In this challenge we have a guessing game based on a Python server. To win we have to guess correctly 10 times consecutively. The random number comes from the Python random module, seeded with a number from os.urandom. The number we have to guess is produced by _getrandbits(64)_, which outputs a 64-bit number. Luckily for us, this function is backed by the Mersenne Twister generator, which is known for its weaknesses as a source of pseudo-random numbers. For further information about how the PRNG, MT, and randomness in Python work, have a look at these links:

http://blog.ptsecurity.com/2012/10/random-number-security-in-python.html

http://jazzy.id.au/default/2010/09/22/cracking_random_number_generators_part_3.html

Now basically what we are going to do is:

  • build a random object on the client

  • using the output that the server provides us, recover the internal state of the object on the server

  • replace the internal state of our client-side object with the one we obtained from the server

  • generate the next numbers and send them to the server to get the flag
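
The four steps above as a self-contained sketch (an added example, not the author's pastebin code). A local random.Random instance stands in for the challenge server, and 312 leaked 64-bit values are assumed, since each getrandbits(64) call exposes two of the 624 32-bit state words. The helper names are hypothetical.

```python
import os
import random

def _undo_right(y, shift):
    # Invert y = x ^ (x >> shift); each pass fixes `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_left(y, shift, mask):
    # Invert y = x ^ ((x << shift) & mask); each pass fixes `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x

def untemper(y):
    # Reverse the four MT19937 tempering steps in reverse order.
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)

def clone_from_outputs(outputs64):
    # CPython builds getrandbits(64) from two 32-bit words, low word first.
    words = []
    for n in outputs64:
        words += [n & 0xFFFFFFFF, n >> 32]
    if len(words) < 624:
        raise ValueError("need at least 312 64-bit outputs (624 words)")
    state = tuple(untemper(w) for w in words[-624:])
    clone = random.Random()
    # Index 624 forces a twist on the next call, continuing the sequence.
    clone.setstate((3, state + (624,), None))
    return clone

def demo(rounds=10):
    # Constructed stand-in for the server: MT seeded from os.urandom.
    server = random.Random(int.from_bytes(os.urandom(8), "big"))
    leaked = [server.getrandbits(64) for _ in range(312)]
    clone = clone_from_outputs(leaked)
    return all(clone.getrandbits(64) == server.getrandbits(64)
               for _ in range(rounds))

if __name__ == "__main__":
    print("clone predicts server:", demo())
```

Values drawn from random.SystemRandom or the secrets module come from the OS CSPRNG and have no recoverable state of this kind.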

Code (highly commented):

http://pastebin.com/3rmZmZRL

Flag: 30C3_b9b1579866cccd28b1918302382c9107

Razor4x