% ssh-keygen -t ed25519 -f test
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:NeYtBvyhXH8QwBs2qTXySfBWGQHBPwE3BBTR0rZ+HiQ <redacted>
The key's randomart image is:
+--[ED25519 256]--+
| .=X&O+ |
| ...%o*o |
| oBOX.o |
| ..X+=E.. |
| S =.o+. |
| . ...o |
| o . |
| . |
| |
+----[SHA256]-----+
% cat test.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/99+jnYPCQvNgb/4BeckKITWKsKihl5HvHlSvfkYc1 <redacted>
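The problem we ran into here was that, during the competition, a participant reported a solution that worked locally but failed against the remote instance with a 503. With a 503 the first thing to suspect is server load, but increasing the memory size for the time being did not change anything.
The page "Cloud Run troubleshooting | Cloud Run documentation | Google Cloud" lists possible causes such as running out of memory, request timeouts on the application side, or simply being unable to keep up with the number of requests.
For some reason the request seemed to be cut off without a response being returned, but we could not determine the cause during the competition. The intended solution still worked against the remote instance and the participant reported solving the challenge another way, so we could not address it and left it as it was.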
% docker run --rm -ti oven/bun:1.0.14-slim bun repl
Welcome to Bun v1.0.14
Type ".help" for more information.
[!] Please note that the REPL implementation is still experimental!
Don't consider it to be representative of the stability or behavior of Bun overall.
> await Bun.file('/etc/passwd').text()
'root:x:0:0:root:/root:/bin/bash\n' +
...
% docker run --rm -ti --runtime=runsc oven/bun:1.0.14-slim bun repl
Welcome to Bun v1.0.14
Type ".help" for more information.
[!] Please note that the REPL implementation is still experimental!
Don't consider it to be representative of the stability or behavior of Bun overall.
> await Bun.file('/etc/passwd').text()
(the whole container stops here)
% docker run --rm -ti --runtime=runsc oven/bun:canary-slim bun repl
Welcome to Bun v1.0.16
Type ".help" for more information.
[!] Please note that the REPL implementation is still experimental!
Don't consider it to be representative of the stability or behavior of Bun overall.
> await Bun.file('/etc/passwd').text()
'root:x:0:0:root:/root:/bin/bash\n' +
...
import curses

# Tile values taken from the challenge; 0x00000000 is the blank tile.
M = [0x445856DB, 0x4C230304, 0x0022449F, 0x671A96B7, 0x6C5644F7, 0x7FF46287, 0x6EE9C829, 0x5CDA2E72, 0x00000000, 0x698E88C9, 0x33E65A4F, 0x50CC5C54, 0x1349831A, 0x53C88F74, 0x25858AB9, 0x72F976D8]
# Map each tile value to its rank so the board shows 0..15.
numbers = {}
for i, x in enumerate(sorted(M)):
    numbers[x] = i
# Position of the blank tile (column x, row y) on the 4x4 board.
x = 0
y = 2
moves = []
screen = curses.initscr()


def print_map():
    for i, x in enumerate(M):
        screen.addstr('%2d ' % numbers[x])
        if i > 0 and (i + 1) % 4 == 0:
            screen.addstr('\n')
    screen.refresh()


def move():
    # Read one vi-style key (h/j/k/l), swap the blank tile, record the move.
    global x, y
    c = screen.getch()
    screen.erase()
    if c == ord('k'):
        if y <= 0:
            return False
        [M[4*y+x], M[4*(y-1)+x]] = [M[4*(y-1)+x], M[4*y+x]]
        y -= 1
        moves.append('U')
        return True
    elif c == ord('j'):
        if y >= 3:
            return False
        [M[4*y+x], M[4*(y+1)+x]] = [M[4*(y+1)+x], M[4*y+x]]
        y += 1
        moves.append('D')
        return True
    elif c == ord('h'):
        if x <= 0:
            return False
        [M[4*y+x], M[4*y+x-1]] = [M[4*y+x-1], M[4*y+x]]
        x -= 1
        moves.append('L')
        return True
    elif c == ord('l'):
        if x >= 3:
            return False
        [M[4*y+x], M[4*y+x+1]] = [M[4*y+x+1], M[4*y+x]]
        x += 1
        moves.append('R')
        return True
    return False


# Play until the board is sorted, then print the recorded move string.
while True:
    if M == sorted(M):
        break
    print_map()
    move()
curses.endwin()
print(''.join(moves))
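This was a first blood. The syscall number is checked only for the \x0f\x05 instruction, so using an instruction with a CS prefix, such as cs syscall, makes it possible to execute arbitrary syscalls. However, the syscall itself is invoked through Python's libc.syscall, so the memory map is a separate one, and the usual shellcode that places a string on the stack and executes /bin/sh does not work as-is. I allocated memory with mmap, wrote /bin/sh\0 into it with read, and then called execve.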
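The prefix gap described above, as an added example that is not the challenge's code: a check that only recognises a bare `0f 05` beside one that skips prefix bytes first. The function names, the allowlist and the sample instruction bytes are constructed for illustration, 64-bit mode is assumed, and the hardened check generalises beyond the CS prefix to the other legacy prefixes and REX.

```python
# Added example: hypothetical filter logic, not the challenge's source.
# x86-64 legacy prefixes (lock/rep, segment overrides, operand/address size).
LEGACY_PREFIXES = frozenset(
    {0xF0, 0xF2, 0xF3, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65, 0x66, 0x67}
)
SYSCALL_OPCODE = b"\x0f\x05"
MAX_INSN_LEN = 15  # architectural limit on x86 instruction length

# Constructed allowlist for the demo: read(0), write(1), exit(60).
ALLOWED_SYSCALLS = frozenset({0, 1, 60})


def naive_is_syscall(insn: bytes) -> bool:
    """Weak check: only matches when the instruction starts with 0f 05."""
    return insn[:2] == SYSCALL_OPCODE


def hardened_is_syscall(insn: bytes) -> bool:
    """Skip legacy and REX (0x40-0x4f) prefix bytes before matching 0f 05."""
    i = 0
    limit = min(len(insn), MAX_INSN_LEN)
    while i < limit and (insn[i] in LEGACY_PREFIXES or 0x40 <= insn[i] <= 0x4F):
        i += 1
    return insn[i:i + 2] == SYSCALL_OPCODE


def may_execute(insn: bytes, rax: int, is_syscall) -> bool:
    """Filter decision for one instruction about to run with the given rax."""
    if not is_syscall(insn):
        return True  # not recognised as a syscall, so rax is never checked
    return rax in ALLOWED_SYSCALLS


# Constructed samples: (label, instruction bytes).
SAMPLES = [
    ("syscall", b"\x0f\x05"),
    ("cs syscall", b"\x2e\x0f\x05"),
    ("rex.w syscall", b"\x48\x0f\x05"),
    ("nop", b"\x90"),
]

if __name__ == "__main__":
    EXECVE = 59  # not in the allowlist
    for label, insn in SAMPLES:
        print(f"{label:14} naive={may_execute(insn, EXECVE, naive_is_syscall)} "
              f"hardened={may_execute(insn, EXECVE, hardened_is_syscall)}")
```

Filtering at the syscall boundary itself, or on the decoded instruction rather than its raw bytes, avoids depending on the encoding at all.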
from typing import Optional

# having_letters, word_n = 'bbroeaitxfgitr', 3
# having_letters, word_n = 'kafhaaaleoercpspsghr', 4
having_letters, word_n = 'earrabarkwtpdiaapdkoucsovhst', 5
having_letters = having_letters.lower()
words = open('words').read().splitlines()
search_candidates_memo = {}


def search_candidates(having_letters: str):
    # Return every dictionary word that can be spelled from the remaining letters.
    if having_letters in search_candidates_memo:
        return search_candidates_memo[having_letters]
    candidates = []
    for word in words:
        word_letters = list(word)
        having_letters_list = list(having_letters)
        ok = True
        for wl in word_letters:
            if wl not in having_letters_list:
                ok = False
                break
            del having_letters_list[having_letters_list.index(wl)]
        if ok:
            candidates.append(word)
    search_candidates_memo[having_letters] = candidates
    return candidates


def dfs(having_letters: str, word_n: int, result: Optional[list[str]] = None):
    # Depth-first search for word_n words that use up every letter exactly once.
    if result is None:
        result = []
    if word_n == 0 and len(having_letters) == 0:
        return result
    if word_n <= 0:
        # No words left to place but letters remain: prune this branch.
        return None
    candidates = search_candidates(having_letters)
    for candidate in candidates:
        having_letters_list = list(having_letters)
        for cl in candidate:
            del having_letters_list[having_letters_list.index(cl)]
        result = dfs(''.join(having_letters_list), word_n - 1)
        if result is not None:
            return result + [candidate]
    return None


print(dfs(having_letters, word_n))
Oct 21, 2023 8:49:22 PM com.google.cloud.datastore.emulator.firestore.CloudFirestore main
SEVERE: Exiting due to unexpected exception.
com.google.cloud.datastore.core.exception.DatastoreException: Message missing required fields: kind_info[0].kind
at com.google.cloud.datastore.util.leveldb.ExportImportUtil.parseBackupFile(ExportImportUtil.java:378)
at com.google.cloud.datastore.util.leveldb.ExportImportUtil.fetchEntities(ExportImportUtil.java:88)
at com.google.cloud.datastore.emulator.firestore.CloudFirestore.init(CloudFirestore.java:181)
at com.google.cloud.datastore.emulator.firestore.CloudFirestore.startLocally(CloudFirestore.java:115)
at com.google.cloud.datastore.emulator.firestore.CloudFirestore.main(CloudFirestore.java:96)
Caused by: com.google.protobuf.InvalidProtocolBufferException: Message missing required fields: kind_info[0].kind
at com.google.protobuf.UninitializedMessageException.asInvalidProtocolBufferException(UninitializedMessageException.java:79)
at com.google.protobuf.AbstractParser.checkMessageInitialized(AbstractParser.java:73)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:91)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:96)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:48)
at com.google.cloud.datastore.util.leveldb.ExportImportUtil.parseBackupFile(ExportImportUtil.java:376)
... 4 more
[solved] NEMU
The bug: reg itself is originally sized as int32_t, but each instruction reads and writes it as uint64_t, so accesses overflow by 4 bytes.
https://gist.github.com/akiym/a4b816c93c3b201cca4ed35368e6f6e4
RicSec{me0w_i_am_n3mu_n3mu_c4tt0}