# lotto challenge in Pwnable.kr

In this post we solve the *lotto* challenge of [pwnable.kr](https://www.pwnable.kr).

### lotto

The challenge starts by inviting us to play a game of chance

```bash
Mommy! I made a lotto program for my homework. do you want to play?

ssh lotto@pwnable.kr -p2222 (pw:guest)
```

Inspecting the code, it reads 6 bytes from `/dev/urandom` which leaves us with 256^6 possible values. My initial thought, before seeing the code was that this would be poorly implemented seeding and use of a random integer function, however, `/dev/urandom/` is safe as it is seeded by the OS during boot.

Later in the code, the check against the password is made, looping over the random bytes and the user input 36 times. An `int` is incremented for each match.

```bash
// calculate lotto score 
int match = 0, j = 0; 
for(i=0; i<6; i++){ 
    for(j=0; j<6; j++){ 
        if(lotto[i] == submit[j]){ 
            match++;
        } 
    } 
}
```

This however, means that if we just match with one of the bytes from the random input 6 times, we get the flag. Hence any byte repeated 6 times wins the challenge.

```bash
lotto@prowl:~$ ./lotto

Select Menu -

Play Lotto

Help

Exit 1 Submit your 6 lotto bytes : $$$$$$ Lotto Start! bad luck...

Select Menu -

Play Lotto

Help

Exit 1 Submit your 6 lotto bytes : $$$$$$ Lotto Start! bad luck...

Select Menu -

Play Lotto

Help

Exit 1 Submit your 6 lotto bytes : $$$$$$ Lotto Start! bad luck...

Select Menu -

Play Lotto

Help

Exit 1 Submit your 6 lotto bytes : $$$$$$ Lotto Start! [flag omitted]
```