Writeup 4 [SEETF 2023]1337 Word Search
EXP 脚本:
importtime
defread_grid_from_file(filename):
"""从文件中读取字母网格"""
withopen(filename,'r')asf:
grid=[line.strip().upper()forlineinfifline.strip()]
returngrid
defsearch_in_grid(grid,target):
"""
在网格中搜索目标字符串(8个方向)
返回所有匹配的起始坐标和方向
"""
ifnotgridornottarget:
return[]
rows=len(grid)
cols=len(grid[0])
target=target.upper()
target_len=len(target)
# 8个方向:上、下、左、右、四个对角线
directions=[
(-1,0), # 上
(1,0), # 下
(0,-1), # 左
(0,1), # 右
(-1,-1), # 左上
(-1,1), # 右上
(1,-1), # 左下
(1,1) # 右下
]
results=[]
forrinrange(rows):
forcinrange(cols):
fordr,dcindirections:
# 检查边界
end_r=r+(target_len-1)*dr
end_c=c+(target_len-1)*dc
ifend_r<0orend_r>=rowsorend_c<0orend_c>=cols:
continue
# 提取字符串
found=[]
forkinrange(target_len):
nr,nc=r+k*dr,c+k*dc
found.append(grid[nr][nc])
found_str=''.join(found)
iffound_str==target:
results.append({
'start': (r,c),
'direction': (dr,dc),
'string':found_str
})
returnresults
deffind_all_strings(grid,min_len=4,max_len=None):
"""
提取网格中所有方向的字符串(用于盲搜flag)
"""
ifnotgrid:
return[]
rows=len(grid)
cols=len(grid[0])
ifmax_lenisNone:
max_len=max(rows,cols)
directions=[
(-1,0), (1,0), (0,-1), (0,1),
(-1,-1), (-1,1), (1,-1), (1,1)
]
all_strings=[]
forrinrange(rows):
forcinrange(cols):
fordr,dcindirections:
# 沿着方向尽可能提取长字符串
chars=[]
nr,nc=r,c
while0<=nr<rowsand0<=nc<cols:
chars.append(grid[nr][nc])
nr+=dr
nc+=dc
iflen(chars)>=min_len:
all_strings.append(''.join(chars))
returnall_strings
deffind_flag_by_pattern(grid,pattern_start="SEE{"):
"""
在网格所有方向的字符串中搜索以 pattern_start 开头的字符串
"""
pattern_start=pattern_start.upper()
all_strings=find_all_strings(grid,min_len=len(pattern_start))
candidates=[]
forsinall_strings:
ifs.startswith(pattern_start):
# 找到完整的flag(假设以}结尾)
if'}'ins:
end_idx=s.index('}')
flag=s[:end_idx+1]
candidates.append(flag)
else:
candidates.append(s)
returncandidates
# ========== 主程序 ==========
if__name__=="__main__":
# 记录开始时间
start_time=time.time()
start_time_str=time.strftime("%Y-%m-%d %H:%M:%S",time.localtime(start_time))
print("="*60)
print("单词搜索程序启动")
print(f"开始时间:{start_time_str}")
print("="*60)
# 方式1:如果你知道具体的flag字符串,直接搜索
# target_flag = "SEE{...}"
# results = search_in_grid(grid, target_flag)
# 方式2:盲搜所有以"SEE{"开头的字符串(推荐)
# 这里假设网格保存在 grid.txt 文件中
# 请根据实际情况修改文件名
try:
# 读取文件开始时间
read_start=time.time()
grid=read_grid_from_file("grid.txt")
read_end=time.time()
print(f"\n[文件读取] 耗时:{read_end-read_start:.4f}秒")
print(f"网格大小:{len(grid)}行 x{len(grid[0])}列")
print(f"总字符数:{len(grid)*len(grid[0])}")
# 搜索开始时间
search_start=time.time()
# 搜索所有以SEE{开头的字符串
flags=find_flag_by_pattern(grid)
search_end=time.time()
print(f"\n[搜索过程] 耗时:{search_end-search_start:.4f}秒")
ifflags:
print("\n"+"="*60)
print("找到可能的flag:")
print("="*60)
fori,flaginenumerate(flags):
print(f"{i+1}.{flag}")
# 转换为NSSCTF格式
ifflag.startswith("SEE{"):
nss_flag=flag.replace("SEE{","NSSCTF{",1)
print(f" NSS格式:{nss_flag}")
print("="*60)
else:
print("\n[提示] 未找到以SEE{开头的字符串,尝试搜索其他模式...")
# 备用:提取所有可能包含}的较长字符串
backup_start=time.time()
all_strs=find_all_strings(grid,min_len=10)
found_any=False
forsinall_strs:
if'{'insand'}'ins:
start=s.find('{')
ifstart>0:
potential=s[max(0,start-3):s.index('}')+1]
ifpotential.startswith("SEE"):
print(f"可能的部分flag片段:{potential}")
found_any=True
backup_end=time.time()
iffound_any:
print(f"\n[备用搜索] 耗时:{backup_end-backup_start:.4f}秒")
else:
print("未找到任何包含 flag 格式的字符串")
exceptFileNotFoundError:
print("\n[错误] 请将网格内容保存到 grid.txt 文件中")
print("或者直接在代码中定义 grid 变量,例如:")
print('''
grid = [
"ABCDEFG",
"HSEE{...",
...
]
''')
exceptExceptionase:
print(f"\n[错误] 发生异常:{e}")
# 记录结束时间
end_time=time.time()
end_time_str=time.strftime("%Y-%m-%d %H:%M:%S",time.localtime(end_time))
elapsed_time=end_time-start_time
print("\n"+"="*60)
print("程序运行完毕")
print(f"结束时间:{end_time_str}")
print(f"运行总耗时:{elapsed_time:.4f}秒 ({elapsed_time:.2f}秒)")
print("="*60)
运行结果:
============================================================
单词搜索程序启动
开始时间:2026-05-1516:08:48
============================================================
[文件读取]耗时:0.0212秒
网格大小:1337行x1337列
总字符数:1787569
[搜索过程]耗时:1375.3316秒
============================================================
找到可能的flag:
============================================================
1.SEE{X1TGZG2{CLF2WBCVSONYEOUEQQBKKXQGVBAQKP0RC0SE_VUQORCGUKAVRBSZHF}
NSS格式:NSSCTF{X1TGZG2{CLF2WBCVSONYEOUEQQBKKXQGVBAQKP0RC0SE_VUQORCGUKAVRBSZHF}
2.SEE{YOU_FOUND_ME_NOW_TRY_THE_1337ER_ONE}
NSS格式:NSSCTF{YOU_FOUND_ME_NOW_TRY_THE_1337ER_ONE}
3.SEE{EF12{VFJSHLNDPG{D7_LIQTIHNMG{LTUZKZJPBKPPPMU3ATHEOCA_EOAO14D{ZN5S3K1Z1_E2CUU0NVHPZF49AM}
NSS格式:NSSCTF{EF12{VFJSHLNDPG{D7_LIQTIHNMG{LTUZKZJPBKPPPMU3ATHEOCA_EOAO14D{ZN5S3K1Z1_E2CUU0NVHPZF49AM}
4.SEE{9IZ_YM5UHUH6{EOQZD{3SJQD5E59D1_LXAJ5KFHF6OQTJPOAHEZQN88SOGDQ{CGVL_WMP2EVQMCAZBGI24LUWJJQX57M8I}
NSS格式:NSSCTF{9IZ_YM5UHUH6{EOQZD{3SJQD5E59D1_LXAJ5KFHF6OQTJPOAHEZQN88SOGDQ{CGVL_WMP2EVQMCAZBGI24LUWJJQX57M8I}
5.SEE{BAQ7CKHMRVG2PFJIYZMPRK73AGUXQWOX{RVNRCRZ_QNOV2JKK9F9RBM{9ZQFD0IJC888YKOCAQHBIHUMRGILFDIEU}
NSS格式:NSSCTF{BAQ7CKHMRVG2PFJIYZMPRK73AGUXQWOX{RVNRCRZ_QNOV2JKK9F9RBM{9ZQFD0IJC888YKOCAQHBIHUMRGILFDIEU}
6.SEE{OOQGBYPQLVJBZDB4F9RVPOLCUMBHIB0TAJ5ONT13AHHEYX1CIEVRGRJZ6}
NSS格式:NSSCTF{OOQGBYPQLVJBZDB4F9RVPOLCUMBHIB0TAJ5ONT13AHHEYX1CIEVRGRJZ6}
============================================================
============================================================
程序运行完毕
结束时间:2026-05-1516:31:44
运行总耗时:1375.3540秒(1375.35秒)
============================================================
进程已结束,退出代码为0
flag是:
2. SEE{YOU_FOUND_ME_NOW_TRY_THE_1337ER_ONE}
NSS格式:NSSCTF{YOU_FOUND_ME_NOW_TRY_THE_1337ER_ONE}提交的时候,转成小写:
NSSCTF{you_found_me_now_try_the_1337er_one}