Open in app

Sign in

Write

Sign in

STDiO CTF 2022: Lottery Predictor Game V2

Altair
3 min readJan 19, 2023

--

Source Code: https://pub-f6b4a5d9d6ff4c2cb57e61cff1114b05.r2.dev/file/ch20_lottery_v2.zip

Target: http://45.77.169.171:10020

As we can see, the given target asks us to guess a number between 000000 to 999999. Although it lets you put 5 numbers at a time, still it seems impossible to get it right plus ReCAPTCHA will get difficult if you try that. We better take a look at the source code it provides.

Looks like the winningNum is generated with random.radint() and server time as a seed.

It tells us the right answer when we get it wrong.

import random 
import time 

while True:
    random.seed(time.time()) # set current time as a seed
    randNum = random.randint(0, 999999) 
    print(randNum)

I tried to create simple random code and fortunately that the number generated is perfectly matched with what it shows on the site. We know the present winningNum, but how can we put it in time before the winningNum change?

This python module perfectly fits this situation: paperclip

  • Install : pip install paperclip

It allows you to interact with the system clipboard by using ‘paperclip.coppy()’ and ‘paperclip.paste()’. Therefore, add ‘paperclip.coppy(randNum)’ into the code above and then we can simply use ‘ctrl+v’ to paste the right winningNum within a second.

However, we have to paste and click ‘buy’ within one second, so I. modify the code to take advantage of answering multiple numbers at a time.

Final code:

import random
import time
import pyperclip

while True:
    current_time = time.time()
    
    random.seed(int(time.time()))
    rand1 = random.randint(0, 999999) # current number
    
    # Generate second random number after 1 second delay
    random.seed(int(time.time()+1))
    rand2 = random.randint(0, 999999) # number in next second

    # Generate third random number after 2 second delay
    random.seed(int(time.time())+2)
    rand3 = random.randint(0, 999999) # number in next 2 seconds
    
    ans = str(rand1)+', '+str(rand2)+', '+str(rand3) # merge numbers into usable format
    pyperclip.copy(ans) # coppy to clipboard
    # print(ans)

Leave the loop running, paste it, and now you can delay pressing ‘buy’ button for up to 3 seconds (or you can add more code to make it 5 seconds).

Enjoy! ( — — ;)

Ctf2020
Stdio Ctf
Python
Stdio2022
Ctf Writeup

--

--

Altair

Written by Altair

18 Followers

still learn, do ctf when I’m bored

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams