Baby Web is a web challenge that was part of the 2022 Jade CTF. To get the flag, we had to find the page numbers that always return the same output.

$ curl http://34.76.206.46:10008/?page=0
a
$ curl http://34.76.206.46:10008/?page=0
B
$ curl http://34.76.206.46:10008/?page=0
q

Solution

Write a script that sends the numbers 1 to 50 multiple times to the server:

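#!/bin/bash
# Request pages 1..50 three times; each pass prints one row of 50 characters.
for i in {1..3}
do
    for page in {1..50}
    do
        # Quote the URL so the shell does not treat "?" as a glob character.
        curl -s "http://34.76.206.46:10008/?page=$page"
    done
    echo ""
done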

Output:

$ ./curl.sh
m4kRiXgnOXRZgmOe17Vs_wD2NiY9177SM1B6W55TREZmtl8OYo
m4kNi5unywc3guqPTS6A_BOiYDge0tFoz1O9tz8ns3MResB9rZ
m4kWirlnDDt6gOoAfGQN_ebrTQQLxqbGE1cZJjOWWN8Ph7ikC1

This looks good: the characters that are identical in all three rows spell m4king_1.

Now we have to extend the range of numbers and print only the consistent outputs:

#!/usr/bin/env python3
import httpx

def solve_baby():
    url = "http://34.76.206.46:10008/?page="
    flag = []

    # Reuse one connection for all requests.
    with httpx.Client() as httpx_client:
        i = 0
        while True:  # runs until interrupted with Ctrl+C
            # Request the same page three times.
            response_texts = []
            for _ in range(3):
                r = httpx_client.get(url + str(i))
                response_texts.append(r.text)

            # A page belongs to the flag only if all three responses match.
            if len(set(response_texts)) == 1:
                flag.append(response_texts[0])
                print("i:", i, "flag:", "".join(flag))
            i += 1


if __name__ == "__main__":
    solve_baby()

Output:

$ solve.py
i: 1 flag: m
i: 2 flag: m4
i: 3 flag: m4k
i: 5 flag: m4ki
i: 8 flag: m4kin
i: 13 flag: m4king
i: 21 flag: m4king_
i: 34 flag: m4king_1
i: 55 flag: m4king_1t
i: 89 flag: m4king_1t_
i: 144 flag: m4king_1t_b
i: 233 flag: m4king_1t_b1
i: 377 flag: m4king_1t_b1g
i: 610 flag: m4king_1t_b1g_
^C

After 60 seconds, the time between valid outputs becomes too long. We have to stop the script and find a pattern to skip the invalid numbers.

When entering the valid numbers on https://oeis.org/, we were pointed to the Fibonacci sequence. The next valid number is always the sum of the two previous numbers.

#!/usr/bin/env python3
import httpx

def solve_baby():
    url = "http://34.76.206.46:10008/?page="

    with httpx.Client() as httpx_client:
        # i is the page to request; n1 and n2 are the two previous Fibonacci numbers.
        i, n1, n2 = 1, 1, 1
        while True:
            r = httpx_client.get(url + str(i)).text
            if r == "}":
                # The closing brace ends the flag.
                print("} i:", i)
                break
            print(r, end="", flush=True)
            # Advance to the next Fibonacci number.
            i = n1 + n2
            n1 = n2
            n2 = i


if __name__ == "__main__":
    solve_baby()

Output:

$ ./solve.py
m4king_1t_b1g_s0_th4t_y0u_h4ve_t0_scr1pt_jadeCTF{f1bonacci_FTW!}
    i: 17167680177565
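
The pattern can also be confirmed offline from the three curl.sh output rows above, without the OEIS lookup. The following is an added example, not part of the original solution; the function names are made up for illustration and the rows are copied from the output shown earlier.

```python
# Added example: recover the page-number pattern from the three curl.sh
# output rows shown in this writeup (pages 1..50, one character per page).
RUNS = [
    "m4kRiXgnOXRZgmOe17Vs_wD2NiY9177SM1B6W55TREZmtl8OYo",
    "m4kNi5unywc3guqPTS6A_BOiYDge0tFoz1O9tz8ns3MResB9rZ",
    "m4kWirlnDDt6gOoAfGQN_ebrTQQLxqbGE1cZJjOWWN8Ph7ikC1",
]


def stable_positions(runs, first_page=1):
    """Return [(page, char)] for pages whose response was identical in every run."""
    if len({len(r) for r in runs}) != 1:
        raise ValueError("runs must cover the same page range")
    return [
        (first_page + col, chars[0])
        for col, chars in enumerate(zip(*runs))
        if len(set(chars)) == 1
    ]


def is_additive(seq):
    """True if every term from the third on is the sum of the two before it."""
    return len(seq) >= 3 and all(
        seq[k] == seq[k - 1] + seq[k - 2] for k in range(2, len(seq))
    )


def extend(seq, count):
    """Continue an additive sequence by `count` further terms."""
    a, b = seq[-2], seq[-1]
    out = []
    for _ in range(count):
        a, b = b, a + b
        out.append(b)
    return out


if __name__ == "__main__":
    hits = stable_positions(RUNS)
    pages = [p for p, _ in hits]
    print("stable pages:", pages)
    print("prefix:", "".join(c for _, c in hits))
    if is_additive(pages):
        print("next pages to request:", extend(pages, 6))
```

With only three runs, a random page can match in all rows by coincidence; more runs lower that chance before the recurrence check is applied.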

Flag

The flag is “jadeCTF{f1bonacci_FTW!}”.