USTC HackerGame 2022 Writeup

博主： siscon
发布时间：2022 年 10 月 29 日
407 次浏览
2 条评论
7871字数
分类：默认分类

友情链接

某魏's Blog (tqlwsl.moe)

前言

时隔一年，又迎来了一年一度的hacker game，不得不说的是，去年也为了写题解而建了博客，只不过一直在咕而已TT。

P.S.今年我的排名可以说比去年高了整整几百名，并且整场比赛打下来也对于网络安全意识方面有着不止一星半点的提高。并且能取得这样的成绩也是我所没有预想到的，很开心的hhhhhh。

那么切入正题，今年的hacker game在打的过程中我能明显地感受到和去年不同，有些题目有思路，而且知道往哪里去想 ~~(虽然也不会做就是了)~~ 具体的做题顺序已经忘了，先从签到题开始说起。

签到

正解：进入网页，观察到需要画文字经由识别成2022签下即可拿到flag，但画字时间逐渐减小，所以说明存在其他解法，点击提交发现Url上增加query参数 ?result=????

将????更改为2022提交Url即可拿到flag

歪解：查看题解之后发现原网页模型识别基于点落得位置进行数字的判断，所以尝试

也是可行的。

猫咪问答喵

第一问：
谷歌USTC Nebula即可查询到此页面点击查看，查看到最后一段

中国科学技术大学“星云战队（Nebula）”成立于2017年3月

得到答案2017-03

第二问：
谷歌LUG活动，查询到历史FSD数据

点击slides查看到相关pdf

发现到关键字 Configure Kdenlive

猜测是Kdenlive ~~（注意首字母要大写）~~
尝试可得答案即为Kdenlive

第三问：
谷歌搜索firefox on windows 2000

上面写的是10，但是答案不对，尝试往上增加版本号，12即为正确版本号，其实帖子下面也说了，12是最后的版本）））但当时我没看见

QQ图片20221029162442.png

第四问：
找到 torvalds/linux.git的Github地址
转到commit尝试搜索argc无果后，搜索题中所给 CVE-2021-4034关键字得到commit结果
QQ图片20221029162920.png
复制即可得到答案 dcd46d897adb70d63e025f175a00a89797d31a43

第五问：
考察搜索引擎使用方法，直接搜肯定是不行的，引擎会自动拆分关键字，应该在引擎中搜索 "e4:ff:65:d7:be:5d:c8:44:1d:89:6b:50:f5:50:a0:ce"字段，引号表示强匹配，得到链接

进入查看可得网址为sdf.org 吻合题目说明域名为1996年创建

p.s.：其实一开始想太多了，还想到有没有什么方法可以从md5算法逆向出来原url，还是经过别人提醒才想到的搜索就行了，惭愧惭愧hhhhh

第六问：
谷歌搜索 USTC 网络通 20元发现啥都没有，进入官网搜索关键字网络通，经过一番查找定位到网字文件，尝试 2011-01-01发现答案不对，查看文件发现2003年存在老的网字文件，尝试即可得到答案为 2003-03-01

家目录里的秘密

下载题目zip

观察一通，发现flag可能藏在隐藏目录里，拿出everything，搜索到

存在两个可疑文件

rclone.conf 对应rclone
DUGV.c 对应vscode

打开DUGV.c，看到注释直接出现flag{finding_everything_through_vscode_config_file_932rjdakd}

打开rclone.conf，看到文本内容为

猜测从逆向密码入手

谷歌 how to reverse rclone password

慢慢搜索发现rclone forum有人提到
How to retrieve a 'crypt' password from a config file - Help and Support - rclone forum
应该是go写的，把代码稍作修改

package main
import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
    "encoding/base64"
    "errors"
    "fmt"
    "log"
)

// crypt internals
var (
    cryptKey = []byte{
        0x9c, 0x93, 0x5b, 0x48, 0x73, 0x0a, 0x55, 0x4d,
        0x6b, 0xfd, 0x7c, 0x63, 0xc8, 0x86, 0xa9, 0x2b,
        0xd3, 0x90, 0x19, 0x8e, 0xb8, 0x12, 0x8a, 0xfb,
        0xf4, 0xde, 0x16, 0x2b, 0x8b, 0x95, 0xf6, 0x38,
    }
    cryptBlock cipher.Block
    cryptRand  = rand.Reader
)

// crypt transforms in to out using iv under AES-CTR.
//
// in and out may be the same buffer.
//
// Note encryption and decryption are the same operation
func crypt(out, in, iv []byte) error {
    if cryptBlock == nil {
        var err error
        cryptBlock, err = aes.NewCipher(cryptKey)
        if err != nil {
            return err
        }
    }
    stream := cipher.NewCTR(cryptBlock, iv)
    stream.XORKeyStream(out, in)
    return nil
}

// Reveal an obscured value
func Reveal(x string) (string, error) {
    ciphertext, err := base64.RawURLEncoding.DecodeString(x)
    if err != nil {
        return "", fmt.Errorf("base64 decode failed when revealing password - is it obscured? %w", err)
    }
    if len(ciphertext) < aes.BlockSize {
        return "", errors.New("input too short when revealing password - is it obscured?")
    }
    buf := ciphertext[aes.BlockSize:]
    iv := ciphertext[:aes.BlockSize]
    if err := crypt(buf, buf, iv); err != nil {
        return "", fmt.Errorf("decrypt failed when revealing password - is it obscured? %w", err)
    }
    return string(buf), nil
}

// MustReveal reveals an obscured value, exiting with a fatal error if it failed
func MustReveal(x string) string {
    out, err := Reveal(x)
    if err != nil {
        log.Fatalf("Reveal failed: %v", err)
    }
    return out
}

func main() {
    fmt.Println(MustReveal("tqqTq4tmQRDZ0sT_leJr7-WtCiHVXSMrVN49dWELPH1uce-5DPiuDtjBUN3EI38zvewgN5JaZqAirNnLlsQ"))
}

扔到一个在线go后端跑一下，得到flag

HeiLang

作为一名理工男，不觉得这道题很酷吗，完全符合我对未来生活的想象，科技并带着趣味😎

下载题目附件

点开发现酷炸了，一千多行

既然如此我也耍个酷，写个简短的c#程序处理一下文件（把文件的前面和后面多余代码全部去掉，只留下科技与狠活的位置）

static void Main(string[] args)
{
        string text = "";
        var lines = File.ReadLines("txt.txt");
        foreach (var line in lines)
        {
            var ansandre = line.Split("=");
            var anses = ansandre[0];
            var re = ansandre[1];
            var anss = anses.Replace("a[", "").Replace("]", "").Split("|");
            foreach (var ans in anss)
            {
                text += $"a[{ans.Trim()}]={re.Trim()}\n";
            }
        }
        File.WriteAllText("txt1.txt", text);
    }
}

处理完后把科技与狠活粘贴回去

此时我们已经对helang的语言进行了全面的翻译，这时进行运行即可得到何同学赋予我们最终的答案。

Tha flag is: flag{6d9ad6e9a6268d96-add67fb6bea2f786}

Xcaptcha

进入题目

点击图片后出现如下题目，且停留时间只有一秒钟

解题思路是用c#请求页面，然后正则取出对应的值，用大整数类进行计算然后post回去，但是当时不论怎么尝试都显示已经超过1s，百思不得解，后来魏佬提醒每次新题都会下发新的session，需要进行session的替换，所以得到flag，代码如下：

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Numerics;
using System.Text;
using System.Text.RegularExpressions;

namespace test
{
    class Program
    {
        public static List<string> StartPos = new();
        public static List<string> EndPos = new();
        public static List<string> Flight = new();

        public static string Session = "";
        static void Main(string[] args)
        {
            var con = GetHttp("http://202.38.93.111:10047/xcaptcha");
            var match1 = Regex.Match(con, @"(?<=( <label for=""captcha1"">)).*(?=( 的结果是？</label>))");
            var match2 = Regex.Match(con, @"(?<=( <label for=""captcha2"">)).*(?=( 的结果是？</label>))");
            var match3 = Regex.Match(con, @"(?<=( <label for=""captcha3"">)).*(?=( 的结果是？</label>))");
            string num1, num2, num3, num4, num5, num6;
            num1 = match1.Value.Split("+")[0];
            num2 = match1.Value.Split("+")[1];
            num3 = match2.Value.Split("+")[0];
            num4 = match2.Value.Split("+")[1];
            num5 = match3.Value.Split("+")[0];
            num6 = match3.Value.Split("+")[1];
            Console.WriteLine(PostHttp("http://202.38.93.111:10047/xcaptcha",
                $"captcha1={BigInteger.Parse(num1) + BigInteger.Parse(num2)}&captcha2={BigInteger.Parse(num3) + BigInteger.Parse(num4)}&captcha3={BigInteger.Parse(num5) + BigInteger.Parse(num6)}"));
        }


        public static string GetHttp(string url)
        {
            HttpWebRequest request = (HttpWebRequest) WebRequest.Create(url);
            request.Method = "GET";
            request.ContentType = "text/html; charset=UTF-8";
            request.Headers.Add("Cookie",
                "DOKU_PREFS=list#rows#sort#name; session=.eJwVUMlOQlEM_Ze3fomdBxIXjAaeQkwkuFVAERRlUEiM_-5l0UV7eob2tzouz8eqVaGZAycoJSaFOmudiOgSxEnCaoJBEGASQBGWyEqeUVsIOKNbEjMHm6ISuCF4hCgpMCDWKeFg7KSFV7RUkpQQ1dQJIAiNhWtCAHQPJODwIh3JnGacWeYlH1qAa01paCmFqiAeZYNQSrGrkCIVZwvlOkAA1b0ku8CRfrktUVNY_CJ_Marq6vi5WW7LJ0qrrbv-fXfYhdVksu-s50t88nOzHTSLKc5uD_PhwTk-9DmaMXzvbmD30H5rb86jEze9_SI63psNBuNpu1ntOuv-y9do-_izf7866XQ1X2_Pr9fX1d8_HZBbKQ.Y1z_TA.Fhw3bYP9PAmTMnAvS2sTAg0ut3E");
            HttpWebResponse response = (HttpWebResponse) request.GetResponse();
            Session = response.Headers.Get(name: "set-cookie");
            Stream myResponseStream = response.GetResponseStream();
            StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding("utf-8"));
            string retString = myStreamReader.ReadToEnd();
            myResponseStream.Close();
            myResponseStream.Close();
            return retString;
        }

        public static string PostHttp(string url, string postData)
        {
            HttpWebRequest request = (HttpWebRequest) WebRequest.Create(url);
            var data = Encoding.ASCII.GetBytes(postData);
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = data.Length;
            request.Headers.Add("Cookie", Session);
            using (var stream = request.GetRequestStream())
            {
                stream.Write(data, 0, data.Length);
            }

            var response = (HttpWebResponse) request.GetResponse();
            Stream myResponseStream = response.GetResponseStream();
            StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding("utf-8"));
            string retString = myStreamReader.ReadToEnd();
            myResponseStream.Close();
            myResponseStream.Close();
            return retString;
        }
    }
}

即可得到flag：flag{head1E55_br0w5er_and_ReQuEsTs_areallyour_FR1ENd_45339267b3}

旅行照片2.0

travel-photo

第一问

上传至exif信息网站即可获得

即可获得答案：

第二问

通过分析照片上远处建筑物牌子上的字即可发现信息

看出来是ZOZOXXXXXXX Staduim 谷歌得到是zozo marine stadium 题目上说是拍照人所在地点的邮政编码 ~~（并非体育馆邮政编码）~~

得到附近酒店邮编为2610021 ~~（体育馆邮编是2610020）~~

通过上一题juice sm6115＋xiaomi可搜到是红米Note9，闪光灯位置也可以通过反光看出来很吻合。
所以答案为2340x1080

难点在于航班，首先看到是下午六点二十三分左右拍摄得到，是日本东京时间，所以搜索flightaware在时间点附近的航班逐一排除即可。根据飞机飞向可得是东北方向，所有离港航班均会经过此处，进港航班全部排除掉，所以暴力搜索可得

即可得到flag

Latex机器人

谷歌Latex inject得到

所以得到flag

第二问不会，当时想着是要执行shell的

\immediate\write18{}

结果试了好久也没尝试出来。

Flag的痕迹

这一题是随便尝试出来的，首先尝试了?rev=1666291980
因为发现规律是rev的赋值是修改的时间戳，结果发现

然后又尝试了

发现revision相关的功能都寄了

走投无路之下，尝试了http://202.38.93.111:15004/doku.php?id=start&rev=1666292040&do=diff

diff功能是比对两次文件的修改

拿到flag

线路板

下载zip

用kicad打开ebaz_sdr-F_Cu.gbr，打开显示边界可以看出来flag

请输入图片描述

Flag自动机

下载zip

个人认为是这场比赛最满意的一题，因为是人生中第一次做出binary。

打开软件，发现点不到狠心读取。

用ida打开
经过分析可得exit函数引用如下
请输入图片描述

分析主要函数在sub_401510

考虑动态调试干掉前面判断
用x32附加进程

把401840之前的函数全部nop掉，让他进入执行即可得到flag

杯窗鹅影

第一问

很简单，写个读取文件的c就好了

#include <stdio.h>

int main(void)
{
    int ch;
    FILE *fp;
    fp = fopen("/flag1", "r");
    while ((ch = fgetc(fp)) != EOF)
    {
        putchar(ch);
    }
    return 0;
}

得到flag

第二问(NOT SOLVED)

当时考虑的是使用win32api的CreatProcess函数创建/readflag进程，结果不知道为什么在服务器端一直都无法调起进程，导致这问完全不会了）思路就这么僵死了

惜字如金

第一问

HS384脚本如下

#!/usr/bin/python3

# Th siz of th fil may reduc after XZRJification

from bas64 import urlsaf_b64encod
from hashlib import sha384
from hmac import digest
from sys import argv


def check_equals(left, right):
    # check whether left == right or not
    if left != right: exit(0x01)


def sign(fil: str):
    with open(fil, 'rb') as f:
        # import secret
        secret = b'ustc.edu.cn'
        check_equals(len(secret), 39)
        # check secret hash
        secret_sha384 = 'ec18f9dbc4aba825c7d4f9c726db1cb0d0babf47f' +\
                        'a170f33d53bc62074271866a4e4d1325dc27f644fdad'
        check_equals(sha384(secret).hexdigest(), secret_sha384)
        # generat th signatur
        return digest(secret, f.read(), sha384)


if __nam__ == '__main__':
    try:
        # check som obvious things
        check_equals('creat', 'cr' + 'at')
        check_equals('referer', 'refer' + 'rer')
        # generat th signatur
        check_equals(len(argv), 2)
        sign_b64 = urlsaf_b64encod(sign(argv[1]))
        print('HS384 sign:', sign_b64.decod('utf-8'))
    except (SystemExit, Exception):
        print('Usag' + 'e: HS384.py <fil' + 'e>')

可以看出来这是一份被惜字如金过的脚本，观察secret应该是有39位的，且有供验证secret具体值的sha384，所以分析secret被惜字如金前的排列组合

首先分为两类：一类是辅音字母消除，一类是元音字母消除元音字母分为两种：一类是原先就没有e的，另一种是e跟在c后面的，也就是ustce.edu.cn,一类是e在n后面的，也就是ustc.edu.cne，最后一种是包含两种状态ustce.edu.cne。

辅音字母包含s,t,c,d,c,n重复的状态，也就是有可能为ussstttttcc.eduuuu.cccccccccn这种组合，也就是说，可以循环遍历每一位上所有组合并叠加，符合总位数为39位，进行sha384和脚本中的验证值中的一串数字作为比较即可（选择数字是因为数字不会被惜字如金）。

以下是寻找secret值的脚本

// us |a| t |b| c |c|.ed |d| u.c |e| n |f|
//39
// ustc.edu.cn

using System.Security.Cryptography;
using System.Text;
using Utils.Encrypt;

namespace ConsoleApp1;

public static class Program
{
    public static void Main()
    {
        string sa = "us";
        string sb = "t";
        string sc = "c";
        string sd = ".ed";
        string se = "u.c";
        string sf = "n";
        string result = "";
        //no e
        {
            for (int a = 0; a <= 28; a++)//s
            {
                for (int b = 0; b <= 28; b++)//t
                {
                    for (int c = 0; c <= 28; c++)//c
                    {
                        for (int d = 0; d <= 28; d++)//d
                        {
                            for (int e = 0; e <= 28; e++)//c
                            {
                                for (int f = 0; f <= 28; f++)//n
                                {
                                    if (a + b + c + d + e + f == 28)
                                    {
                                        result += sa;
                                        for (int i = 0; i < a; i++)
                                        {
                                            result += "s";
                                        }
                                        result += sb;
                                        for (int i = 0; i < b; i++)
                                        {
                                            result += "t";
                                        }
                                        result += sc;
                                        for (int i = 0; i < c; i++)
                                        {
                                            result += "c";
                                        }
                                        result += sd;
                                        for (int i = 0; i < d; i++)
                                        {
                                            result += "d";
                                        }
                                        result += se;
                                        for (int i = 0; i < e; i++)
                                        {
                                            result += "c";
                                        }
                                        result += sf;
                                        for (int i = 0; i < f; i++)
                                        {
                                            result += "n";
                                        }
                                        if (Hash.SHA384(result).Contains("62074271866"))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = "";
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = "us";
        sb = "t";
        sc = "c";
        sd = "e.ed";
        se = "u.c";
        sf = "n";
        result = "";
        
        //ustce.edu.cn
        //e after c
        {
            for (int a = 0; a <= 27; a++)
            {
                for (int b = 0; b <= 27; b++)
                {
                    for (int c = 0; c <= 27; c++)
                    {
                        for (int d = 0; d <= 27; d++)
                        {
                            for (int e = 0; e <= 27; e++)
                            {
                                for (int f = 0; f <= 27; f++)
                                {
                                    if (a + b + c + d + e + f == 27)
                                    {
                                        result += sa;
                                        for (int i = 0; i < a; i++)
                                        {
                                            result += "s";
                                        }

                                        result += sb;
                                        for (int i = 0; i < b; i++)
                                        {
                                            result += "t";
                                        }

                                        result += sc;
                                        for (int i = 0; i < c; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sd;
                                        for (int i = 0; i < d; i++)
                                        {
                                            result += "d";
                                        }

                                        result += se;
                                        for (int i = 0; i < e; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sf;
                                        for (int i = 0; i < f; i++)
                                        {
                                            result += "n";
                                        }

                                        if (Hash.SHA384(result).Contains("62074271866"))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = "";
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = "us";
        sb = "t";
        sc = "c";
        sd = ".ed";
        se = "u.c";
        sf = "n";
        result = "";
        
        //ustc.edu.cne
        //e after n
        {
            for (int a = 0; a <= 27; a++)
            {
                for (int b = 0; b <= 27; b++)
                {
                    for (int c = 0; c <= 27; c++)
                    {
                        for (int d = 0; d <= 27; d++)
                        {
                            for (int e = 0; e <= 27; e++)
                            {
                                for (int f = 0; f <= 27; f++)
                                {
                                    if (a + b + c + d + e + f == 27)
                                    {
                                        result += sa;
                                        for (int i = 0; i < a; i++)
                                        {
                                            result += "s";
                                        }

                                        result += sb;
                                        for (int i = 0; i < b; i++)
                                        {
                                            result += "t";
                                        }

                                        result += sc;
                                        for (int i = 0; i < c; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sd;
                                        for (int i = 0; i < d; i++)
                                        {
                                            result += "d";
                                        }

                                        result += se;
                                        for (int i = 0; i < e; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sf;
                                        for (int i = 0; i < f; i++)
                                        {
                                            result += "n";
                                        }

                                        result += "e";
                                        if (Hash.SHA384(result).Contains("62074271866"))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = "";
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = "us";
        sb = "t";
        sc = "c";
        sd = "e.ed";
        se = "u.c";
        sf = "n";
        result = "";
        //ustce.edu.cne
        //e after c and n
        {
            for (int a = 0; a <= 26; a++)
            {
                for (int b = 0; b <= 26; b++)
                {
                    for (int c = 0; c <= 26; c++)
                    {
                        for (int d = 0; d <= 26; d++)
                        {
                            for (int e = 0; e <= 26; e++)
                            {
                                for (int f = 0; f <= 26; f++)
                                {
                                    if (a + b + c + d + e + f == 26)
                                    {
                                        result += sa;
                                        for (int i = 0; i < a; i++)
                                        {
                                            result += "s";
                                        }

                                        result += sb;
                                        for (int i = 0; i < b; i++)
                                        {
                                            result += "t";
                                        }

                                        result += sc;
                                        for (int i = 0; i < c; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sd;
                                        for (int i = 0; i < d; i++)
                                        {
                                            result += "d";
                                        }

                                        result += se;
                                        for (int i = 0; i < e; i++)
                                        {
                                            result += "c";
                                        }

                                        result += sf;
                                        for (int i = 0; i < f; i++)
                                        {
                                            result += "n";
                                        }

                                        result += "e";
                                        if (SHA384Encrypt(result).Contains("a825c"))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = "";
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    
    /// <summary>
    /// SHA384加密，不可逆转
    /// </summary>
    /// <param name="str">string str:被加密的字符串</param>
    /// <returns>返回加密后的字符串</returns>
    public static string SHA384Encrypt(string str)
    {
        SHA384 sha384 = SHA384CryptoServiceProvider.Create();
        return Convert.ToBase64String(sha384.ComputeHash(Encoding.Default.GetBytes(str)));
    }

    public static void Run()
    {
        
    }
}

是的，极其暴力的搜索，最终得到答案：usssttttttce.edddddu.ccccccnnnnnnnnnnnn
有了secret即可拿到flag

第二问(NOT SOLVED)

不会）））

光与影

打开之后分析render-main.js
发现主要调用的是fragment-shader.js的文件
打开文件发现是shader相关内容

定位分析到这个函数最可疑

经过写unity的经验，trans代表transform，pTO变量后面还有scale字样，猜测pTO可能是flag有关的参数。
修改scale的值发现flag被拉伸

调整trans的值发现flag有位移

修改如下，即可使flag偏移出来

得到flag

片上系统

下载题目附件

第一问

朋友介绍了SDCARD_SPI模式的原理和信号特征，打开pulseview，打开文件并调整为SD Card(SPI Mode)
调整信道对应如下

得到扇区信号如下

FF FF FF FF FF FF 01 FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FE 37 01 10 20 13 01 C1 FF EF 00 00 01 37 15 00 20 67 00 05 00 6F 00 40 00 B7 07 00 20 83 A8 87 0B B7 07 00 20 83 A5 47 0A B7 07 00 20 03 AF 47 0B B7 07 00 20 83 AE 07 0B B7 07 00 20 03 A8 C7 09 13 05 10 00 13 86 08 20 13 0E 10 00 13 03 70 00 83 A7 05 00 E3 8E 07 FE 23 20 AF 00 23 A0 CE 01 83 A7 05 00 E3 8E 07 FE 93 87 08 00 13 07 08 00 83 A6 07 00 13 07 47 00 93 87 47 00 23 2E D7 FE E3 98 C7 FE 13 05 15 00 13 08 08 20 E3 12 65 FC B7 12 00 20 67 80 02 00 67 80 00 00 00 10 00 20 14 20 00 96 10 20 00 96 00 20 00 96 08 10 00 96 04 10 00 96 00 10 00 96 00 00 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 6C 61 67 7B 30 4B 5F 79 6F 75 5F 67 6F 54 5F 74 68 33 5F 62 34 73 49 63 5F 31 64 45 34 5F 63 61 52 52 79 5F 30 4E 7D B0 E5 FF

使用十六进制转文本即可查看到末尾flag

第二问(NOT SOLVED)

依旧不会）

企鹅拼盘

题目附件下载

第一问

暴力尝试得出）

第二问第三问(NOT SOLVED)

不会）

火眼金睛的小 E

第一问

下载两个binary文件bindiff分析，软件使用不再展开详细讲解

ps：如果有找不到的match函数需要在unmatched列表里找大致相同的

第二问第三问(NOT SOLVED)

依旧不会）

后记

今年会做的题目也就只有这些了）有些题目是有思路的，但是碍于自身知识欠缺，并没有解出，直到看官方题解才恍然大悟，哦~ 原来是这样的。那么今年就到这里了，我们明年HackerGame再见w~

最后修改：2023 年 11 月 11 日

如果觉得我的文章对你有用，请随意赞赏

2 条评论

某魏
November 6th, 2022 at 02:56 am

太强了！妹控聚聚教教

回复
1. siscon
  November 6th, 2022 at 11:56 am
  
  @某魏
  
  魏佬教教math🥺
  
  回复

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

评论 *

私密评论

名称 *

🎲

邮箱 *

地址

USTC HackerGame 2022 Writeup

siscon • 2022 年 10 月 29 日

<h3>友情链接</h3><a class="no-external-link" href="https://tqlwsl.moe/index.php/archives/1768/" target="_blank">某魏&#39;s Blog (tqlwsl.moe)</a><h3>前言</h3>时隔一年，又迎来了一年一度的hacker game，不得不说的是，去年也为了写题解而建了博客，只不过一直在咕而已TT。<img src="http://blog.siscon.top/usr/uploads/2022/11/2994594937.png" alt="image.png" title="image.png" style="">P.S.今年我的排名可以说比去年高了整整几百名，并且整场比赛打下来也对于网络安全意识方面有着不止一星半点的提高。并且能取得这样的成绩也是我所没有预想到的，很开心的hhhhhh。那么切入正题，今年的hacker game在打的过程中我能明显地感受到和去年不同，有些题目有思路，而且知道往哪里去想 <del>(虽然也不会做就是了)</del> 具体的做题顺序已经忘了，先从签到题开始说起。<h3>签到</h3>正解：进入网页，观察到需要画文字经由识别成2022签下即可拿到flag，但画字时间逐渐减小，所以说明存在其他解法，点击提交发现Url上增加query参数 <code>?result=????</code><img src="http://blog.siscon.top/usr/uploads/2022/10/2175028732.png" alt="p1-1.png" title="p1-1.png" style="">将????更改为2022提交Url即可拿到flag<img src="http://blog.siscon.top/usr/uploads/2022/10/2426848883.png" alt="p1-3.png" title="p1-3.png" style="">歪解：查看<a class="no-external-link" href="https://github.com/USTC-Hackergame/hackergame2022-writeups/blob/master/official/%E7%AD%BE%E5%88%B0/README.md" target="_blank">题解</a>之后发现原网页模型识别基于点落得位置进行数字的判断，所以尝试<img src="http://blog.siscon.top/usr/uploads/2022/10/948078618.png" alt="p1-2.png" title="p1-2.png" style="">也是可行的。<h3>猫咪问答喵</h3><img src="http://blog.siscon.top/usr/uploads/2022/10/1226375544.png" alt="meow-problem.png" title="meow-problem.png" style="">第一问： 谷歌USTC Nebula即可查询到此页面<a class="no-external-link" href="http://cybersec.ustc.edu.cn/2022/0826/c23847a565848/page.htm" target="_blank">点击查看</a>，查看到最后一段<blockquote>中国科学技术大学“星云战队（Nebula）”成立于2017年3月</blockquote>得到答案2017-03第二问： 谷歌LUG活动，查询到<a class="no-external-link" href="https://lug.ustc.edu.cn/wiki/lug/events/sfd/" target="_blank">历史FSD数据</a><img src="http://blog.siscon.top/usr/uploads/2022/10/3983089389.png" alt="sfd.png" title="sfd.png" style="">点击slides查看到<a class="no-external-link" href="https://ftp.lug.ustc.edu.cn/%E6%B4%BB%E5%8A%A8/2022.9.20_%E8%BD%AF%E4%BB%B6%E8%87%AA%E7%94%B1%E6%97%A5/slides/gnome-wayland-user-perspective.pdf" target="_blank">相关pdf</a><img src="http://blog.siscon.top/usr/uploads/2022/10/1800623953.png" alt="kdenlive.png" title="kdenlive.png" style="">发现到关键字 <code>Configure Kdenlive</code>猜测是Kdenlive <del>（注意首字母要大写）</del> 尝试可得答案即为Kdenlive第三问： 谷歌搜索firefox on windows 2000<img src="http://blog.siscon.top/usr/uploads/2022/10/1510784113.png" alt="google-firefox.png" title="google-firefox.png" style="">上面写的是10，但是答案不对，尝试往上增加版本号，12即为正确版本号，其实帖子下面也说了，12是最后的版本）））但当时我没看见<img src="http://blog.siscon.top/usr/uploads/2022/10/3067347366.png" alt="QQ图片20221029162442.png" title="QQ图片20221029162442.png" style="">第四问： 找到 <code>torvalds/linux.git</code>的<a class="no-external-link" href="https://github.com/torvalds/linux" target="_blank">Github地址</a> 转到commit尝试搜索argc无果后，搜索题中所给 <code>CVE-2021-4034</code>关键字得到commit结果 <img src="http://blog.siscon.top/usr/uploads/2022/10/125778036.png" alt="QQ图片20221029162920.png" title="QQ图片20221029162920.png" style=""> 复制即可得到答案 dcd46d897adb70d63e025f175a00a89797d31a43第五问： 考察搜索引擎使用方法，直接搜肯定是不行的，引擎会自动拆分关键字，应该在引擎中搜索 <code>&quot;e4:ff:65:d7:be:5d:c8:44:1d:89:6b:50:f5:50:a0:ce&quot;</code>字段，引号表示强匹配，得到链接<img src="http://blog.siscon.top/usr/uploads/2022/10/1957465898.png" alt="sdf-1.png" title="sdf-1.png" style=""> <img src="http://blog.siscon.top/usr/uploads/2022/10/1243343703.png" alt="sdf-2.png" title="sdf-2.png" style=""><a class="no-external-link" href="https://gist.github.com/jandryuk/61b286220447300ba9dca0faa26526dd" target="_blank">进入查看</a>可得网址为sdf.org 吻合题目说明域名为1996年创建p.s.：其实一开始想太多了，还想到有没有什么方法可以从md5算法逆向出来原url，还是经过别人提醒才想到的搜索就行了，惭愧惭愧hhhhh第六问： 谷歌搜索 <code>USTC 网络通 20元</code>发现啥都没有，进入<a class="no-external-link" href="https://ustcnet.ustc.edu.cn/main.htm" target="_blank">官网</a>搜索关键字网络通，经过一番查找定位到<a class="no-external-link" href="https://ustcnet.ustc.edu.cn/2010/1210/c11109a210869/page.htm" target="_blank">网字文件</a>，尝试 <code>2011-01-01</code>发现答案不对，查看文件发现2003年存在老的<a class="no-external-link" href="https://ustcnet.ustc.edu.cn/2003/0301/c11109a210890/page.htm" target="_blank">网字文件</a>，尝试即可得到答案为 <code>2003-03-01</code><h3>家目录里的秘密</h3><img src="http://blog.siscon.top/usr/uploads/2022/10/832147458.png" alt="image.png" title="image.png" style=""><a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/10/3512922693.zip" target="_blank">下载题目zip</a>观察一通，发现flag可能藏在隐藏目录里，拿出everything，搜索到 <img src="http://blog.siscon.top/usr/uploads/2022/10/3182912586.png" alt="image.png" title="image.png" style=""> 存在两个可疑文件<blockquote>rclone.conf 对应rcloneDUGV.c 对应vscode</blockquote>打开DUGV.c，看到注释直接出现<code>flag{finding_everything_through_vscode_config_file_932rjdakd}</code><img src="http://blog.siscon.top/usr/uploads/2022/10/2666132247.png" alt="image.png" title="image.png" style="">打开rclone.conf，看到文本内容为<img src="http://blog.siscon.top/usr/uploads/2022/10/2117171363.png" alt="image.png" title="image.png" style="">猜测从逆向密码入手谷歌 <code>how to reverse rclone password</code>慢慢搜索发现rclone forum有人提到 <a class="no-external-link" href="https://forum.rclone.org/t/how-to-retrieve-a-crypt-password-from-a-config-file/20051" target="_blank">How to retrieve a &#39;crypt&#39; password from a config file - Help and Support - rclone forum</a> 应该是go写的，把代码稍作修改<pre><code>package main
import (
 &quot;crypto/aes&quot;
 &quot;crypto/cipher&quot;
 &quot;crypto/rand&quot;
 &quot;encoding/base64&quot;
 &quot;errors&quot;
 &quot;fmt&quot;
 &quot;log&quot;
)

// crypt internals
var (
    cryptKey = []byte{
        0x9c, 0x93, 0x5b, 0x48, 0x73, 0x0a, 0x55, 0x4d,
        0x6b, 0xfd, 0x7c, 0x63, 0xc8, 0x86, 0xa9, 0x2b,
        0xd3, 0x90, 0x19, 0x8e, 0xb8, 0x12, 0x8a, 0xfb,
        0xf4, 0xde, 0x16, 0x2b, 0x8b, 0x95, 0xf6, 0x38,
    }
    cryptBlock cipher.Block
    cryptRand  = rand.Reader
)

// crypt transforms in to out using iv under AES-CTR.
//
// in and out may be the same buffer.
//
// Note encryption and decryption are the same operation
func crypt(out, in, iv []byte) error {
    if cryptBlock == nil {
        var err error
        cryptBlock, err = aes.NewCipher(cryptKey)
        if err != nil {
            return err
        }
    }
    stream := cipher.NewCTR(cryptBlock, iv)
    stream.XORKeyStream(out, in)
    return nil
}

// Reveal an obscured value
func Reveal(x string) (string, error) {
    ciphertext, err := base64.RawURLEncoding.DecodeString(x)
    if err != nil {
        return &quot;&quot;, fmt.Errorf(&quot;base64 decode failed when revealing password - is it obscured? %w&quot;, err)
    }
    if len(ciphertext) &lt; aes.BlockSize {
        return &quot;&quot;, errors.New(&quot;input too short when revealing password - is it obscured?&quot;)
    }
    buf := ciphertext[aes.BlockSize:]
    iv := ciphertext[:aes.BlockSize]
    if err := crypt(buf, buf, iv); err != nil {
        return &quot;&quot;, fmt.Errorf(&quot;decrypt failed when revealing password - is it obscured? %w&quot;, err)
    }
    return string(buf), nil
}

// MustReveal reveals an obscured value, exiting with a fatal error if it failed
func MustReveal(x string) string {
    out, err := Reveal(x)
    if err != nil {
        log.Fatalf(&quot;Reveal failed: %v&quot;, err)
    }
    return out
}

func main() {
 fmt.Println(MustReveal(&quot;tqqTq4tmQRDZ0sT_leJr7-WtCiHVXSMrVN49dWELPH1uce-5DPiuDtjBUN3EI38zvewgN5JaZqAirNnLlsQ&quot;))
}</code></pre>扔到一个在线go后端跑一下，得到flag<img src="http://blog.siscon.top/usr/uploads/2022/10/700243235.png" alt="image.png" title="image.png" style=""><h3>HeiLang</h3><img src="http://blog.siscon.top/usr/uploads/2022/10/108560213.png" alt="image.png" title="image.png" style="">作为一名理工男，不觉得这道题很酷吗，完全符合我对未来生活的想象，科技并带着趣味😎<a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/10/307042619.txt" target="_blank">下载题目附件</a>点开发现酷炸了，一千多行<img src="http://blog.siscon.top/usr/uploads/2022/10/20786512.png" alt="image.png" title="image.png" style="">既然如此我也耍个酷，写个简短的c#程序处理一下文件（把文件的前面和后面多余代码全部去掉，只留下科技与狠活的位置）<pre><code>static void Main(string[] args)
{
 string text = &quot;&quot;;
 var lines = File.ReadLines(&quot;txt.txt&quot;);
 foreach (var line in lines)
 {
 var ansandre = line.Split(&quot;=&quot;);
 var anses = ansandre[0];
 var re = ansandre[1];
 var anss = anses.Replace(&quot;a[&quot;, &quot;&quot;).Replace(&quot;]&quot;, &quot;&quot;).Split(&quot;|&quot;);
 foreach (var ans in anss)
 {
 text += $&quot;a[{ans.Trim()}]={re.Trim()}\n&quot;;
 }
 }
 File.WriteAllText(&quot;txt1.txt&quot;, text);
 }
}</code></pre>处理完后把科技与狠活粘贴回去<img src="http://blog.siscon.top/usr/uploads/2022/10/357125452.png" alt="image.png" title="image.png" style="">此时我们已经对helang的语言进行了全面的翻译，这时进行运行即可得到何同学赋予我们最终的答案。<code>Tha flag is: flag{6d9ad6e9a6268d96-add67fb6bea2f786}</code><h3>Xcaptcha</h3><img src="http://blog.siscon.top/usr/uploads/2022/10/234686829.png" alt="image.png" title="image.png" style="">进入题目<img src="http://blog.siscon.top/usr/uploads/2022/10/2587366740.png" alt="image.png" title="image.png" style="">点击图片后出现如下题目，且停留时间只有一秒钟<img src="http://blog.siscon.top/usr/uploads/2022/10/2499437767.png" alt="image.png" title="image.png" style="">解题思路是用c#请求页面，然后正则取出对应的值，用大整数类进行计算然后post回去，但是当时不论怎么尝试都显示已经超过1s，百思不得解，后来魏佬提醒每次新题都会下发新的session，需要进行session的替换，所以得到flag，代码如下：<pre><code>using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Numerics;
using System.Text;
using System.Text.RegularExpressions;

namespace test
{
    class Program
    {
        public static List&lt;string&gt; StartPos = new();
        public static List&lt;string&gt; EndPos = new();
        public static List&lt;string&gt; Flight = new();

public static string Session = &quot;&quot;;
        static void Main(string[] args)
        {
            var con = GetHttp(&quot;http://202.38.93.111:10047/xcaptcha&quot;);
            var match1 = Regex.Match(con, @&quot;(?&lt;=( &lt;label for=&quot;&quot;captcha1&quot;&quot;&gt;)).*(?=( 的结果是？&lt;/label&gt;))&quot;);
            var match2 = Regex.Match(con, @&quot;(?&lt;=( &lt;label for=&quot;&quot;captcha2&quot;&quot;&gt;)).*(?=( 的结果是？&lt;/label&gt;))&quot;);
            var match3 = Regex.Match(con, @&quot;(?&lt;=( &lt;label for=&quot;&quot;captcha3&quot;&quot;&gt;)).*(?=( 的结果是？&lt;/label&gt;))&quot;);
            string num1, num2, num3, num4, num5, num6;
            num1 = match1.Value.Split(&quot;+&quot;)[0];
            num2 = match1.Value.Split(&quot;+&quot;)[1];
            num3 = match2.Value.Split(&quot;+&quot;)[0];
            num4 = match2.Value.Split(&quot;+&quot;)[1];
            num5 = match3.Value.Split(&quot;+&quot;)[0];
            num6 = match3.Value.Split(&quot;+&quot;)[1];
            Console.WriteLine(PostHttp(&quot;http://202.38.93.111:10047/xcaptcha&quot;,
                $&quot;captcha1={BigInteger.Parse(num1) + BigInteger.Parse(num2)}&amp;captcha2={BigInteger.Parse(num3) + BigInteger.Parse(num4)}&amp;captcha3={BigInteger.Parse(num5) + BigInteger.Parse(num6)}&quot;));
        }

public static string GetHttp(string url)
        {
            HttpWebRequest request = (HttpWebRequest) WebRequest.Create(url);
            request.Method = &quot;GET&quot;;
            request.ContentType = &quot;text/html; charset=UTF-8&quot;;
            request.Headers.Add(&quot;Cookie&quot;,
                &quot;DOKU_PREFS=list#rows#sort#name; session=.eJwVUMlOQlEM_Ze3fomdBxIXjAaeQkwkuFVAERRlUEiM_-5l0UV7eob2tzouz8eqVaGZAycoJSaFOmudiOgSxEnCaoJBEGASQBGWyEqeUVsIOKNbEjMHm6ISuCF4hCgpMCDWKeFg7KSFV7RUkpQQ1dQJIAiNhWtCAHQPJODwIh3JnGacWeYlH1qAa01paCmFqiAeZYNQSrGrkCIVZwvlOkAA1b0ku8CRfrktUVNY_CJ_Marq6vi5WW7LJ0qrrbv-fXfYhdVksu-s50t88nOzHTSLKc5uD_PhwTk-9DmaMXzvbmD30H5rb86jEze9_SI63psNBuNpu1ntOuv-y9do-_izf7866XQ1X2_Pr9fX1d8_HZBbKQ.Y1z_TA.Fhw3bYP9PAmTMnAvS2sTAg0ut3E&quot;);
            HttpWebResponse response = (HttpWebResponse) request.GetResponse();
            Session = response.Headers.Get(name: &quot;set-cookie&quot;);
            Stream myResponseStream = response.GetResponseStream();
            StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding(&quot;utf-8&quot;));
            string retString = myStreamReader.ReadToEnd();
            myResponseStream.Close();
            myResponseStream.Close();
            return retString;
        }

public static string PostHttp(string url, string postData)
        {
            HttpWebRequest request = (HttpWebRequest) WebRequest.Create(url);
            var data = Encoding.ASCII.GetBytes(postData);
            request.Method = &quot;POST&quot;;
            request.ContentType = &quot;application/x-www-form-urlencoded&quot;;
            request.ContentLength = data.Length;
            request.Headers.Add(&quot;Cookie&quot;, Session);
            using (var stream = request.GetRequestStream())
            {
                stream.Write(data, 0, data.Length);
            }

var response = (HttpWebResponse) request.GetResponse();
 Stream myResponseStream = response.GetResponseStream();
 StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding(&quot;utf-8&quot;));
 string retString = myStreamReader.ReadToEnd();
 myResponseStream.Close();
 myResponseStream.Close();
 return retString;
 }
 }
}</code></pre><img src="http://blog.siscon.top/usr/uploads/2022/10/3465610245.png" alt="image.png" title="image.png" style="">即可得到flag：<code>flag{head1E55_br0w5er_and_ReQuEsTs_areallyour_FR1ENd_45339267b3}</code><h3>旅行照片2.0</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/4126348878.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/2990872115.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/2860477464.jpg" alt="travel-photo" title="travel-photo" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/1879517977.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/2925813024.png" alt="image.png" title="image.png" style=""><h4>第一问</h4>上传至exif信息网站即可获得<img src="http://blog.siscon.top/usr/uploads/2022/11/562254955.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/1286162828.png" alt="image.png" title="image.png" style="">即可获得答案：<img src="http://blog.siscon.top/usr/uploads/2022/11/2706090631.png" alt="image.png" title="image.png" style=""><h4>第二问</h4>通过分析照片上远处建筑物牌子上的字即可发现信息<img src="http://blog.siscon.top/usr/uploads/2022/11/256631648.png" alt="image.png" title="image.png" style="">看出来是<code>ZOZOXXXXXXX Staduim</code> 谷歌得到是<code>zozo marine stadium</code> 题目上说是拍照人所在地点的邮政编码 <del>（并非体育馆邮政编码）</del> <img src="http://blog.siscon.top/usr/uploads/2022/11/1106536565.png" alt="image.png" title="image.png" style=""> 得到附近酒店邮编为2610021 <del>（体育馆邮编是2610020）</del>通过上一题juice sm6115＋xiaomi可搜到是红米Note9，闪光灯位置也可以通过反光看出来很吻合。 所以答案为<code>2340x1080</code>难点在于航班，首先看到是下午六点二十三分左右拍摄得到，是日本东京时间，所以搜索flightaware在时间点附近的航班逐一排除即可。根据飞机飞向可得是东北方向，所有离港航班均会经过此处，进港航班全部排除掉，所以暴力搜索可得<img src="http://blog.siscon.top/usr/uploads/2022/11/740507792.png" alt="image.png" title="image.png" style="">即可得到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/1280484382.png" alt="image.png" title="image.png" style=""><h3>Latex机器人</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/4158412681.png" alt="image.png" title="image.png" style="">谷歌Latex inject得到<img src="http://blog.siscon.top/usr/uploads/2022/11/3786809500.png" alt="image.png" title="image.png" style="">所以得到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/4292659139.png" alt="image.png" title="image.png" style="">第二问不会，当时想着是要执行shell的<pre><code>\immediate\write18{}</code></pre>结果试了好久也没尝试出来。<h3>Flag的痕迹</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/2501368420.png" alt="image.png" title="image.png" style="">这一题是随便尝试出来的，首先尝试了<code>?rev=1666291980</code> 因为发现规律是rev的赋值是修改的时间戳，结果发现<img src="http://blog.siscon.top/usr/uploads/2022/11/2777693091.png" alt="image.png" title="image.png" style="">然后又尝试了<img src="http://blog.siscon.top/usr/uploads/2022/11/433231131.png" alt="image.png" title="image.png" style="">发现revision相关的功能都寄了走投无路之下，尝试了<code>http://202.38.93.111:15004/doku.php?id=start&amp;rev=1666292040&amp;do=diff</code>diff功能是比对两次文件的修改<img src="http://blog.siscon.top/usr/uploads/2022/11/527970507.png" alt="image.png" title="image.png" style="">拿到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/2298279391.png" alt="image.png" title="image.png" style=""><h3>线路板</h3><a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/11/140817484.zip" target="_blank">下载zip</a><img src="http://blog.siscon.top/usr/uploads/2022/11/949151096.png" alt="image.png" title="image.png" style="">用kicad打开<code>ebaz_sdr-F_Cu.gbr</code>，打开显示边界可以看出来flag<img src="http://blog.siscon.top/usr/uploads/2022/11/3606363598.png" alt="请输入图片描述" title="请输入图片描述" style=""><h3>Flag自动机</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/3974522267.png" alt="image.png" title="image.png" style=""><a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/11/1169476291.zip" target="_blank">下载zip</a><img src="http://blog.siscon.top/usr/uploads/2022/11/3355314476.png" alt="image.png" title="image.png" style="">个人认为是这场比赛最满意的一题，因为是人生中第一次做出binary。打开软件，发现点不到狠心读取。用ida打开 经过分析可得exit函数引用如下 <img src="http://blog.siscon.top/usr/uploads/2022/11/716526983.png" alt="请输入图片描述" title="请输入图片描述" style="">分析主要函数在sub_401510<img src="http://blog.siscon.top/usr/uploads/2022/11/454856463.png" alt="image.png" title="image.png" style="">考虑动态调试干掉前面判断 用x32附加进程<img src="http://blog.siscon.top/usr/uploads/2022/11/2235893450.png" alt="image.png" title="image.png" style="">把401840之前的函数全部nop掉，让他进入执行即可得到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/2082983270.png" alt="image.png" title="image.png" style=""><h3>杯窗鹅影</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/2920822173.png" alt="image.png" title="image.png" style=""><h4>第一问</h4>很简单，写个读取文件的c就好了<pre><code>#include &lt;stdio.h&gt;

int main(void)
{
 int ch;
 FILE *fp;
 fp = fopen(&quot;/flag1&quot;, &quot;r&quot;);
 while ((ch = fgetc(fp)) != EOF)
 {
 putchar(ch);
 }
 return 0;
}</code></pre>得到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/1472327891.png" alt="image.png" title="image.png" style=""><h4>第二问(NOT SOLVED)</h4>当时考虑的是使用win32api的CreatProcess函数创建/readflag进程，结果不知道为什么在服务器端一直都无法调起进程，导致这问完全不会了）思路就这么僵死了<h3>惜字如金</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/1403727726.png" alt="image.png" title="image.png" style=""><h4>第一问</h4>HS384脚本如下<pre><code>#!/usr/bin/python3

# Th siz of th fil may reduc after XZRJification

from bas64 import urlsaf_b64encod
from hashlib import sha384
from hmac import digest
from sys import argv

def check_equals(left, right):
    # check whether left == right or not
    if left != right: exit(0x01)

def sign(fil: str):
    with open(fil, &#039;rb&#039;) as f:
        # import secret
        secret = b&#039;ustc.edu.cn&#039;
        check_equals(len(secret), 39)
        # check secret hash
        secret_sha384 = &#039;ec18f9dbc4aba825c7d4f9c726db1cb0d0babf47f&#039; +\
                        &#039;a170f33d53bc62074271866a4e4d1325dc27f644fdad&#039;
        check_equals(sha384(secret).hexdigest(), secret_sha384)
        # generat th signatur
        return digest(secret, f.read(), sha384)

if __nam__ == &#039;__main__&#039;:
 try:
 # check som obvious things
 check_equals(&#039;creat&#039;, &#039;cr&#039; + &#039;at&#039;)
 check_equals(&#039;referer&#039;, &#039;refer&#039; + &#039;rer&#039;)
 # generat th signatur
 check_equals(len(argv), 2)
 sign_b64 = urlsaf_b64encod(sign(argv[1]))
 print(&#039;HS384 sign:&#039;, sign_b64.decod(&#039;utf-8&#039;))
 except (SystemExit, Exception):
 print(&#039;Usag&#039; + &#039;e: HS384.py &lt;fil&#039; + &#039;e&gt;&#039;)</code></pre>可以看出来这是一份被惜字如金过的脚本，观察secret应该是有39位的，且有供验证secret具体值的sha384，所以分析secret被惜字如金前的排列组合首先分为两类：一类是辅音字母消除，一类是元音字母消除 元音字母分为两种：一类是原先就没有e的，另一种是e跟在c后面的，也就是<code>ustce.edu.cn</code>,一类是e在n后面的，也就是<code>ustc.edu.cne</code>，最后一种是包含两种状态<code>ustce.edu.cne</code>。辅音字母包含s,t,c,d,c,n重复的状态，也就是有可能为<code>ussstttttcc.eduuuu.cccccccccn</code>这种组合，也就是说，可以循环遍历每一位上所有组合并叠加，符合总位数为39位，进行sha384和脚本中的验证值中的一串数字作为比较即可（选择数字是因为数字不会被惜字如金）。以下是寻找secret值的脚本<pre><code>// us |a| t |b| c |c|.ed |d| u.c |e| n |f|
//39
// ustc.edu.cn

using System.Security.Cryptography;
using System.Text;
using Utils.Encrypt;

namespace ConsoleApp1;

public static class Program
{
    public static void Main()
    {
        string sa = &quot;us&quot;;
        string sb = &quot;t&quot;;
        string sc = &quot;c&quot;;
        string sd = &quot;.ed&quot;;
        string se = &quot;u.c&quot;;
        string sf = &quot;n&quot;;
        string result = &quot;&quot;;
        //no e
        {
            for (int a = 0; a &lt;= 28; a++)//s
            {
                for (int b = 0; b &lt;= 28; b++)//t
                {
                    for (int c = 0; c &lt;= 28; c++)//c
                    {
                        for (int d = 0; d &lt;= 28; d++)//d
                        {
                            for (int e = 0; e &lt;= 28; e++)//c
                            {
                                for (int f = 0; f &lt;= 28; f++)//n
                                {
                                    if (a + b + c + d + e + f == 28)
                                    {
                                        result += sa;
                                        for (int i = 0; i &lt; a; i++)
                                        {
                                            result += &quot;s&quot;;
                                        }
                                        result += sb;
                                        for (int i = 0; i &lt; b; i++)
                                        {
                                            result += &quot;t&quot;;
                                        }
                                        result += sc;
                                        for (int i = 0; i &lt; c; i++)
                                        {
                                            result += &quot;c&quot;;
                                        }
                                        result += sd;
                                        for (int i = 0; i &lt; d; i++)
                                        {
                                            result += &quot;d&quot;;
                                        }
                                        result += se;
                                        for (int i = 0; i &lt; e; i++)
                                        {
                                            result += &quot;c&quot;;
                                        }
                                        result += sf;
                                        for (int i = 0; i &lt; f; i++)
                                        {
                                            result += &quot;n&quot;;
                                        }
                                        if (Hash.SHA384(result).Contains(&quot;62074271866&quot;))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = &quot;&quot;;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = &quot;us&quot;;
        sb = &quot;t&quot;;
        sc = &quot;c&quot;;
        sd = &quot;e.ed&quot;;
        se = &quot;u.c&quot;;
        sf = &quot;n&quot;;
        result = &quot;&quot;;
        
        //ustce.edu.cn
        //e after c
        {
            for (int a = 0; a &lt;= 27; a++)
            {
                for (int b = 0; b &lt;= 27; b++)
                {
                    for (int c = 0; c &lt;= 27; c++)
                    {
                        for (int d = 0; d &lt;= 27; d++)
                        {
                            for (int e = 0; e &lt;= 27; e++)
                            {
                                for (int f = 0; f &lt;= 27; f++)
                                {
                                    if (a + b + c + d + e + f == 27)
                                    {
                                        result += sa;
                                        for (int i = 0; i &lt; a; i++)
                                        {
                                            result += &quot;s&quot;;
                                        }

result += sb;
                                        for (int i = 0; i &lt; b; i++)
                                        {
                                            result += &quot;t&quot;;
                                        }

result += sc;
                                        for (int i = 0; i &lt; c; i++)
                                        {
                                            result += &quot;c&quot;;
                                        }

result += sd;
                                        for (int i = 0; i &lt; d; i++)
                                        {
                                            result += &quot;d&quot;;
                                        }

result += se;
                                        for (int i = 0; i &lt; e; i++)
                                        {
                                            result += &quot;c&quot;;
                                        }

result += sf;
                                        for (int i = 0; i &lt; f; i++)
                                        {
                                            result += &quot;n&quot;;
                                        }

if (Hash.SHA384(result).Contains(&quot;62074271866&quot;))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = &quot;&quot;;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = &quot;us&quot;;
        sb = &quot;t&quot;;
        sc = &quot;c&quot;;
        sd = &quot;.ed&quot;;
        se = &quot;u.c&quot;;
        sf = &quot;n&quot;;
        result = &quot;&quot;;
        
        //ustc.edu.cne
        //e after n
        {
            for (int a = 0; a &lt;= 27; a++)
            {
                for (int b = 0; b &lt;= 27; b++)
                {
                    for (int c = 0; c &lt;= 27; c++)
                    {
                        for (int d = 0; d &lt;= 27; d++)
                        {
                            for (int e = 0; e &lt;= 27; e++)
                            {
                                for (int f = 0; f &lt;= 27; f++)
                                {
                                    if (a + b + c + d + e + f == 27)
                                    {
                                        result += sa;
                                        for (int i = 0; i &lt; a; i++)
                                        {
                                            result += &quot;s&quot;;
                                        }

result += &quot;e&quot;;
                                        if (Hash.SHA384(result).Contains(&quot;62074271866&quot;))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = &quot;&quot;;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        sa = &quot;us&quot;;
        sb = &quot;t&quot;;
        sc = &quot;c&quot;;
        sd = &quot;e.ed&quot;;
        se = &quot;u.c&quot;;
        sf = &quot;n&quot;;
        result = &quot;&quot;;
        //ustce.edu.cne
        //e after c and n
        {
            for (int a = 0; a &lt;= 26; a++)
            {
                for (int b = 0; b &lt;= 26; b++)
                {
                    for (int c = 0; c &lt;= 26; c++)
                    {
                        for (int d = 0; d &lt;= 26; d++)
                        {
                            for (int e = 0; e &lt;= 26; e++)
                            {
                                for (int f = 0; f &lt;= 26; f++)
                                {
                                    if (a + b + c + d + e + f == 26)
                                    {
                                        result += sa;
                                        for (int i = 0; i &lt; a; i++)
                                        {
                                            result += &quot;s&quot;;
                                        }

result += &quot;e&quot;;
                                        if (SHA384Encrypt(result).Contains(&quot;a825c&quot;))
                                        {
                                            Console.WriteLine(result);
                                        }
                                        result = &quot;&quot;;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    
    /// &lt;summary&gt;
    /// SHA384加密，不可逆转
    /// &lt;/summary&gt;
    /// &lt;param name=&quot;str&quot;&gt;string str:被加密的字符串&lt;/param&gt;
    /// &lt;returns&gt;返回加密后的字符串&lt;/returns&gt;
    public static string SHA384Encrypt(string str)
    {
        SHA384 sha384 = SHA384CryptoServiceProvider.Create();
        return Convert.ToBase64String(sha384.ComputeHash(Encoding.Default.GetBytes(str)));
    }

public static void Run()
 {
 
 }
}</code></pre>是的，极其暴力的搜索，最终得到答案：<code>usssttttttce.edddddu.ccccccnnnnnnnnnnnn</code> 有了secret即可拿到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/1845378065.png" alt="image.png" title="image.png" style=""><h4>第二问(NOT SOLVED)</h4>不会）））<h3>光与影</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/2035470504.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/2353248703.png" alt="image.png" title="image.png" style="">打开之后分析render-main.js 发现主要调用的是fragment-shader.js的文件 打开文件发现是shader相关内容定位分析到这个函数最可疑 <img src="http://blog.siscon.top/usr/uploads/2022/11/4010053943.png" alt="image.png" title="image.png" style="">经过写unity的经验，trans代表transform，pTO变量后面还有scale字样，猜测pTO可能是flag有关的参数。 修改scale的值发现flag被拉伸<img src="http://blog.siscon.top/usr/uploads/2022/11/2867829886.png" alt="image.png" title="image.png" style="">调整trans的值发现flag有位移修改如下，即可使flag偏移出来<img src="http://blog.siscon.top/usr/uploads/2022/11/2393466968.png" alt="image.png" title="image.png" style="">得到flag<img src="http://blog.siscon.top/usr/uploads/2022/11/2395757112.png" alt="image.png" title="image.png" style=""><h3>片上系统</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/1735810575.png" alt="image.png" title="image.png" style=""><a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/11/2708194796.zip" target="_blank">下载题目附件</a><h4>第一问</h4>朋友介绍了SDCARD_SPI模式的原理和信号特征，打开pulseview，打开文件并调整为SD Card(SPI Mode) 调整信道对应如下<img src="http://blog.siscon.top/usr/uploads/2022/11/3247650356.png" alt="image.png" title="image.png" style="">得到扇区信号如下<img src="http://blog.siscon.top/usr/uploads/2022/11/1442777713.png" alt="image.png" title="image.png" style=""><code>FF FF FF FF FF FF 01 FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FE 37 01 10 20 13 01 C1 FF EF 00 00 01 37 15 00 20 67 00 05 00 6F 00 40 00 B7 07 00 20 83 A8 87 0B B7 07 00 20 83 A5 47 0A B7 07 00 20 03 AF 47 0B B7 07 00 20 83 AE 07 0B B7 07 00 20 03 A8 C7 09 13 05 10 00 13 86 08 20 13 0E 10 00 13 03 70 00 83 A7 05 00 E3 8E 07 FE 23 20 AF 00 23 A0 CE 01 83 A7 05 00 E3 8E 07 FE 93 87 08 00 13 07 08 00 83 A6 07 00 13 07 47 00 93 87 47 00 23 2E D7 FE E3 98 C7 FE 13 05 15 00 13 08 08 20 E3 12 65 FC B7 12 00 20 67 80 02 00 67 80 00 00 00 10 00 20 14 20 00 96 10 20 00 96 00 20 00 96 08 10 00 96 04 10 00 96 00 10 00 96 00 00 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 6C 61 67 7B 30 4B 5F 79 6F 75 5F 67 6F 54 5F 74 68 33 5F 62 34 73 49 63 5F 31 64 45 34 5F 63 61 52 52 79 5F 30 4E 7D B0 E5 FF</code>使用十六进制转文本即可查看到末尾flag<img src="http://blog.siscon.top/usr/uploads/2022/11/2379991114.png" alt="image.png" title="image.png" style=""><h4>第二问(NOT SOLVED)</h4>依旧不会）<h3>企鹅拼盘</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/1000673758.png" alt="image.png" title="image.png" style=""><a class="no-external-link" href="http://blog.siscon.top/usr/uploads/2022/11/998276512.zip" target="_blank">题目附件下载</a><h4>第一问</h4>暴力尝试得出）<img src="http://blog.siscon.top/usr/uploads/2022/11/1061253229.png" alt="image.png" title="image.png" style=""><img src="http://blog.siscon.top/usr/uploads/2022/11/4034805529.png" alt="image.png" title="image.png" style=""><h4>第二问第三问(NOT SOLVED)</h4>不会）<h3>火眼金睛的小 E</h3><img src="http://blog.siscon.top/usr/uploads/2022/11/2774195720.png" alt="image.png" title="image.png" style=""><h4>第一问</h4><img src="http://blog.siscon.top/usr/uploads/2022/11/1465860844.png" alt="image.png" title="image.png" style="">下载两个binary文件bindiff分析，软件使用不再展开详细讲解<img src="http://blog.siscon.top/usr/uploads/2022/11/3021834729.png" alt="image.png" title="image.png" style="">ps：如果有找不到的match函数需要在unmatched列表里找大致相同的<img src="http://blog.siscon.top/usr/uploads/2022/11/1673681142.png" alt="image.png" title="image.png" style=""><h4>第二问第三问(NOT SOLVED)</h4>依旧不会）<h3>后记</h3>今年会做的题目也就只有这些了）有些题目是有思路的，但是碍于自身知识欠缺，并没有解出，直到看官方题解才恍然大悟，哦~ 原来是这样的。那么今年就到这里了，我们明年HackerGame再见w~

友情链接

前言

签到

猫咪问答喵

家目录里的秘密

HeiLang

Xcaptcha

旅行照片2.0

第一问

第二问

Latex机器人

Flag的痕迹

线路板

Flag自动机

杯窗鹅影

第一问

第二问(NOT SOLVED)

惜字如金

第一问

第二问(NOT SOLVED)

光与影

片上系统

第一问

第二问(NOT SOLVED)

企鹅拼盘

第一问

第二问第三问(NOT SOLVED)

火眼金睛的小 E

第一问

第二问第三问(NOT SOLVED)

后记

2 条评论

发表评论 取消回复 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

USTC HackerGame 2022 Writeup

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款