比赛地址：b01lers CTF 2025

比赛时间：19 Apr 2025 07:00 CST - 21 Apr 2025 07:00 CST

复现的题目用🔁标注

Web

when

Challenge

web/whenbeginner

author: tillvit

the sunk cost fallacy

https://when.atreides.b01lersc.tf/

app.ts

1import express from 'express'2import { rateLimit } from 'express-rate-limit'3import path from "path"4 5const limiter = rateLimit({6	windowMs: 60 * 1000,7	limit: 60, // 60 per minute8	standardHeaders: 'draft-7',9	legacyHeaders: false,10    skip: (req, res) => {11        return req.path != "/gamble"12    }13})14 15const app = express()16 17app.use(limiter)18app.use(express.static(path.join(__dirname, 'static')))19 20async function gamble(number: number) {21    return crypto.subtle.digest("SHA-256", Buffer.from(number.toString()))22}23 24app.post('/gamble', (req, res) => {25    const time = req.headers.date ? new Date(req.headers.date) : new Date()26    const number = Math.floor(time.getTime() / 1000)27    if (isNaN(number)) {28        res.send({29            success: false,30            error: "Bad Date"31        }).status(400)32        return33    }34    gamble(number).then(data => {35        const bytes = new Uint8Array(data)36        if (bytes[0] == 255 && bytes[1] == 255) {37            res.send({38                success: true,39                result: "1111111111111111",40                flag: "bctf{fake_flag}"41            })42        } else {43            res.send({44                success: true,45                result: bytes[0].toString(2).padStart(8, "0") + bytes[1].toString(2).padStart(8, "0")46            })47        }48    })49});50 51app.listen(6060, () => {52    console.log(`Started express server`);53});

Solution

检查 /gamble 路由的逻辑发现服务端会检查请求头中的 Date 字段。如果存在，则将其解析为时间戳；否则使用当前时间。时间戳会被转换为秒级时间（Math.floor(time.getTime() / 1000)），然后将时间戳传递给 gamble 函数，该函数计算时间戳的 SHA-256 哈希值。如果前两个字节的值分别为 255 和 255（即二进制表示为 1111111111111111），服务器会就返回 flag ，否则服务器会返回前两个字节的二进制表示。

因此我们要做的就是伪造一个 Date 请求头，使得时间戳经过 SHA-256 哈希计算后前两个字节恰好是 255 和 255。

python

1import requests2import hashlib3from datetime import datetime4 5# Step 1: 寻找符合条件的时间戳6def find_valid_timestamp():7    # 把上限设置大一点确保有解8    for timestamp in range(0, 9999999999999999):9        # 计算时间戳的 SHA-256 哈希值10        sha256_hash = hashlib.sha256(str(timestamp).encode()).digest()11        # 检查是否符合条件12        if sha256_hash[0] == 0xFF and sha256_hash[1] == 0xFF:13            return timestamp14    return None15 16# Step 2: 发送请求17def send_forged_request(timestamp):18    url = "https://when.atreides.b01lersc.tf/gamble"19    # 把时间戳转换日期格式20    date_header = datetime.utcfromtimestamp(timestamp).strftime('%a, %d %b %Y %H:%M:%S GMT')21    headers = {"Date": date_header}22    return requests.post(url, headers=headers).json()23 24if __name__ == "__main__":25    valid_timestamp = find_valid_timestamp()26 27    if valid_timestamp:28        print(send_forged_request(valid_timestamp))29    else:30        print("没找到符合条件的时间戳")

得到以下响应

text

1{'success': True, 'result': '1111111111111111', 'flag': 'bctf{ninety_nine_percent_of_gamblers_gamble_81dc9bdb}'}

flag

🚩bctf{ninety_nine_percent_of_gamblers_gamble_81dc9bdb}

trouble at the spa

Challenge

web/trouble at the spa

author: ky28059

I had this million-dollar app idea the other day, but I can’t get my routing to work! I’m only using state-of-the-art tools and frameworks, so that can’t be the problem… right? Can you navigate me to the endpoint of my dreams?

https://ky28060.github.io/

trouble_at_the_spa.zip

Solution

关键代码：

tsx

1import { StrictMode } from 'react';2import { createRoot } from 'react-dom/client';3import { BrowserRouter, Routes, Route } from 'react-router';4 5// Pages6import App from './App.tsx';7import Flag from './Flag.tsx';8 9import './index.css';10 11 12createRoot(document.getElementById('root')!).render(13    <StrictMode>14        <BrowserRouter>15            <Routes>16                <Route index element={<App />} />17                <Route path="/flag" element={<Flag />} />18            </Routes>19        </BrowserRouter>20    </StrictMode>21);

通过浏览器扩展（Tampermonkey）注入脚本，强制触发路由跳转

1// ==UserScript==2// @name         Force React Router Navigation3// @author       Aristore4// @match        https://ky28060.github.io/*5// ==/UserScript==6 7(function() {8    'use strict';9 10    // 模拟访问 /flag11    window.history.pushState({}, '', '/flag');12 13    // 触发 React Router 的路由更新14    const event = new Event('popstate');15    window.dispatchEvent(event);16})();

然后直接访问 https://ky28060.github.io/ 就会跳转到 https://ky28060.github.io/flag

flag

🚩bctf{r3wr1t1ng_h1st0ry_1b07a3768fc}

Reverse

class-struggle

Challenge

rev/class-strugglebeginner

author: CygnusX & ky28059

I miss the good old days before OOP, when we lived in a classless, stateless society…

marx.c

1#include <stdio.h>2#include <string.h>3 4#define The5#define history6#define of7#define all8#define hitherto       struct tbnlw{int srlpn;}tbnlw_o;9#define existing       unsigned char tfkysf(unsigned char j,int10#define society11#define is             vfluhzftxror){vfluhzftxror&=7;12#define the13#define class14#define struggles      (void)tbnlw_o15#define Freeman        srlpn;16#define and17#define slave          (void)((void)018#define patrician      0);19#define plebeian       (void)((void)020#define lord           0);21#define serf           (void)((void)022#define guild23#define master         0);24#define journeyman     (void)((void)025#define in26#define a27#define word           0);(void)((void)028#define oppressor      0);29#define oppressed      (void)((void)030#define stood          0);31#define constant       return (j<<vfluhzftxror)|32#define opposition     (j>>(8-vfluhzftxror));}33#define to             unsigned char b(unsigned34#define one            char j,int vfluhzftxror){35#define another        (void)((void)036#define carried        0);37#define on             vfluhzftxror&=7;return(j38#define an             >>vfluhzftxror)|(j<<(8-vfluhzftxror));39#define uninterrupted  (void)((void)040#define now41#define hidden         0);(void)((void)042#define open           0);(void)((void)043#define fight44#define that45#define each           0);}46#define time           unsigned char jistcuazjdma(unsigned char jistcuazjdma,int mpnvtqeqmsgc){47#define ended          (void)((void)048#define either         0);49#define revolutionary  jistcuazjdma^=(50#define reconstitution mpnvtqeqmsgc *51#define at             37);52#define large          (void)((void)053#define or             0);54#define common         jistcuazjdma=55#define ruin           tfkysf(jistcuazjdma,(mpnvtqeqmsgc+3)%7);56#define contending     (void)tbnlw_o57#define classes58#define In59#define earlier        srlpn;60#define epochs         (void)((void)061#define we62#define find           0);63#define almost64#define everywhere     jistcuazjdma+=42;65#define complicated    return jistcuazjdma;}int66#define arrangement    evhmllcbyoqu(const67#define into           char68#define various        *g){69#define orders         (void)((void)070#define manifold       0);71#define gradation      const unsigned char gnmupmhiaosg[]={0x32,0xc0,0xbf,0x6c,0x61,0x85,0x5c,0xe4,0x40,0xd0,0x8f,0xa2,0xef,0x7c,0x4a,0x2,0x4,0x9f,0x37,0x18,0x68,0x97,0x39,0x33,0xbe,0xf1,0x20,0xf1,0x40,0x83,0x6,0x7e,0xf1,0x46,0xa6,0x47,0xfe,0xc3,0xc8,0x67,0x4,0x4d,0xba,0x10,0x9b,0x33};int72#define social         guxytjuvaljn=strlen(g);73#define rank           (void)tbnlw_o74#define ancient        srlpn;75#define Rome           if(guxytjuvaljn!=sizeof76#define have           (gnmupmhiaosg)){77#define patricians     (void)((void)078#define knights        0);(void)((void)079#define plebeians      0);(void)((void)080#define slaves         0);(void)(0?081#define Middle         0);82#define Ages           (void)((void)083#define feudal84#define lords          0);(void)((void)085#define vassals        0);(void)((void)086#define masters        0);(void)((void)087#define journeymen     0);(void)((void)088#define apprentices    0);(void)((void)089#define serfs          0);(void)(0?090#define these          0);(void)((void)091#define again          0);(void)((void)092#define subordinate    0);93#define gradations     (void)tbnlw_o94#define modern         srlpn;95#define bourgeois      return  0;}for(int mpnvtqeqmsgc=0;mpnvtqeqmsgc<guxytjuvaljn;mpnvtqeqmsgc++){96#define has97#define sprouted       unsigned char z=jistcuazjdma(g[mpnvtqeqmsgc],98#define from           mpnvtqeqmsgc);unsigned99#define ruins          char e=b((z&0xF0)|((~z)&0x0F),100#define not            mpnvtqeqmsgc%8);if(e!=gnmupmhiaosg101#define done           [mpnvtqeqmsgc]){102#define away           return 0;}}103#define with           return 1;104#define antagonisms    (void)tbnlw_o105#define It             srlpn;106#define but            }int main(void){107#define established    (void)((void)0108#define new109#define conditions     0);110#define oppression     (void)((void)0111#define forms          0);112#define struggle       char cmdcnwrnjxlp[64];printf("Please input the flag: ");fgets(cmdcnwrnjxlp,sizeof(cmdcnwrnjxlp),stdin);113#define place          char*nl=strchr(cmdcnwrnjxlp,'\n');if(nl){*nl=0;}if(evhmllcbyoqu(cmdcnwrnjxlp)){puts("Correct!");}else{114#define old            puts("No.");}115#define ones           return 0;}116 117The history of all hitherto existing society is the history of class struggles.118 119Freeman and slave, patrician and plebeian, lord and serf, guild-master and120journeyman, in a word, oppressor and oppressed, stood in constant opposition121to one another, carried on an uninterrupted, now hidden, now open fight, a122fight that each time ended, either in a revolutionary reconstitution of society123at large, or in the common ruin of the contending classes.124 125In the earlier epochs of history, we find almost everywhere a complicated126arrangement of society into various orders, a manifold gradation of social127rank. In ancient Rome we have patricians, knights, plebeians, slaves: in the128Middle Ages, feudal lords, vassals, guild-masters, journeymen, apprentices,129serfs: in almost all of these classes, again, subordinate gradations.130 131The modern bourgeois society that has sprouted from the ruins of feudal society132has not done away with class antagonisms. It has but established new classes,133new conditions of oppression, new forms of struggle in place of the old ones

Solution

ChatGPT 一把梭

这道题通过一系列宏定义把「输入字符串 g[i]」经过三步变换后，与给定的字节数组比较。我们要做的是把这三步变换反过来，从目标数组还原出原始的 g[i]。

一、理解正向变换

对于每个索引 i 和字符 j = g[i]，正向变换分三步：

异或与旋转

1j ^= (i * 37);                // XOR 运算，结果截断到 8 位2j = rol(j, (i + 3) % 7);      // 向左循环移位 r = (i+3)%7

加常数 42

1j = (j + 42) & 0xFF;          // 加法并截断到 8 位

提取高低 4 位后再旋转

1x = (j & 0xF0) | ((~j) & 0x0F);  // 高 4 位保留，低 4 位取 ~j 的低 4 位2e = ror(x, i % 8);               // 向右循环移位 r = i%8，得到最终字节

最终的 e 就存储在给定数组中。

二、反向还原算法

逆向第二次旋转

python

1# 已知 e 和 r2=i%82x = rol(e, r2)      # 旋转方向相反：向左旋转 r2 位

逆向高低位提取
由 x = (z & 0xF0) | ((~z) & 0x0F)，可解得

python

1z_high = x & 0xF02x_low  = x & 0x0F3z_low  = 0xF - x_low     # 因为 (~z_low)&0x0F = x_low ⇒ z_low = 0xF - x_low4z = z_high | z_low

逆向加 42
python
```
1t1 = (z - 42) & 0xFF
```

逆向第一次旋转

python

1r1 = (i + 3) % 72t2 = ror(t1, r1)     # 向右循环移位的逆运算

逆向异或
python
```
1j = t2 ^ ((i * 37) & 0xFF)
```
得到的 j 就是当时的 g[i]。

python

1# 8 位循环移位函数2def rol(v, r): return ((v << r) & 0xFF) | (v >> (8 - r))3def ror(v, r): return (v >> r) | ((v << (8 - r)) & 0xFF)4 5# 给定的目标数组6cipher = [7    0x32,0xc0,0xbf,0x6c,0x61,0x85,0x5c,0xe4,8    0x40,0xd0,0x8f,0xa2,0xef,0x7c,0x4a,0x02,9    0x04,0x9f,0x37,0x18,0x68,0x97,0x39,0x33,10    0xbe,0xf1,0x20,0xf1,0x40,0x83,0x06,0x7e,11    0xf1,0x46,0xa6,0x47,0xfe,0xc3,0xc8,0x67,12    0x04,0x4d,0xba,0x10,0x9b,0x3313]14 15flag_bytes = []16for i, e in enumerate(cipher):17    # 1. 逆向第二次循环右移18    x = rol(e, i % 8)19    # 2. 逆向高低位混合20    z = (x & 0xF0) | (0xF - (x & 0x0F))21    # 3. 逆向加 4222    t1 = (z - 42) & 0xFF23    # 4. 逆向第一次循环左移24    t2 = ror(t1, (i + 3) % 7)25    # 5. 逆向异或26    j = t2 ^ ((i * 37) & 0xFF)27    flag_bytes.append(j)28 29flag = bytes(flag_bytes).decode('ascii')30print(flag)

运行后即可得到 flag

flag

🚩bctf{seizing_the_m3m3s_0f_pr0ducti0n_32187ea8}