picoCTF Solutions
picoCTF 2019Binary ExploitationHard

seed-sPRiNG picoCTF 2019 Solution

Published: April 2, 2026

Description

Predict the PRNG output. Connect to the server and guess correctly.

Read the technique guide

Setup

Download the binary and connect to the server.

bash
wget <url>/seed-sPRiNG
bash
nc <HOST> <PORT_FROM_INSTANCE>

Solution

Walk me through it
  1. Step 1Analyze the binary to find the seed
    Run the binary locally and examine it with Ghidra or strings. Find what value is used to seed the random number generator. The seed is likely based on time(NULL) (current Unix timestamp) or a fixed constant.
    bash
    strings seed-sPRiNG
    bash
    ghidra seed-sPRiNG &
    Learn more

    C's srand(seed) initializes the random number generator, and rand() produces deterministic pseudo-random numbers from that seed. If you know the seed, you can reproduce the exact sequence of outputs from any other machine.

    Common predictable seeds: time(NULL) returns the current Unix timestamp (seconds since 1970). If the server seeds with the current time, and you know (or can guess) the time within a few seconds, you can reproduce the sequence.

  2. Step 2Reproduce the PRNG sequence
    Once you know the seed formula (e.g., time-based), write a C program that seeds with the same value and produces the same sequence. Note the connection timestamp to estimate the server time.
    c
    cat << 'EOF' > predict.c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main() {
    // Try seeds near the current time
    time_t t = time(NULL);
    for (int delta = -5; delta <= 5; delta++) {
        srand(t + delta);
        printf("Seed %ld: %d\n", t + delta, rand());
    }
    return 0;
}
EOF
gcc predict.c -o predict && ./predict
    Learn more

    The Linux C library rand() is a linear congruential generator (LCG): a simple mathematical formula that produces a sequence of numbers. LCGs are fast but not cryptographically secure - given the output sequence, the internal state can be recovered.

  3. Step 3Submit the prediction and get the flag
    Send the predicted value to the server. If correct, the server reveals the flag.
    Learn more

    Cryptographically secure pseudo-random number generators (CSPRNGs) like /dev/urandom, ChaCha20, or Fortuna use unpredictable entropy sources and are designed so that future outputs cannot be predicted from past ones. Always use CSPRNGs for security-sensitive applications, never time-seeded LCGs.

Flag

picoCTF{...}

Find the PRNG seed (likely time-based), reproduce the rand() sequence in a C program, and submit the predicted value.

Want more picoCTF 2019 writeups?

Browse picoCTF 2019Full library

Useful tools for Binary Exploitation

Related reading

What to try next