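4-25 Writeup Roundup
AliyunCTF 2024 - Palu Emotion Management (帕鲁情绪管理)
After connecting with nc and passing the proof of work, the interaction looks like this: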
sha256(("zqonds929lsi1d19ayrm6xdxogid" + "????").encode()) = 447dedc4395aae3f6344689b6fdeadc71d7759c3d9b5071ce318267ed587ce97
Please input the answer:
Do you want to training? (y/n) y
sentiment: neutral, text: @united can you please follow for a DM?
sentiment: neutral, text: @JetBlue what's good with a Miami terminal?
sentiment: neutral, text: @USAirways Is $99 companion ticket benefit of Premier World MasterCard still limited to USAirways flights or do AA now qualify as well?
sentiment: neutral, text: @united sorry, wrong link for the bag : http://t.co/pZAl4wtrEZ Thats the one i meant
sentiment: neutral, text: @united Hi, I am flying domestic first from SEA to HNL. Can I pay to use the lounge before I fly or this is just for international? Thanks
sentiment: neutral, text: @united - it is possible to make a ticket change via Twitter? Traveling internationally and can't make calls... Thanks in advance!
sentiment: neutral, text: @united can I get your service desk # at IAD?
sentiment: neutral, text: @SouthwestAir fortunately didn't have to. The flight took off on time.
sentiment: neutral, text: @virginamerica spruce moose!
sentiment: neutral, text: “@JetBlue: Our fleet's on fleek. http://t.co/FVYzjLDTON” 🚶🚶🚶🚶
sentiment: positive, text: @SouthwestAir flt 3867 crew #OrangeCounty to #Denver is The #BEST! Weather delay but pilots just invited the kids to see the cockpit! #luv
sentiment: positive, text: @SouthwestAir beautiful view flying into San Jose, CA this evening http://t.co/SxVaGbRTlI
sentiment: positive, text: @AmericanAir thank you we got on a different flight to Chicago.
sentiment: positive, text: @JetBlue of course !!!!
sentiment: positive, text: .@USAirways thanks!
sentiment: positive, text: @SouthwestAir filing it now. Thank you for your response.
sentiment: positive, text: @SouthwestAir thank you!!!
sentiment: positive, text: @SouthwestAir thank you :-)
sentiment: positive, text: @JetBlue We had 2 great flights into and out of the Bahamas, even during the bad weather in the northeast, thanks for the great service!!!
sentiment: positive, text: @united thank you for the help!!
sentiment: negative, text: @USAirways chose you for a flight with very time sensitive arrival And you drop the ball. What gives? CLT #667 good way to lose my business
sentiment: negative, text: @SouthwestAir I need to reschedule a flight and I've been on hold for almost an hour. This is ridiculous. Is there a best number to call?
sentiment: negative, text: @united thnx for quick reply but don't think you can assist. Our intl grp will be put to considerable inconvenience today.
sentiment: negative, text: @united do you teach your gate agents 2 lie? Or do they just learn on their own? There was overhead space for my bag, didn't have to check
sentiment: negative, text: @AmericanAir FYI...call stilling getting dropped. After an hour of continuous dialing. Attempted to Cancelled Flight online but not able to. HELP!!!
sentiment: negative, text: @united its 2015. How can my flight from a major city already be Cancelled Flightled 24 hours before departure due to weather?? Backup planes??
sentiment: negative, text: @AmericanAir Oh that seems to have undone the seat selections in MCE. We only wanted the CX card on there to select the free seats
sentiment: negative, text: @AmericanAir tried ringing but told me to try again Late Flightr. I'm supposed to be leaving in an hour...
sentiment: negative, text: @united 2 hour flight from FLL to Ewr, 1242, now waiting 1 hour plus for bags, no sign yet. What gives????
sentiment: negative, text: @SouthwestAir What's happened to your customer service? 2 Cancelled Flightled flights in 2 days & an uninformed and unapologetic staff. #nolove #cali
sentiment: negative, text: @AmericanAir thanks! I hope we get movies. Tv's were broke on the flight over
sentiment: negative, text: @united - with airport self checkin your only option I'm now your employee. Training was a bitch. Send my paycheck asap.
sentiment: negative, text: @AmericanAir lost my wife's luggage and nobody gives you and answer, all they say is go here or call there.
sentiment: negative, text: @usairways is your clt departures delayed? Hoping I can make my connection after a lengthy take off delay and endless taxi-ing here at clt
sentiment: negative, text: @JetBlue do you REALLY think it's okay to sit kids away from parents?! Srsly?! Esp after your landing gear failure?? http://t.co/x6SYW3MDVu
sentiment: negative, text: @AmericanAir This entire process took sooooo long that no decent seats are left. #customerservice
sentiment: negative, text: @AmericanAir will not let me reuse my ticket. Thus I have booked my vacation with Delta! Never flying on American again......
sentiment: negative, text: @JetBlue thanks for making me miss an important dinner tonight. 2 hr delay and now 20 min on Tarmac... #worst
sentiment: negative, text: @AmericanAir Now your site is not working! WTF
sentiment: negative, text: @USAirways No I was there 12 hrs early! Send me an email to share my experience You don't want this blasting here.
Now, Do you want to start challenge? (y/n)
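The initial idea was to classify with BERT. Later, crazyman's testing showed that each session hands out a different training set, and with that much data it turned out to come from a public dataset:
Attitudes toward major US airlines on Twitter (Kaggle dataset): a sentiment analysis task about problems with the major US airlines. The dataset was scraped from tweets posted in February 2015; contributors classified them as positive, negative, or neutral, and for tweets classified as negative a reason is also given (for example "late flight" or "rude service"). (2.5MB)
So no model is needed for prediction; just read the label straight from the dataset.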
import hashlib
import string
from pwn import *
# from transformers import pipeline  # only needed for the commented-out classifier
import pandas as pd

def sha256_brute(cipher, h):
    # Brute-force the 4-character suffix of the proof of work
    table = string.ascii_letters + string.digits
    for a in table:
        for b in table:
            for c in table:
                for d in table:
                    input_string = cipher + a + b + c + d
                    sha256_hash = hashlib.sha256(input_string.encode()).hexdigest()
                    if str(sha256_hash) == h:
                        return a + b + c + d

if __name__ == "__main__":
    sh = remote('misc0.aliyunctf.com', 9999)
    context(log_level='debug')
    #classifier = pipeline("text-classification", model="distilbert/distilbert-base-uncased-finetuned-sst-2-english")
    df = pd.read_csv('Tweets.csv', header=None)
    s = sh.recvline()
    c = s[9:28+9].decode()    # known 28-character prefix
    h = s[61:61+64].decode()  # target SHA-256 hex digest
    ans = sha256_brute(c, h)
    sh.sendlineafter(b'Please input the answer: ', ans.encode())
    sh.sendlineafter(b'Do you want to training? (y/n) ', b'n')
    sh.sendlineafter(b'Now, Do you want to start challenge? (y/n) ', b'y')
    for i in range(15):
        q = sh.recvline()
        #ans = classifier(str(q[20:]))
        data = q[19:].decode().replace('\n', '')
        filtered_df = df[df[10] == data]  # column 10 holds the tweet text
        print(filtered_df)
        # column 1 holds the sentiment label
        sh.sendlineafter(b'Please input the answer: ', filtered_df[1].item().encode())
    sh.recvall()
UMassCTF 2024 - Stop the voices
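The idea behind this challenge is really good (much better than some of the domestic training challenges).
The challenge code is as follows: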
from PIL import Image
import numpy as np

img = Image.open('FLAG.png').convert('L')
arr = np.asanyarray(img)

def normalize(mat):
    return (mat - mat.min()) / (mat.max() - mat.min()) * 255

for i in range(400):
    noise = np.random.normal(arr, 200)
    noise = normalize(noise)
    noise = noise.astype(np.uint8)
    im = Image.fromarray(noise)
    im.save(f"./samples/{i}.png")
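The challenge first converts the image into a 2D array, then repeats two steps: 1) draw the array from a normal distribution, 2) normalize the array.
About the normal distribution
The line noise = np.random.normal(arr, 200) takes the supplied array arr as the mean, generates an array of normally distributed random noise with a standard deviation of 200, and assigns that array to the variable noise.
Each pixel's value is thus redrawn from a normal distribution with a standard deviation of 200. After repeating this 400 times, we assume that with a large sample the frequency approaches the probability, so the sample mean of each pixel approaches its original value.
The following experiment shows this intuitively: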
>>> import numpy as np
>>> a = np.array([[55]])
>>> l = []
>>> for i in range(400):
...     l.append(np.random.normal(a,200)[0][0])
...
>>> np.mean(l)
55.36077467515244
About normalization
The following experiment shows that it merely enhances the contrast of the image:
from PIL import Image
import numpy as np

img = Image.open('Cain.png').convert('L')
arr = np.asanyarray(img)

def normalize(mat):
    return (mat - mat.min()) / (mat.max() - mat.min()) * 255

noise = normalize(arr)
noise = noise.astype(np.uint8)
im = Image.fromarray(noise)
im.show()

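In this challenge, normalization just rescales values that are too large or too small into the (0,1) interval (before the multiplication by 255). Some data is lost as a result, but it does not actually matter.
Finally
So we only need to stack the 400 images and take the mean of every pixel; the pixels still follow a normal distribution, and after that adjusting the levels in Photoshop is enough.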

This gives the flag:
UMASS{#id31n9_L1k3_@_c#Am3_le0n}
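The averaging step described above, as an added example that is not part of the original writeup. It reproduces the challenge's noise-and-normalize pipeline on a constructed 5x12 two-tone image, using the standard library's random.gauss in place of numpy, and replaces the Photoshop levels adjustment with a min-max stretch plus a mid-grey threshold; all function names and the test image are assumptions.

```python
import random

# Constructed stand-in for FLAG.png: '#' = 255 (white), '.' = 0 (black).
SECRET = ["#..#.###.#..",
          "#..#.#...#..",
          "####.###.#..",
          "#..#.#...#..",
          "#..#.###.###"]

def to_pixels(rows):
    return [[255 if ch == "#" else 0 for ch in row] for row in rows]

def noisy_sample(img, rng, sigma=200):
    """Same steps as the challenge: N(pixel, sigma), min-max normalize, cast to 0..255 ints."""
    noise = [[rng.gauss(p, sigma) for p in row] for row in img]
    lo, hi = min(map(min, noise)), max(map(max, noise))
    return [[int((v - lo) / (hi - lo) * 255) for v in row] for row in noise]

def average(samples):
    """Stack the samples and take the per-pixel mean."""
    n, h, w = len(samples), len(samples[0]), len(samples[0][0])
    return [[sum(s[y][x] for s in samples) / n for x in range(w)] for y in range(h)]

def stretch(img):
    """Levels adjustment: min-max stretch back to the full 0..255 range."""
    lo, hi = min(map(min, img)), max(map(max, img))
    return [[(v - lo) / (hi - lo) * 255 for v in row] for row in img]

def recover(samples):
    """Average, stretch, then threshold at mid-grey to get a clean two-tone image."""
    return [[255 if v >= 128 else 0 for v in row] for row in stretch(average(samples))]

def demo(n_samples=400, seed=2024):
    rng = random.Random(seed)
    img = to_pixels(SECRET)
    samples = [noisy_sample(img, rng) for _ in range(n_samples)]
    return img, samples, recover(samples)

if __name__ == "__main__":
    img, samples, rec = demo()
    for row in rec:
        print("".join("#" if v else "." for v in row))
```

Per-sample normalization only shifts and scales all pixels of one sample together, so it does not disturb the contrast between pixels once 400 samples are averaged; a single sample on its own is too noisy to threshold correctly.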
Grey Cat The Flag 2024 Qualifiers - All About Timing
Challenge code
import time
import random

random.seed(int(time.time()))

print("Guess the number I'm thinking of? It's all about the timing")
x = input("Your guess:")
n = random.randint(1000000000000000, 10000000000000000-1)

if int(x) == n:
    with open("flag.txt") as f:
        print(f.readline())
else:
    print(f"Wrong answer! The number I was thinking of was {n}\nRemember it's all about the timing!")
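A fixed seed means a fixed random number sequence. The idea is to take the timestamp the instant we connect; depending on the machine and the network it may be off by up to \(±x\), so we brute-force x to determine the seed and predict the pseudo-random number.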
from pwn import *
import time
import random

sh = remote("challs.nusgreyhats.org", 31111)
# Seed with the local timestamp; -1 is the offset x from the text above
random.seed(int(time.time())-1)
n = random.randint(1000000000000000, 10000000000000000-1)
print(n)
context.log_level = 'debug'
back1 = sh.recvuntil(b"Guess the number I'm thinking of? It's all about the timing\nYour guess:")
sh.sendline(str(n).encode('utf-8'))
flag = sh.recvall()
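Why a time-seeded PRNG offers no secrecy, as an added example that is not part of the original writeup: the number printed by the wrong-answer message identifies the seed inside a small ±x window, while a value drawn from the secrets module has no seed to search for. The function names and the sample timestamps are assumptions made for the demonstration.

```python
import random
import secrets

LOW, HIGH = 1000000000000000, 10000000000000000 - 1  # range used by the challenge

def number_for_seed(seed):
    """The value the challenge computes when int(time.time()) equals `seed`."""
    return random.Random(seed).randint(LOW, HIGH)

def recover_seed(leaked_n, local_ts, window):
    """Search the ±window seconds around our own clock reading for the seed
    that reproduces the number leaked by the wrong-answer message."""
    for x in range(window + 1):
        for cand in (local_ts - x, local_ts + x):
            if number_for_seed(cand) == leaked_n:
                return cand
    return None

def unpredictable_number():
    """Hardened variant: draw from the OS CSPRNG; there is no seed to enumerate."""
    return LOW + secrets.randbelow(HIGH - LOW + 1)

def demo():
    server_ts = 1713999999  # constructed: server clock at seeding time
    local_ts = 1714000001   # constructed: our clock, 2 seconds ahead
    leaked = number_for_seed(server_ts)
    return recover_seed(leaked, local_ts, window=5), server_ts

if __name__ == "__main__":
    found, expected = demo()
    print("recovered seed:", found, "matches:", found == expected)
    print("CSPRNG value  :", unpredictable_number())
```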
Grey Cat The Flag 2024 Qualifiers - Poly Playground
Challenge prompt
Welcome to the Polynomial Playground, where you'll embark on an exhilarating journey of polynomial creation! Get ready to flex your mathematical muscles as you craft intricate equations from a given set of roots. Are you up for the challenge?
In this mind-bending adventure, your task is to construct polynomials using a set of provided roots. Armed with your mathematical prowess and creativity, you'll delve into the world of polynomial composition and unlock the secrets of equation crafting.
From simple quadratics to complex higher-degree polynomials, each level presents a new set of roots waiting to be transformed into an elegant equation. But don't be fooled by the simplicity of the task; as you progress, the challenge will intensify, requiring you to employ strategic thinking and mathematical precision.
How to Play:
1. You'll be given a set of `n` roots for each level.
2. Utilize your mathematical knowledge to construct a polynomial equation that has the provided roots. You can assume that repeated roots will be given as repeats.
3. Channel your creativity and problem-solving skills to craft elegant and efficient equations.
4. Submit your polynomial creations as a comma-separted list of `n+1` coefficients starting with the highest order (which should always be 1).
Are you ready to unleash your inner mathematician and become a master polynomial architect? Prepare to explore the depths of equation construction, unlock the beauty of mathematical expression, and emerge victorious in the Polynomial Playground!
Here's your first problem...
Code provided by shenghuo2 (all hail the almighty Oyster King!)
from pwn import *
import ast

context.log_level = 'debug'
r = remote('challs.nusgreyhats.org',31113)

# Standard form of a polynomial: ax^2 + bx + c
def polynomial_from_roots(roots):
    # Start with the polynomial (x - roots[0])
    coef = [1, -roots[0]]
    # Extend the polynomial with each subsequent root
    for root in roots[1:]:
        # New coefficient list, initialized to 0
        new_coef = [0] * (len(coef) + 1)
        # Expand (x - root) * (current polynomial)
        for i in range(len(coef)):
            new_coef[i] += coef[i]  # x times the current coefficient
            new_coef[i+1] += -root * coef[i]  # -root times the current coefficient, added to the next slot
        coef = new_coef
    return str(coef).replace("[",'').replace("]",'')

# Compute the polynomial coefficients for each round
while True:
    r.recvuntil(b'Roots: ')
    # literal_eval instead of eval: this line comes from the remote server
    roots = ast.literal_eval(f"[{r.recvline().strip().decode()}]")
    print(roots)
    r.sendlineafter(b':',polynomial_from_roots(roots).encode())
r.interactive()
