Binary Exploitation with Time Guessing
Last modified: 2023-03-01
Investigation
./example
Guess the number: 1111
You losed. The correct answer is 1475693029
Guess the number: 12345678
You losed. The correct answer is 8246712747
If we find a binary that asks us to guess the correct time (or a time-based number), we can bypass it using a pipe on the command line.
Exploitation
# tr -dc '0-9': keep only the digits of the first run's output, i.e. the correct number the binary printed.
echo 1234 | ./example | tr -dc '0-9' | ./example
The above payload inputs '1234' at first, then the binary prints the correct number. The tr command extracts this number and passes it to the second execution of the binary.
Because the answer is derived from the current time, a second run started immediately computes the same number as the first, so passing the previous answer back in instantly bypasses the check.
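The root cause behind this trick is a secret derived from the wall clock alone, so every process that asks in the same second gets the same value. The following C program is an added illustration, not the page's example binary: it shows the weak pattern (seed the PRNG with the current time and take one draw) beside a hardened version that reads the secret from the OS entropy source. The function names predictable_secret, secure_secret and guess_is_correct are hypothetical, and the hardened path assumes /dev/urandom is readable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Weak pattern (hypothetical name): the secret depends only on the clock.
 * Two processes seeded in the same second compute the same value, which is
 * exactly what the echo | ./example | tr | ./example pipe relies on. */
unsigned int predictable_secret(time_t now) {
    srand((unsigned int)now);
    return (unsigned int)rand();
}

/* Hardened pattern (hypothetical name): draw the secret from /dev/urandom
 * (assumed available). Returns 0 on success, -1 if it cannot be read. */
int secure_secret(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) {
        return -1;
    }
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* The check both variants perform: only the exact secret is accepted. */
int guess_is_correct(unsigned int guess, unsigned int secret) {
    return guess == secret;
}

int main(void) {
    time_t now = time(NULL);

    /* Two "runs" within the same second: identical answer, replay succeeds. */
    unsigned int first = predictable_secret(now);
    unsigned int second = predictable_secret(now);
    printf("time-seeded:    run1=%u run2=%u (%s)\n", first, second,
           guess_is_correct(first, second) ? "replay succeeds" : "differs");

    /* Two runs of the hardened version: independent values each time. */
    unsigned int s1 = 0, s2 = 0;
    if (secure_secret(&s1) != 0 || secure_secret(&s2) != 0) {
        fprintf(stderr, "could not read /dev/urandom\n");
        return 1;
    }
    printf("urandom-seeded: run1=%u run2=%u (%s)\n", s1, s2,
           guess_is_correct(s1, s2) ? "collision" : "independent");
    return 0;
}
```

Two practical notes: the replay only works when both processes read the clock in the same second, so a slow first run can make the pipe fail even against a vulnerable binary; and narrowing that window (e.g. mixing in the PID) is not a fix, only reading the secret from the kernel entropy source removes the predictability.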