Try   HackMD

[EN] ASAP

tags:Writeup Pwn English

FlyDragon

Background knowledge

  • pwntools

Step.1

nc lotuxctf.com 10000 or checkserver.py
This challenge consists of two rounds:

  • Round 1:guess a number
  • Round 2:math questions

Step.2

Since you need to complete two rounds within one minute, it's not possible to solve this challenge by manual input. Instead, use pwntools to solve this challenge.



from pwn import *
r = remote("lotuxctf.com", 10000)

Step.3

After guessing the number in Round 1, you will receive a response telling you whether your guess is too big or too small. Binary search is a great choice to complete Round 2.


















while not number_found:
    #check the response and adjust leftmost/rightmost
    if("lower" in response):
        high_num = int(guess)
    elif("higher" in  response):
        low_num = int(guess)
    
    #guess the middle number
    guess = str((high_num+low_num) // 2)
    print(guess)
    r.sendline(guess.encode())
    
    #break the loop after find answer
    response = r.recvline().decode()
    print(response, end='')
    if "clear" in response:
        number_found = True

Step.4

Use a for loop to solve Round 2.






for i in range(101):
    question = r.recvuntil(b'=')[:-1].decode()
    ans = eval(question)
    print(f"Question{i+1}:"+question+f"={ans}")
    r.sendline(str(ans).encode())

Solve script

































from pwn import *

r = remote("lotuxctf.com", 10000)

print(r.recvline().decode())

low_num = 0
high_num = 10000000
guess = 0
number_found = False
response = ""
while not number_found:
    if("lower" in response):
        high_num = int(guess)
    elif("higher" in  response):
        low_num = int(guess)
    guess = str((high_num+low_num) // 2)
    print(guess)
    r.sendline(guess.encode())
    response = r.recvline().decode()
    print(response, end='')
    if "clear" in response:
        number_found = True
print(r.recvline().decode(), end='')
for i in range(101):
    question = r.recvuntil(b'=')[:-1].decode()
    ans = eval(question)
    print(f"Question{i+1}:"+question+f"={ans}")
    r.sendline(str(ans).encode())
print(r.recvline().decode())
    
r.close()
Last changed by 
LoTuX CTF
0
116

Read more

[CH] Cookie Stealer

[name=FlyDragon]

May 28, 2025
[EN] Cookie Stealer

[name=FlyDragon]

May 28, 2025
LoTuX CTF 投稿說明

在 LoTuX 平台上取得 2000 分以上

Apr 4, 2025
[EN] Rev C 2

[name=FlyDragon] Step.1 By observing output.txt and executing the code, it can be inferred that the program flag.exe will output the flag after shuffling it. Step.2 By examining main() using Ghidra, it can be discovered that this program reads in the contents of flag.txt and outputs them after performing specific swaps in a particular order. order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9]

Nov 1, 2023
Read more from LoTuX CTF
Published on HackMD