This is my first time participating in such a CTF competition this year, I'm really bad at it, and I can't write many things awww
But I'm very happy to participate this time! I hope to continue playing next year aww
Check-in#
First, click to start, then it's obvious that changing false to true is enough.
Check-in again#
According to the question, first find the recruitment page of the CTF team at the University of Science and Technology of China.
After checking, it is https://www.nebuu.la/
Using ls -all, I found the second .flag, and using cat I got it.
Using env, I could get the first flag.
flag{0k_175_a_h1dd3n_s3c3rt_f14g___please_join_us_ustc_nebula_anD_two_maJor_requirements_aRe_shown_somewhere_else}
flag{actually_theres_another_flag_here_trY_to_f1nD_1t_y0urself___join_us_ustc_nebula}
Tip: If you use sudo -i, you will be taken to a certain anime page (((
Cat Q&A (Hackergame 10th Anniversary Edition)#
- Take the keyword Hackergame 2015, the night before, pre-competition lecture.
After digging a bit, I can get this page https://lug.ustc.edu.cn/wiki/sec/contest.html
- Check the event records at https://lug.ustc.edu.cn/wiki/lug/events/hackergame/
It can be found that there were 2682 people (2019 hg).
- The popular search term for Hackergame 2018 became the top search in the USTC library that month.
This idea actually came from digging into the hg 2018 writeup.
https://github.com/ustclug/hackergame2018-writeups/blob/master/misc/others.md
It was mentioned here (
- Keywords USENIX Security, academic conference, University of Science and Technology of China (USTC), email spoofing attack.
https://www.usenix.org/conference/usenixsecurity24/
After digging into the conference, I found this paper.
https://www.usenix.org/conference/usenixsecurity24/presentation/ma-jinrui
After reading through it, I found it was 336.
Tip: I realized after watching it a dozen times that it was directly written; I had been calculating 6*16 like that, what a pain.
- This is really too hot. png
https://github.com/torvalds/linux/commits/master/MAINTAINERS
Click into the Maintainer's commit record to find it.
https://github.com/torvalds/linux/commit/6e90b675cf942e50c70e8394dfb5862975c3b3b2
You can get commit 6e90b67.
- Large language models will break down the input into individual tokens and continue calculating. How many tokens will the HTML source code of this webpage be broken down into by Meta's Llama 3 70B model's tokenizer?
I had no good ideas, so I simply searched for Llama 3 70B Tokenizer.
https://huggingface.co/meta-llama/Meta-Llama-3-8B/discussions/116
Emm, I didn't want to run it, so I found this.
https://lunary.ai/llama3-tokenizer
After running it manually, I got 1835.
But after trying it, it was wrong, so I randomly tried between 1840-1820 and found 1833 (
flag{@_GOØD_CΛT_1$_the_CA7_Who_CΛn_pΛs5_7HE_QUI2}
flag{TEN_y34rs_OF_ha©keЯ9AM3_ØMede7Øu_w!7h_И3k0_qu!z}
The Box That Can't Be Opened#
I downloaded meshlab and viewed it with meshlab (
After finishing, I uninstalled meshlab, and I was too lazy to download it back to take a screenshot (
flag{Dr4W_Us!nG_fR3E_C4D!!w0W}
Too Many Daily Papers!#
Confused, then I processed it with an editor to remove xwx.
Comparing Big and Small Kings#
What a little monkey mental calculation for Hackergame 2024.
My method is quite simple:
fetch('/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({inputs}),
})
From the submission, I learned that it sends an array of inputs, which contains the characters > <.
Every time it opens, it requests the question from http://202.38.93.141:12122/game.
I wrote a Python script, and then within 10 seconds, I could submit([input]) in the console.
Why? Because I found that using Python directly would say the data was abnormal and wouldn't give the flag (
import json

# Load the question data saved to test.txt
with open("test.txt", "r", encoding="utf-8") as file:
    data = json.load(file)

values = list(data["values"])
answers = []
# Each entry is a pair of numbers; record which comparison sign fits
for pair in values:
    if pair[0] > pair[1]:
        answers.append('>')
    elif pair[0] < pair[1]:
        answers.append('<')
    else:
        print("Throw new err?")
print(answers)
PaoluGPT#
I don't know how I did it, but I did get it (
1' or contents like '%flag%'
Originally, I was going to inject this, but for some reason, it seems to miss the second one?
flag{zU1_xiA0_de_11m_Pa0lule!!!_73a5cee3f9}
flag{enJ0y_y0uR_Sq1_&_1_would_xiaZHOU_hUI_guo_657f7eaad1}
After thinking, I realized that the code I wrote before could also be injected like this (scary).
Travel Photos 4.0#
The annual search engine magic question (
- Question 1-2
For question 1, I was lazy and directly searched for the south gate of the north campus xxx several times, and then passed.
For question 2, just search on Bilibili, it's super fast x.
- Question 3-4
- It's obvious, the trash can has a label "Liang'an Garden".
Just search for those parks in Liang'an, I forgot which one specifically.
- Directly obtained through Google Lens.
https://m.ytszg.com/article/hubei/a10965.html
Three Gorges of the Yangtze River Tanzi Ridge Scenic Area.
- Using Baidu to search for images, I found this video on Bilibili.
After comparing, I finally concluded it was Jishuitan Hospital.
- The first result from Google Lens is this website.
https://www.china-emu.cn/Trains/Model/detail-26012-201-F.html
Solved x.
Narrow Wide Characters#
UTF 16 LE -> UTF 8
Read UTF16LE as UTF8.
Get Z:/TheFlag.
In the end, it's this => 㩚瑜敨汦条.
But we need to let it end, so we need to add a \0 to stop it.
After thinking about it, I hit a space and passed.
flag{wider_char_isnt_so_great_e2ed6a125e}
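The byte-level view of the confusion above, as an added example (not code from the challenge or the original post). The function names are hypothetical; `readWideAsNarrow` models a narrow-string reader that is handed UTF-16LE bytes and stops at the first zero byte.

```javascript
// Added example: why a wide string can be misread as a narrow path.
// Models a char*-style reader: consume bytes until the first 0x00.
function readWideAsNarrow(wide) {
  const bytes = Buffer.from(wide, "utf16le");
  const end = bytes.indexOf(0);
  if (end === -1) {
    // No zero byte inside the buffer: a real C reader would run past the end.
    return { text: bytes.toString("latin1"), terminated: false };
  }
  return { text: bytes.subarray(0, end).toString("latin1"), terminated: true };
}

// Inverse direction: which wide string carries a given narrow byte sequence?
function packNarrowIntoWide(narrow) {
  const bytes = Buffer.from(narrow, "latin1");
  if (bytes.length % 2 !== 0) {
    throw new RangeError("needs an even number of bytes to fill UTF-16 code units");
  }
  return bytes.toString("utf16le");
}

// The five characters from the post, rebuilt from their ASCII bytes.
const packed = packNarrowIntoWide("Z:\\theflag");
console.log(packed, readWideAsNarrow(packed));
// A trailing space is 0x20 0x00 in UTF-16LE, which supplies the terminator.
console.log(readWideAsNarrow(packed + " "));
// Ordinary ASCII text stored wide is cut after one byte by a narrow reader.
console.log(readWideAsNarrow("AB"));
```

The fix on the code side is to keep one string type end to end, or convert explicitly, instead of casting a wide buffer to a narrow one.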
Node.js is Web Scale#
// GET /api/store - Retrieve the current KV store
app.get("/api/store", (req, res) => {
  res.json(store);
});

// POST /set - Set a key-value pair in the store
app.post("/set", (req, res) => {
  const { key, value } = req.body;
  const keys = key.split(".");
  let current = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!current[key]) {
      current[key] = {};
    }
    current = current[key];
  }
  // Set the value at the last key
  current[keys[keys.length - 1]] = value;
  res.json({ message: "OK" });
});
Hmm?
__proto__.cmd cat /flag
Then let it read the flag directly.
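The `/set` loop above walks into `Object.prototype` when a key segment is `__proto__`. The added example below (not the challenge's code) lifts that loop into a plain function and puts a hardened variant beside it; the function names and the `pollutedDemo` property are constructed for illustration.

```javascript
// Added example: the page's /set traversal as a function, then a hardened form.
function setPathVulnerable(store, key, value) {
  const keys = key.split(".");
  let current = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!current[k]) current[k] = {};
    current = current[k]; // "__proto__" resolves to Object.prototype here
  }
  current[keys[keys.length - 1]] = value;
}

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function setPathHardened(store, key, value) {
  if (typeof key !== "string") throw new TypeError("key must be a string");
  const keys = key.split(".");
  if (keys.some((k) => FORBIDDEN.has(k))) throw new Error("forbidden key segment");
  let current = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(current, k);
    // Follow only own properties that are objects; never inherited ones.
    if (!own || typeof current[k] !== "object" || current[k] === null) {
      current[k] = Object.create(null);
    }
    current = current[k];
  }
  current[keys[keys.length - 1]] = value;
}

function demo() {
  const marker = "pollutedDemo"; // constructed property name
  setPathVulnerable({}, `__proto__.${marker}`, "x");
  const leaked = ({})[marker]; // an unrelated object now inherits the value
  delete Object.prototype[marker]; // clean up the shared prototype

  const safeStore = Object.create(null); // no prototype chain to walk into
  let rejected = false;
  try {
    setPathHardened(safeStore, `__proto__.${marker}`, "x");
  } catch {
    rejected = true;
  }
  setPathHardened(safeStore, "a.b", 1);
  return { leaked, rejected, after: ({})[marker], nested: safeStore.a.b };
}

console.log(demo());
```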
Words Are Precious 3.0#
I only managed to solve the first question awa>
It seems to be some kind of specification, with a strict 80 characters per line.
Then I wrote a thing to read each line's length and adjusted one by one.
The second question seems to utilize gzip compression because
Uploading files regardless of using LF or CRLF line endings, and whether or not a separate newline character is added at the end, has no effect on the matching result.
But I couldn't build it up x.
Secrets That Can't Be Obtained#
At first, I thought, directly
base64 secret > file.txt
Just 512 kb, that's nothing (
Then I thought, can I achieve extreme compression through qrss, first upload it.
After packing it into a 70kb single file and uploading it, I used it about four or five times to get it done.
The method of uploading used Pyautogui, the code is as follows.
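import time
import pyautogui

# Read the text that will be typed into the remote session
with open('hash.txt', 'r', encoding='utf-8') as file:
    content = file.read()

# Wait 10 seconds so the target window can be focused first
time.sleep(10)
pyautogui.typewrite(content, interval=0.0001)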
Not to Mention About Me Starting from Scratch Balbalabala#
Then I saw that it was a comparison thing, some kind of enhanced version of wordle, English majors were ecstatic
In the grand hall of Hackergame 2024, where the walls are lined with screens showing the latest exploits from the cyber world, contestants gathered in a frenzy, their eyes glued to the virtual exploits. The atmosphere was electric, with the smell of freshly brewed coffee mingling with the scent of burnt Ethernet cables. As the first challenge was announced, a team of hackers, dressed in lab coats and carrying laptops, sprinted to the nearest server room, their faces a mix of excitement and determination. The game was on, and the stakes were high, with the ultimate prize being a golden trophy and the bragging rights to say they were the best at cracking codes and hacking systems in the land of the rising sun.
This is the original text.
Finally#
I really had a lot of fun this time, even though I was terrible, I’ll come back to play again next year.
This article is synchronized and updated to xLog by Mix Space. The original link is https://lemonkoi.one/posts/tech/hackergame-2024-exp