[b01lers2020]Scrambled

Post author: kinsey
Post link: <a href="https://kinsey973.github.io/2025/02/01/b01lers2020-Scrambled/" title="[b01lers2020]Scrambled">https://kinsey973.github.io/2025/02/01/b01lers2020-Scrambled/
Copyright Notice: All articles in this blog are licensed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh" target="_blank" rel="noopener" title="CC BY-NC-SA 4.0 "> unless otherwise stated.

打开网页，我们发现了一个非常可疑的cookie

暂时不知道有啥用，但我们多次刷新页面，发现cookie的kxkxkxkxsh一直不变，只有中间的数字有变化

看了大佬的wp发现

5c32表示flag第32位是c，而它的前一位为5
cd26表示flag第26位是d，而它的前一位为c
等等……

由此，我们可以编写脚本

import requests as rq
import re, urllib

flag = ['_'] * 42
url = "http://7f46b512-f523-4788-8e86-e6c8b3deb002.node3.buuoj.cn/"
cookies = {"frequency":"1","transmissions":"x"}

while True:
    res = rq.get(url, cookies=cookies)
    cookie = res.headers["Set-Cookie"].split(';')[3].split('=')[2].replace("kxkxkxkxsh","")
    cookie = urllib.parse.unquote(cookie)

    if len(cookie) == 4:
        index = int(cookie[-2:])
    else:
        index = int(cookie[-1])
    flag[index] = cookie[0]
    flag[index + 1] = cookie[1]

    print(''.join(flag))
    if '_' not in flag:
        break

得到flag