Writeup

HTB FlagCasino — Full Writeup

Mohammed-Amine Bouaafia

November 10, 2025

2 min read

reverse-engineering

HTB FlagCasino — Full Writeup

Small, focused writeup for an easy reverse challenge where the binary validates 29 single-byte seeds by seeding rand() with each input and comparing the first rand() result to a table.

Summary

Binary reads 29 characters; for each it calls srand(char) then rand() and compares that 32-bit result to a known check[] value. Recovering which byte seeds produce those rand() outputs yields the 29-byte flag.

Steps

Open the binary in your disassembler. Notice the loop in main:
- scanf(" %c", &v4)
- srand(v4)
- if (rand() != check[i]) exit(...)
Realize check[i] is just the first rand() output after srand(seed). So brute-force the 1-byte seed space and match rand() to each check[i].
Use the system libc implementation of srand/rand (so results match the binary). Try all char values (-128..127 or 0..255 bytes) and record the matching byte for each index.
Assemble bytes into ASCII to get the flag.

Python solver (self-contained)

Save as solve.py and run with python3 solve.py. It uses ctypes to call the system libc srand/rand so behavior matches the target binary.

1
#!/usr/bin/env python3
2
# solve.py — recover 29-byte flag by matching libc rand() outputs
3

4
import ctypes
5
import sys
6

7
check = [
8
  608905406,183990277,286129175,128959393,1795081523,1322670498,868603056,
9
  677741240,1127757600,89789692,421093279,1127757600,1662292864,1633333913,
10
  1795081523,1819267000,1127757600,255697463,1795081523,1633333913,677741240,
11
  89789692,988039572,114810857,1322670498,214780621,1473834340,1633333913,
12
  585743402
13
]
14

15
# load libc (tries common names, falls back to default handle)
16
libc = None
17
for name in ("libc.so.6", "libc.so", None):
18
    try:
19
        libc = ctypes.CDLL(name) if name is not None else ctypes.CDLL(None)
20
        break
21
    except Exception:
22
        libc = None
23
if libc is None:
24
    print("Failed to load libc. Abort.", file=sys.stderr)
25
    sys.exit(1)
26

27
libc.srand.argtypes = (ctypes.c_uint,)
28
libc.srand.restype = None
29
libc.rand.argtypes = ()
30
libc.rand.restype = ctypes.c_int
31

32
found = []
33
for idx, target in enumerate(check):
34
    matched = False
35
    # try all possible signed char values (-128..127) which correspond to input bytes
36
    for s in range(-128, 128):
37
        seed_u = ctypes.c_uint(ctypes.c_int8(s).value).value
38
        libc.srand(seed_u)
39
        r = ctypes.c_uint(libc.rand()).value
40
        if r == target:
41
            found.append(seed_u & 0xff)
42
            matched = True
43
            break
44
    if not matched:
45
        print(f"no seed found for index {idx} (target {target})", file=sys.stderr)
46
        sys.exit(2)
47

48
flag_bytes = bytes(found)
49
try:
50
    flag = flag_bytes.decode('ascii')
51
except UnicodeDecodeError:
52
    flag = "hex:" + flag_bytes.hex()
53

54
print("Flag:", flag)

Result

Flag: HTB{r4nd_1s_v3ry_pr3d1ct4bl3}

Notes

This is a low-effort reverse: the trick is recognizing srand+rand per-byte.
Using the system libc via ctypes (or compiling and running the provided C brute-force) guarantees the same PRNG sequence as the binary.