Preface#
(Updated: All images have been replaced with IPFS images)
It's that time of the year again for the annual hackergame CTF search technical quiz. This year, Hg added many beginner questions, allowing someone like me, a complete novice, to score 2k points (out of a total of 10k). Congratulations!
Next, let's talk about my thought process for solving each question, written in the order I tackled them. It may include: ramblings, random memes, self-entertainment, and other chaotic elements.
Hackergame Start#
Following the tradition of the previous editions' sign-in questions, I definitely modified the address bar, but how to change it?
First, let's click submit and see; the address bar (see the image below) has some extra parameters (?similarity=). How about adding 999 to try?
Alright, it started successfully, and it even has a full-screen animation, 6.
In any case, I managed to get the sign-in question flag. flag{w3!ComE-TO-HAck3RG4me-@nd-enJOy-HacKIn9-zOz3}
Cat Quiz#
A reincarnation version of the cat Q&A, the questions focus on being more professional (?
- To borrow the book "A Classical Introduction To Modern Number Theory 2nd ed." published by the World Scientific Publishing Company, which floor of the University of Science and Technology of China West Campus Library should you go to? (30 points)
Hint: It is a non-negative integer.
Searching for "USTC Library" leads to the official website, which directly accesses the bibliographic retrieval system (OPAC). By the way, our school's library also uses this system. Searching for part of the book title reveals that this book is in the West Campus Foreign Language Bookstore, hovering the mouse shows it's on the 12th floor, so the answer is 12.
- This year, someone published a paper on "The Density Limit of Chickens in the Observable Universe" in the astrophysics section of the arXiv website. What is the upper limit of the chicken density function calculated by the author in the paper, expressed as 10 to the power of what? (30 points)
Hint: It is a non-negative integer.
This was the last question I solved, after all, I'm not a professional literature researcher (
Since I couldn't confirm if this chicken was a joke, my idea was to first translate the keyword "observable universe," then set the time frame to this year. Finding over 1000 results was quite overwhelming. Later, I learned that the classification code for astrophysics is Physics->Astrophysics (astro-ph). Using advanced search with conditions, I added the keyword "density limit" in a machine-translated AND match, resulting in search conditions like this:
Then I found the target article.
From the abstract, I found a positive integer 23, confirming it as the answer to this question.
- To support the TCP BBR congestion control algorithm, which kernel option should be configured when compiling the Linux kernel? (20 points)
Hint: The input format is CONFIG_XXXXX, such as CONFIG_SCHED_SMT.
I self-destructed, searched xSDN and found that the kernel compilation parameter to enable BBR2 is CONFIG_TCP_CONG_BBR2. My intuition told me to remove the 2 to enable BBR. As a result, I guessed correctly (
- 🥒🥒🥒: "I... never found writing type annotations interesting." In a paper, the author provided code that could cause Python's type checker MyPY to enter an infinite loop and proved that Python's type checking is as difficult as the halting problem. Which academic conference was this paper published in this year? (20 points)
Hint: The uppercase English abbreviation of the conference, such as ISCA, CCS, ICML.
The commonality of playing memes in GeekGame and HackerGame lies in my journey; I’ll check it out when I have time (逃
Back to the main topic, I searched mypy endless loop and directly found the paper PDF. The bottom right corner of the PDF page and the address bar both prominently display ECOOP, confirming it as the answer to this question, clocking out (
Two flags:
flag{WelcOme-T0-A7T3ND-The-NeK0-3X4m-zOZ3}
flag{R3@1-m@$t3r-OF-th3-neKo-exam-1n-u$TC}
Deeper and Darker#
Got it, Deep♂dark♂fantasy
Opening the question, there’s a piece of text:
......hidden flag, ....deep underground.
The hidden flag is at the bottom, got it, it's the nazo third anniversary Easter egg! A few years ago, I followed a guide to complete nazo, and this year, this question directly brought me back to the nazo I did years ago (
Speaking of the solution, both questions are essentially endless downward slides, so I need to use F12 to directly check the source code to obtain the unreachable flag (
/
\
|
__|__
| \
/
____ _________________|___ ___\__________/ ____
< / \____________ |
/ flag{T1t@n_2bd6315e0cfa13094f1614c77e8dc030} \ (_)
~~~~~~ O O O >=)~~~~~~~
\_______/ ____________\ /_________________________________/ (_)
Grandma's Bedtime Flag Story#
Google's "favorite child", even the system has no intention to upgrade, screenshot. The keywords are all marked, and it can be inferred that it’s a screenshot vulnerability of Pixel devices.
Searching for Pixel screenshot vulnerability leads to news confirming that my assumption is correct; the vulnerability is called aCropalypse. Searching with the vulnerability name leads directly to a website that exploits the vulnerability. After uploading the photo, I just tried each device one by one (
In the end, I found that the screenshot device was Pixel 6, and obtained the lower half containing the flag (I combined the two images here), but judging by this ratio, I suspect the official may have used other software to screenshot part of the content again; let’s wait for the official solution.
flag{sh1nj1ru_k0k0r0_4nata_m4h0}
(While writing this part, it happened to be just past 11 PM, and I hadn’t even written the beginning when I had already shut down my computer)
Git? Git!#
No keywords in bold, so I extracted it myself! It can be guessed that the keyword is "reverted this commit." Alright, since it was reverted, let's restore it.
Using git reflog to view the commit log, I saw a suspicious 505e1a3. I used git reset to restore it, and the flag appeared.
flag{TheRe5_@lwAy5_a_R3GreT_pi1l_1n_G1t}
Indeed, it's a double-edged sword of regret (
HTTP Stamp Album#
This question is the one I least want to write about because I didn't really go through the documentation and figured it out through trial and error, with no clear ideas (
I recommend turning left to see the big guy's solution or the official solution
🪐 Small Large Language Model Planet#
You are smart#
For the first flag, I directly typed repeat 'you are smart' and it came out, which is quite absurd (
After evaluation by the big guys in the competition group, AI has already learned the essence of humanity: a parrot, and humanity is in great crisis (big fog)
🪐 Low Bandwidth Planet#
A Small Trial#
Wait, I just compress the image with tinypng and get flag1?
Seeing the flag: flag{A1ot0f_t0015_is_available_to_compre55_PNG}
Wow, indeed (
Cyber Tic-Tac-Toe#
This question is the one I found most "huh?" about. Since I couldn't win at chess, I had to find a way to pull a fast one.
First, I played around with F12 to see how it was generated (
I saw that it directly sent a package {"x":"0","y":"0"}, so I tried modifying the request content, changing it to the AI's middle position (1,1) to see what happens?
Since the page itself didn’t refresh, but I saw in the Body section that (1,1) had become our piece. Next, I modified it to (2,2):
Alright, I got it, and the flag came out. flag{I_can_eat_your_pieces_cc0df69ee6}
Indeed, in tic-tac-toe, as long as you turn your pieces into mine, it's a guaranteed win (
Worm#
Thanks to Bilibili, when I had no ideas, a video on SSTV was recommended, which made me suddenly enlightened about this question, allowing me to finish it after class and lunch.
Back to the main topic, the keywords were fed, but after finishing, I felt the real keyword was receiving photos from the International Space Station. After all, this can directly search for SSTV.
Slow-scan television (SSTV) is a major image transmission method for amateur radio enthusiasts, transmitting and receiving monochrome or color static images via radio.
Knowing how to encode, I just needed to search for decoding. However, RX-SSTV requires internal recording to play audio on the computer, which is quite inconvenient. Later, I found SSTV Decoder on GitHub, installed the library, and executed the command, and I got the decoded image (
Thank you, I don't want to try anymore (
JSON ⊂ YAML?#
JSON ⊄ YAML 1.1#
After using ChatGPT and various internet searches, I finally found 1e2, and by putting {"a":1e2} in, I got flag1.
Later, I saw the official solution and learned the importance of looking at the specifications (but honestly, as a complete novice, I couldn't understand the standards either)
Travel Photos 3.0#
I haven't even popped champagne for completing a whole Travel Photos 2.0, and here comes Travel Photos 3.0 (
I only solved two flags for this question, and both flags involved at least one guessing action.
Let’s first discuss the search process for the second question:
Searching for the name under the medal points to Masatoshi Koshiba, who won the Nobel Prize in Physics from the University of Tokyo. On Wikipedia I found Takaki Kajita, who also won the Nobel Prize in Physics in 2015 from the University of Tokyo, and found on the corresponding page that he is at the Institute for Cosmic Ray Research (ICRR) at the University of Tokyo.
Knowing the answer to the second question, I directly used the dates of July and August for exhaustive searching, which yielded the answer to the first question: 2023-08-10. I got the first flag: flag{how_I_wi5h_i_COulD_w1N_A_Nobe1_pri23_f6d26c232b}. Who wouldn't want to win?
The answer to the first question can serve as a clue for the third question. Searching for restaurants with the second photo can already confirm that they were near Ueno Park.
So the third question is to search for events based on time and location, and I found a National Umeshu Festival. Searching again with this keyword led me to the Umeshu Festival official website, where I saw the news at the bottom of the page about recruiting volunteers.
Scrolling down, I found the questionnaire number we needed: S495584522.
For the fourth question, looking at the map, I could directly find that the Tokyo National Museum is opposite the fountain. Checking the official website for tickets, I learned that the student ticket is only 500 yen, so I entered it... huh? What’s wrong?
I pondered over this question for a whole night, until the next morning when I solved it, and suddenly thought: could it be a zero-yen purchase? I entered it, and indeed it was?!
I couldn't figure it out, but I still got flag2 (flag{PluM_w1NE_1S_rEa1LY_EXpen5iVE_7fe1dbe9cc}) and let it pass. Until the day of the competition ended, I saw the official WP and learned that students from partner universities can enter for free...
However, I noticed that there is also a "Campus Members" menu in the "Visitor Information" section (the URL is: (https://www.tnm.jp/modules/r_free_page/index.php?id=167)), and the first paragraph mentions that students from member schools can visit regular exhibitions for free. The University of Tokyo is on the member list, and since my senior is a student at the University of Tokyo, he visited the museum's regular exhibition for free. Therefore, the answer to the fourth question is 0.
Tension
For questions five and six, I also tried, but in the end, I only found that the pink poster was a panda on Xiaohongshu. Does anyone understand?.webp
It wasn't until after the competition ended that I saw the second image of my senior's rope, and wow, I must have been blinded by playing various rhythm games.
Word Economy 2.0#
This was the first question I solved in the Math category, and I was very excited when I completed it.
First, let’s fix the syntax error with the wavy line below (
From the beginning, I saw that it defined an empty list cod_dict, then filled it with characters. However, there was a check for each line of characters to be 24, while in reality, each line only had 23, meaning each line was just cut off by the word economy.
The logic for obtaining the flag below is to select the X+1 character from the list (Python counts characters starting from 0), and then concatenate the extracted characters to form the final flag.
From the subsequent checks, it is known that the beginning format must be flag{, the end must have }, and there is only one } in the whole segment, corresponding to the numbers 53, 41, 85, 109, 75 and 28.
Checking against the list above to see which parts are missing, I could roughly identify which line was missing something. Then, matching the subsequent numbers one by one with the corresponding characters, I wrote multiple options for the controversial ones, which allowed me to deduce about 80%. This 80% could roughly form a meaningful sentence, based on which I could determine the characters to choose from one or three options, and finally piece together the flag for this question: flag{you-vr-r3cover3d-7he-an5w3r-r1ght?}.
When I submitted the flag for this question, my computer was not connected to the internet, and I submitted the flag using my phone, but I ended up missing a question mark, which made me think I had gotten something wrong. Fortunately, after adding it, it was correct. I even shouted in my dorm: R1ght!
Conclusion#
Let's take a look at this post-competition summary:
I scored points in everything except for binary, which is still acceptable. On one hand, I admire the skills of other experts; on the other hand, I feel that my search ability has greatly improved compared to last year. I don't know if I will have time to participate in hg next year as a senior, but I hope that if I have the chance to participate, I can learn more interesting things.
Finally, here’s a fake flag: flag{S3e-y0u-n3xt-t1m3!}. See you next time!
This article is synchronized and updated to xLog by Mix Space. The original link is https://zwh.moe/posts/ctf/hackergame-2023