Add Testla's writeup (USTC-Hackergame#67)

Author: Testla

README.md

@@ -103,6 +103,7 @@
 | [Simplxs](players/Simplxs/README.md) | 总排名第 51 名 | Hackergame 启动、猫咪小测、更深更暗、旅行照片 3.0、赛博井字棋、奶奶的睡前 flag 故事、组委会模拟器、虫、JSON ⊂ YAML?、Git? Git!、HTTP 集邮册、Docker for Everyone、惜字如金 2.0、🪐 高频率星球、🪐 小型大语言模型星球（1）、🪐 低带宽星球（1）、Komm, süsser Flagge、为什么要打开 /flag 😡（1）、异星歧途、微积分计算小练习 2.0  |
 | [MirageTurtle](players/MirageTurtle/README.md) | 总排名第 100 名 | Hackergame 启动、猫咪小测、更深更暗、旅行照片 3.0、赛博井字棋、奶奶的睡前 flag 故事、组委会模拟器、虫、JSON ⊂ YAML?、Git? Git!、HTTP 集邮册、Docker for Everyone、惜字如金 2.0、🪐 高频率星球、🪐 小型大语言模型星球(1,2)、🪐 流式星球、🪐 低带宽星球(1)、Komm, süsser Flagge(1,2)、异星歧途 |
 | [ranwen](players/ranwen/README.md) | 一般通过 | Hackergame 启动、猫咪小测、更深更暗、旅行照片 3.0、赛博井字棋、奶奶的睡前 flag 故事、组委会模拟器、虫、JSON ⊂ YAML?、Git? Git!、HTTP 集邮册、Docker for Everyone、惜字如金 2.0、🪐 高频率星球、🪐 小型大语言模型星球、🪐 流式星球、🪐 低带宽星球(1)、Komm, süsser Flagge、异星歧途、为什么要打开 /flag 😡(1)、微积分计算小练习 2.0、O(1) 用户登录系统、链上猎手、小 Z 的谜题、黑客马拉松、不可加密的异世界 2 |
+| [Testla](players/Testla) | 总排名第 21 名 | Hackergame 启动、猫咪小测、更深更暗、旅行照片 3.0(1,2)、赛博井字棋、奶奶的睡前 flag 故事、组委会模拟器、虫、JSON ⊂ YAML?、Git? Git!、HTTP 集邮册、Docker for Everyone、惜字如金 2.0、🪐 高频率星球、🪐 小型大语言模型星球(1,2)、🪐 流式星球、🪐 低带宽星球(1)、Komm, süsser Flagge、为什么要打开 /flag 😡(seccomp 非预期解)、异星歧途、微积分计算小练习 2.0、O(1) 用户登录系统、小 Z 的谜题(1) |
 
 ## 其他资源
 

players/Testla/04-旅行照片 3.0/1.js

@@ -0,0 +1,49 @@
+const dates = [
+    '2023-06-02',
+    // '2023-06-03',
+    // '2023-06-04',
+    // '2023-06-09',
+    // '2023-06-10',
+    // '2023-06-11',
+    // '2023-06-15',
+    // '2023-06-16',
+    // '2023-06-17',
+    // '2023-06-18',
+    // '2023-06-23',
+    // '2023-06-24',
+    // '2023-06-25',
+];
+const acronyms = [
+    // 'NBI',
+    // 'NBIOC',
+    // 'BLC',
+    // 'OC',
+    // 'ICEP',
+    'ICRR',
+];
+
+function dateToString(date) {
+    return [
+        (date.getFullYear() + '').padStart(4, '0'),
+        (date.getMonth() + '').padStart(2, '0'),
+        (date.getDate() + '').padStart(2, '0'),
+    ].join('-');
+}
+
+// for (const date of dates) {
+let date = new Date(2023, 6, 1);
+while (date.getMonth() < 11) {
+    for (const acronym of acronyms) {
+        fetch(
+            'http://202.38.93.111:12345/',
+            {
+                "method": "POST",
+                "headers": {
+                    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+                },
+                "body": btoa(`Answer1=${dateToString(date)}&Answer2=${acronym}`) + '.txt',
+            }
+        );
+    }
+    date.setDate(date.getDate() + 1);
+}

players/Testla/08-虫/flag.png

@@ -0,0 +1,38 @@
+import json
+import pathlib
+
+import gradio as gr
+from transformers import AutoModelForCausalLM, AutoTokenizer
+
+root_dir = pathlib.Path('TinyStories-33M')
+model = AutoModelForCausalLM.from_pretrained(root_dir).eval()
+tokenizer = AutoTokenizer.from_pretrained(root_dir)
+
+
+def predict(message):
+    model_inputs = tokenizer.encode(message, return_tensors="pt")
+    model_outputs = model.generate(
+        model_inputs,
+        max_new_tokens=30,
+        num_beams=1,
+        pad_token_id=tokenizer.eos_token_id,
+    )
+    model_outputs = model_outputs[0, len(model_inputs[0]) :]
+    model_output_text = tokenizer.decode(model_outputs, skip_special_tokens=True)
+    return model_output_text
+
+
+def main() -> None:
+    with open(root_dir / 'vocab.json', 'r', encoding='utf-8') as f:
+        vocabulary = json.load(f)
+        for word in vocabulary:
+            if len(word) > 7:
+                continue
+            output = predict(word)
+            if 'accepted' in output:
+                print(word, output)
+                exit()
+
+
+if __name__ == "__main__":
+    main()

players/Testla/14-🪐 高频率星球/index.html

@@ -0,0 +1,94 @@
+import time
+
+# import IPython
+from scapy.all import *
+import scapy.layers.inet
+import scapy.sendrecv
+
+# ip = '127.0.0.1'
+# ip = '172.20.224.1'
+# ip = '202.38.93.111'
+ip = '192.168.23.1'
+# port = 8000
+port = 18081
+sport = 9030
+iface = 'hgovpn-guest'
+
+with open('s.txt', 'rb') as f:
+    payload = f.read()
+# payload = payload + b'\r\n' * 2
+
+#产生SYN包（FLAG = S 为SYN）
+ret = scapy.sendrecv.srp(
+    scapy.layers.inet.IP(dst=ip)
+        / scapy.layers.inet.TCP(dport=port,sport=sport,flags='S',seq=17),
+    verbose = False,
+    iface=iface,
+    timeout=1,
+)
+#响应的数据包产生数组([0]为响应，[1]为未响应)
+list = ret[0].res
+#第一层[0]位第一组数据包
+#第二层[0]表示发送的包，[1]表示收到的包
+#第三层[0]为IP信息，[1]为TCP信息，[2]为TCP数据
+tcpfields_synack = list[0][1][1].fields
+
+sc_sn = tcpfields_synack['seq'] + 1
+cs_sn = tcpfields_synack['ack']
+print(sc_sn)
+print(cs_sn)
+
+#发送ACK(flag = A),完成三次握手！
+scapy.sendrecv.srp(
+    scapy.layers.inet.IP(dst=ip)
+        / scapy.layers.inet.TCP(dport=port,sport=sport,flags='A',seq=cs_sn,ack=sc_sn),
+    verbose = False,
+    iface=iface,
+    timeout=0.01,
+)
+
+def reset() -> None:
+    scapy.sendrecv.send(
+        scapy.layers.inet.IP(dst=ip)
+            / scapy.layers.inet.TCP(dport=port,sport=sport,flags='R',seq=cs_sn,ack=sc_sn),
+        verbose = False,
+    )
+
+# packets = (
+#     scapy.layers.inet.IP(dst=ip)
+#         / scapy.layers.inet.TCP(dport=port, sport=sport, flags='PA', seq=cs_sn, ack=sc_sn)
+#         / payload
+# # ).fragment(20)
+# )
+
+t = (
+    scapy.layers.inet.IP(dst=ip)
+    / scapy.layers.inet.TCP(dport=port, sport=sport, flags='PA', seq=cs_sn, ack=sc_sn)
+    / payload[:1]
+)
+# t.show()
+# packets = t.fragment(20)
+packets = (t,)
+
+# print(packets)
+first = True
+for p in packets:
+    scapy.sendrecv.srp(p, verbose=False, iface=iface, timeout=0.01)
+    # if first:
+    #     time.sleep(4)
+    #     first = False
+    time.sleep(0.1)
+
+scapy.sendrecv.srp(
+    scapy.layers.inet.IP(dst=ip)
+        / scapy.layers.inet.TCP(dport=port, sport=sport, flags='PA', seq=cs_sn + 1, ack=sc_sn)
+        / payload[1:],
+    verbose = False,
+    iface=iface,
+    timeout=0.01,
+)
+
+# IPython.embed()
+
+# time.sleep(1)
+# reset()

players/Testla/15-🪐 小型大语言模型星球/local.py

@@ -0,0 +1,93 @@
+import itertools
+import z3
+
+
+bound = 5
+constraints = ((1, 1, 3), (1, 2, 2), (1, 2, 4), (1, 4, 4), (2, 2, 2), (2, 2, 3))
+count = [3, 4, 2, 2, 2, 3]
+num_constraints = sum(count)
+num_dims = len(constraints[0])
+arrange = [[[0 for i in range(3)] for j in range(num_dims)] for k in range(num_constraints)]
+
+def all_smt(s, initial_terms):
+    def block_term(s, m, t):
+        s.add(t != m.eval(t, model_completion=True))
+    def fix_term(s, m, t):
+        s.add(t == m.eval(t, model_completion=True))
+    def all_smt_rec(terms):
+        if z3.sat == s.check():
+            m = s.model()
+            yield m
+            for i in range(len(terms)):
+                s.push()
+                block_term(s, m, terms[i])
+                for j in range(i):
+                    fix_term(s, m, terms[j])
+                yield from all_smt_rec(terms[i:])
+                s.pop()
+    yield from all_smt_rec(list(initial_terms))
+
+
+solver = z3.Solver()
+a = []
+minus_1 = z3.Int('minus_1')
+solver.add(minus_1 == 6)
+index = 0
+for constraint, c in zip(constraints, count):
+    for _ in range(c):
+        element = [
+            [
+                z3.Int(f'a[{index}][{second_dim}][{0}]'),
+                z3.Int(f'a[{index}][{second_dim}][{1}]'),
+                minus_1,
+            ]
+            for second_dim in range(3)
+        ]
+        a.append(element)
+
+        for second_dim in range(3):
+            for k in range(2):
+                solver.add(0 <= element[second_dim][k])
+                solver.add(element[second_dim][k] <= 5)
+
+        # stage 2
+        for other_index in range(index):
+            solver.add(z3.Or(*(
+                z3.Or(
+                    element[second_dim][1] <= a[other_index][second_dim][0],
+                    a[other_index][second_dim][1] <= element[second_dim][0],
+                )
+                for second_dim in range(3)
+            )))
+
+        # stage 3
+        solver.add(z3.Or(*(
+            z3.And(*(
+                element[second_dim][1] - element[second_dim][0] == diff[second_dim]
+                for second_dim in range(3)
+            ))
+            for diff in set(itertools.permutations(constraint))
+        )))
+
+        index += 1
+
+for m in all_smt(solver, [a[i][j][k] for i in range(num_constraints) for j in range(num_dims) for k in range(2)]):
+    l = [
+        [
+            [
+                m[a[i][j][0]].as_long(),
+                m[a[i][j][1]].as_long(),
+                -1,
+            ]
+            for j in range(num_dims)
+        ]
+        for i in range(num_constraints)
+    ]
+    score = len(set((x, y, z) for i in range(num_constraints) for x, y, z in itertools.product(*l[i])))
+    print(f'{score=}')
+    l = sorted(l)
+    for i in range(num_constraints):
+        for j in range(num_dims):
+            for k in range(2):
+                print(l[i][j][k], end='')
+    print()

players/Testla/18-Komm, süsser Flagge/flag2.py

@@ -0,0 +1,94 @@
+import itertools
+import z3
+
+
+bound = 5
+constraints = ((1, 1, 3), (1, 2, 2), (1, 2, 4), (1, 4, 4), (2, 2, 2), (2, 2, 3))
+count = [3, 4, 2, 2, 2, 3]
+num_constraints = sum(count)
+num_dims = len(constraints[0])
+arrange = [[[0 for i in range(3)] for j in range(num_dims)] for k in range(num_constraints)]
+
+solver = z3.Solver()
+a = []
+minus_1 = z3.Int('minus_1')
+solver.add(minus_1 == 6)
+index = 0
+s = z3.EmptySet(z3.IntSort())
+for constraint, c in zip(constraints, count):
+    for _ in range(c):
+        element = [
+            [
+                z3.Int(f'a[{index}][{second_dim}][{0}]'),
+                z3.Int(f'a[{index}][{second_dim}][{1}]'),
+                minus_1,
+            ]
+            for second_dim in range(3)
+        ]
+        a.append(element)
+
+        for second_dim in range(3):
+            for k in range(2):
+                solver.add(0 <= element[second_dim][k])
+                solver.add(element[second_dim][k] <= 5)
+
+        # stage 2
+        for other_index in range(index):
+            solver.add(z3.Or(*(
+                z3.Or(
+                    element[second_dim][1] <= a[other_index][second_dim][0],
+                    a[other_index][second_dim][1] <= element[second_dim][0],
+                )
+                for second_dim in range(3)
+            )))
+
+        # stage 3
+        solver.add(z3.Or(*(
+            z3.And(*(
+                element[second_dim][1] - element[second_dim][0] == diff[second_dim]
+                for second_dim in range(3)
+            ))
+            for diff in set(itertools.permutations(constraint))
+        )))
+
+        # count cartesian product
+        for i in range(3):
+            for j in range(3):
+                for k in range(3):
+                    s = z3.SetAdd(s, element[0][i] * 7 ** 2 + element[1][j] * 7 + element[2][k])
+
+        index += 1
+
+score = z3.Sum(*(
+    z3.If(z3.IsMember(i * 7 ** 2 + j * 7 + k, s), 1, 0)
+    for i in range(7)
+    for j in range(7)
+    for k in range(7)
+))
+solver.add(score >= 157)
+
+check_result = solver.check()
+print(check_result)
+if check_result != z3.sat:
+    exit(1)
+m = solver.model()
+l = [
+    [
+        [
+            m[a[i][j][0]].as_long(),
+            m[a[i][j][1]].as_long(),
+            -1,
+        ]
+        for j in range(num_dims)
+    ]
+    for i in range(num_constraints)
+]
+print(f'{m[score]=}')
+score = len(set((x, y, z) for i in range(num_constraints) for x, y, z in itertools.product(*l[i])))
+print(f'{score=}')
+l = sorted(l)
+for i in range(num_constraints):
+    for j in range(num_dims):
+        for k in range(2):
+            print(l[i][j][k], end='')
+print()