, but let's seed it every single time as part of the loop, so that way we can modify the original seed and continue to loop through this. We do want to know what the original bad values were, which are all this up here, so what I'll do is I'll create a new Sublime Text window, and I'm going to hit Ctrl+A on my keyboard to select everything, then I'll hit Ctrl+Shift+L so that I can have multiple cursors for every single line, nice and easy. I'm gonna hit, uh, function home, or just to
bring my key all the way home with a cursor on every line, and that way I can move with my arrow keys, like Ctrl+Left, Ctrl+Right, to hop over words and, uh, remove all that trailing text at the beginning of each line. Then if I hit End I'll be able to add a comma here, and I could realistically add a new square brace at the top and bottom of this here, so that way we now have all of this represented as a list, or as an array, that we could use in Python.

So let's say that, uh, our seen_before can equal this big long thing here, good enough, and that way we can check if our random value is going to end up being, uh, something that's sequentially in this seen_before list, right? We could check that, um, and we kind of want to keep track of all the ones that we had seen previously, so, hmm, how can we smartly do that? Let's take the rand value that we've gotten and let's check if it's in there, or should we just kind of count over and over again? Let's say, uh, if we repeatedly found matches, we'll say, so we'll start it at zero, but for i in, I guess, len of our found matches, and we'll want to use a range on that so we can count up to that length. Uh, if we count up to that and just then keep generating our numbers in that, how about that, we can say if rand is equal to our found matches, um, indexed at i, then we can continue, because we know that we've got the right thing, but if we don't, then we should break out of this.

So if we were to break out of this loop, uh, we'll be able to detect that inside of a for loop in Python by actually supplying an else clause on our for loop. So if we exit this loop unnaturally, like if it were to break in that for loop, then we could hit continue on this while loop as we test another line, but we'd want to subtract what our current seed value is. So let's say that seed that was up top, we'll go ahead and subtract -1 on that and then hit continue to regenerate all that. If we were to continue, we would eventually get down
to knowing what that last random value is, and it's going to end up being the absolute last one, right, because that will end up being the random value after this. So I think we need to generate another one, I think that should be what we want, right? We can go ahead and just then hash our final rand and let's try and display that out. We can display that flag, and actually let's go ahead and display if 5bc is in hash, that should be a boolean value for us just fine. So let's, don't need to check for that anymore, we don't need to display this out. Now we are just trying to move backwards in time, subtracting one from the seed every time we haven't found the number of matches present, or hash values that are seed values responded random generator numbers, uh, in this list.

Let's see if this works. Uh, object of type int has no len, why are you telling me that? len of found matches, oh, oh, oh, I'm screwed, I'm sorry, that should actually be our seen_before, and maybe we don't even need to use this found matches variable anymore, because we don't literally reference that whatsoever. Let's see if that works. Whoa, that's not good, that doesn't sound right. Let's, uh, let's go ahead and pkill our Python runner right now.

Will you continue the loop here? Not thinking about it, is that, am I not doing that right? This continue should continue that while loop and get the hash. Hmm, let's do an if 5bc is in the hash, then we can print the flag, how about that. Uh, and I'll run this in my terminal now, get_flag.py. How far are we gonna end up going? If I were to actually print out what the seed is every time, will that display for me? We'll use an f-string so that we can use seed equals inside of their thing, and I keep typoing here, forgive me. How about that. Are we going to keep decreasing the seed? No, we are not. Seed minus one, for i in range of this, do we ever actually break? Breaking, I just added another print statement here to do some quick debugging, so once we break, we have broken, how about that. Does
that get displayed? That else statement never actually runs, maybe I'm misinterpreting that, right. Uh, so let's say found matches can actually be a value that we do want to use. Uh, if we can set found matches to False if that doesn't happen, so if we have not found matches, what we could do is then continue this loop here, how about that. Seed is still not decreasing because we have not actually set that to subtract out. There we go, now we are properly moving backwards in time, and hopefully, fingers crossed, if I keep letting this run it will end up determining the hash value for us. I'll let this go for a little bit of time and, uh, we'll see if we ever end up getting anywhere.

Okay, it's been going for a while. Uh, I realize I should probably break if I want to print the flag, so that that's actually displayed here, and then I might be getting this wrong just as well. I want to actually verify, if we have an else, then we can print out, uh, if we were to successfully find all matches, we can print out successfully found the right seed, in which case we could go ahead and print that seed, and let's break on that just as well, and let's not print the seed here, just to kind of speed up our life. Uh, so we got as far down as this, maybe we could keep track of that. Uh, we can say seed could equal this if we really wanted to, but let's see, if we were to go back in time and just let it go, will it end up finding anything better? At this point it might be a long, long time. In fact, we should actually kind of see, hey, what is this date in real date time rather than the Unix epoch time, but I'll let this just run for a little bit longer and we'll see.

Okay, so we, uh, did end up finding, I let it run for just a bit and it did end up finding the proper seed, and it looks like, is that even before, yeah, that is before how far I had gone, I think, maybe, I don't, no, no, no, let's do a quick Python thing, is this greater than this? Uh, so that one that we ran previously was before it in our loop down. Okay, anyway, now that
we know the proper seed, let's go ahead and actually display the flag here. We want to generate all these 23 instances again, so I'm actually going to set this here and then we could verify. Exited Python, I want to just run the script. There we go, it knows that that is the correct seed because we found the correct hashes. Let's no longer break out of that original loop and then let's see if we could get the hash. Oh, this loop goes on, so let's move this segment into the successfully found portion. There we go. Is it not showing me that hash thing? Oh, I think I need to rand one more, and that's exactly why it never did it to begin with. Let's try that. There we go, because I didn't calculate the one just after it.

But finally, after a little bit of that tinkering, we did successfully find all of the, uh, numbers that would have been returned by the pseudorandom number generator given the seed at that time that that ran, so we were able to walk it back and then finally get this flag here that should very well contain this 5bc value. So that is our flag, and we can take note of that. If we really, really wanted to, we could go ahead and write that down, because I'm not able to submit it on the scoreboard, but that is that challenge and we are done.

Thanks so much everybody, I hope you enjoyed that one. I hope that script kind of made sense. Uh, what we did was, after adding a lot of debug messages to kind of get a sense of where we were, that's what you know and love, right, candlelight debugging, we overwrote the seed after we kind of found the proper one, otherwise we would have just taken the time and continually moved back. But we were able to go ahead and subtract the seed one by one until we would end up finding one seed that would properly generate the same values that we had seen it fail on when this original time this generator script was ran. So kind of a clever thing, to go back in time and find the flag that it had generated based off just syncing up the pseudo
random number generator seed. That's it, thanks so much for watching everybody, I hope you enjoyed this video. If you did, please do all those YouTube algorithm things, please, uh, you know, like the video, maybe leave a comment, maybe subscribe, I'd be super duper grateful. Thanks so much, and I hope you guys give Snyk some love just as well, because I put on a lot of good effort to host this game. Thanks so much everybody, I'll see you in the next video. I love you, take care.
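
Added example (not the code shown in the video, and not the challenge's own generate.py): a self-contained sketch of the weakness the walkthrough describes, where a PRNG seeded with the whole-second Unix time can be replayed by walking candidate seeds backward until the logged outputs match, next to the fix of drawing secrets from the OS CSPRNG. The use of random.random(), the SNYK{...} wrapper, the timestamp and all function names are assumptions made for illustration.

```python
import hashlib
import random
import secrets

MARK = "5bc"  # substring the generator waits for, as described in the video

def generate(seed):
    """Assumed shape of the generator: seeded PRNG, log rejects, stop on MARK."""
    rng = random.Random(seed)            # same stream as random.seed(seed)
    rejected = []
    while True:
        value = str(rng.random())        # assumption: random.random() is used
        digest = hashlib.sha256(value.encode()).hexdigest()
        if MARK in digest:
            return rejected, "SNYK{" + digest + "}"  # assumed flag wrapper
        rejected.append(value)           # what ends up in the log file

def recover_seed(logged, start, max_back=100_000):
    """Walk integer seeds backward from `start` until the logged rejects match."""
    for seed in range(start, start - max_back, -1):
        rng = random.Random(seed)
        # all() stops at the first mismatch, so wrong seeds cost one draw
        if all(str(rng.random()) == line for line in logged):
            return seed
    return None

def hardened_flag():
    """Fix: take secret values from the OS CSPRNG, which has no guessable seed."""
    return "SNYK{" + secrets.token_hex(32) + "}"

def demo():
    # Constructed scenario: the generator ran at a past whole-second timestamp.
    past = 1_633_500_000
    while not generate(past)[0]:         # make sure the sample log is non-empty
        past += 1
    logged, original_flag = generate(past)
    found = recover_seed(logged, start=past + 5_000)  # "now" is 5000 s later
    return past, found, original_flag, generate(found)[1]

if __name__ == "__main__":
    past, found, original, replayed = demo()
    print(f"seed recovered: {found == past}, flag replayed: {original == replayed}")
```

A whole-second seed leaves only about 86,400 candidates per day of uncertainty about when the script ran, which is why the search finishes quickly; hardened_flag() has no seed to search for.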
Info
Channel: John Hammond
Views: 24,048
Id: attWRc7Wc4E
Length: 15min 43sec (943 seconds)
Published: Sun Oct 10 2021