TQLCTF MISC writeup-魔法少女雪殇

就跟风潇战斗到最后来着，拿了个20名也算是意料之内了，跟tsuppari师傅走一天迷宫属于是烦人，也就这样了。

Wizard

oi题，开局直接让爆破sha256（TQLCTF+?），很简单

def get_t(code):
    for i in range(10000000):
        strs = 'TQLCTF' + str(i)
        if hashlib.sha256(strs.encode()).hexdigest()[:5] == code:
            return i

进入来后一段长对话

If you want to know Zard's secret, you need to play a game with him.
Zard has an array of n distinct integers. You can ask no more than n questions.
Each question contains m distinct positions. Zard will take the corresponding m numbers from his array and sort them. However, he will only tell you the k-th number among them, in ascending order.
Your task is to guess the size of k.
(1<=k<=m<n<=10000)

You can perform two operations:

1. Query. Your query starts with a capital 'Q', followed by m positions. You will get the k-th element of the integers corresponding to these positions in the array in ascending order. (e.g., Q 2 3 4 5. The answer is 8.)

2. Guess. Your guess starts with a capital 'G', followed by a number, which is k. If your guess is correct, you'll know Zard's secret. (e.g., G 3.)

For example: 
Array = [1, 0, 9, 8, 2]
n = 5, m = 4, k = 3

[Query]
Q 2 3 4 5
8

[Guess]
G 3
You are so smart! You will get Zard's secret!

Let's start!
n = 1325, m = 230

分为两部分，首先给出m和n的值，n是整体总共多少个整数，m是需要我们提问给予的数组量

第一部分是Q ，假设m是100个的话，我就需要给出Q 1 2 3 …….100，然后返回一个k的值，此处k值是个啥我不确定，根据例子估摸着就是k在列表中的值，要我们找的值是k所在的位置。

然后至于G的获得方式，这里我暂时没有头绪，我的做法是先进行一次完整的循环，看一看整体的效果与值。

for i in range(m + 1):
    q = 'Q '
    for j in range(m+1):
        if j==i:
            continue
        q += str(j+1)+' '
    p.sendline(q.encode())
    kplace = int(p.recvuntil(b'\n')[:-1].decode())
    print(kplace)

描述说可以询问n次，但是我第一次的for i in range(n):时发现会出现worng，我估摸着描述写错了，改成m后就可以正确运行

然后，我发现k的值有两种，通过脚本分别将它们出现的次数进行统计

for i in range(m+1):
    q = 'Q '
    for j in range(m+1):
        if j==i:
            continue
        q += str(j+1)+' '
    p.sendline(q.encode())
    kplace = int(p.recvuntil(b'\n')[:-1].decode())
    if x == 0:
        x= kplace

    if x == kplace:
        cx +=1
    else:
        cy +=1
    print(cx,cy,kplace)

到现在为止，我们就获得了四种值，两个不同的k值，两个不同的k出现的次数，后面就挨个进行了一波fuzz，然后发现直接给cx值然后就能出，绝绝子。

完整脚本

from pwn import *
import re,hashlib,string,itertools


p = remote('120.79.12.160', 39385)
context.log_level="debug"
t = p.recvuntil(b'\n')
sha256_data = re.findall(b' with (.*?)\n',t)[0].decode()
table = string.printable
#print(table)
def get_t(code):
	for i in range(10000000):
		strs = 'TQLCTF' + str(i)
		if hashlib.sha256(strs.encode()).hexdigest()[:5] == code:
			return i

#t = p.recvuntil(b'Please input the string:')
p.send(str(get_t(sha256_data))+'\n')
p.recvuntil(b'start!')
p.recvuntil(b'n = ')
n = int(p.recvuntil(b',')[:-1].decode())
p.recvuntil(b'm = ')
m = int(p.recvuntil(b'\n')[:-1].decode())
x = 0
y = 0
cx = 1
cy = 1
#print(n,m)

for i in range(m+1):
	q = 'Q '
	for j in range(m+1):
		if j==i:
			continue
		q += str(j+1)+' '
	p.sendline(q.encode())
	kplace = int(p.recvuntil(b'\n')[:-1].decode())
	if x == 0:
		x= kplace

	if x == kplace:
		cx +=1
	else:
		cy +=1
	print(cx,cy,kplace)
	
cx = cx-1
p.sendline(('G ' + str(cx)).encode())
p.sendline(b'\n')
p.interactive()

Ranma½

直接打开乱码，vim查看获得文字

KGR/QRI 10656-1 zswtqgg d tnxcs tsdtofbrx osk ndnzhl gna Ietygfviy Idoilfvsu Arz (QQJ) hkkqk maikaglvusv ubyp cw ekg krzyj'o kitwkbj alypsdd.  Wjs rzvmebrwoa duwcuosu pqecgqamo cw ekg IFA, uussmpu, ysum aup qfxschljyk swks pcbb khxnsee drdoqpgpwfyv cbg xeupctzou, oql gneg ylv nsg bb zds upygzrxzkjh fq XVT-8, wpr uxxvnw qt wpvy isdz. XVT-8 kif zds tsdtofbrxegktf qt szryafmtqi hkm sahz LD-DUQLQ egjuv, auqjllvtc qfxschljvrehp hlvv iqyk omjehog, sieyafj lqf cwprx ocwezcfh bugp fvwb qb XA-NYYWZ gdniha oap oip wtoqacgnsee wq cwprx rocfhu. HTTPZB{QFOLP6_KRZ1Q}

显而易见的维吉尼亚密码，直接在线网站https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx爆破就行了

最后flag大写即可TQLCTF{CODIN6_WOR1D}，结果有点多，挨个试就行了