octo-kumo
diff --git a/‎2025-just-ctf/forensics/baby-audio/index.md
Lines changed: 39 additions & 0 deletions b/‎2025-just-ctf/forensics/baby-audio/index.md
Lines changed: 39 additions & 0 deletions
diff --git a/‎2025-just-ctf/forensics/index.md b/‎2025-just-ctf/forensics/index.md
diff --git a/‎2025-just-ctf/index.md
Lines changed: 8 additions & 0 deletions b/‎2025-just-ctf/index.md
Lines changed: 8 additions & 0 deletions
diff --git a/‎2025-sekai-ctf/index.md
Lines changed: 16 additions & 0 deletions b/‎2025-sekai-ctf/index.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎2025-sekai-ctf/misc/Discrepancy/index.md
Lines changed: 121 additions & 0 deletions b/‎2025-sekai-ctf/misc/Discrepancy/index.md
Lines changed: 121 additions & 0 deletions
@@ -0,0 +1,39 @@
+---
+created: 2025-08-02T07:59
+updated: 2025-08-02T08:01
+---
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1754136059/20250802080058804.png/d8b7482f3bfd07e54a251d6526de44ec.png)
+
+```python
+import numpy as np
+from scipy.io import wavfile
+import matplotlib.pyplot as plt
+
+rate, data = wavfile.read("morse1.wav")
+data = np.abs(data)
+data = np.array([np.max(data[i:i+1000]) for i in range(0, len(data), 1000)])
+data[data < 10000] = 0
+data[data > 0] = 1
+
+b_data = ''
+
+c = data[0]
+count = 1
+
+for value in data[1:]:
+    if value == c:
+        count += 1
+    else:
+        rep = round(count/10)
+        b_data += str(c) * rep
+        c = value
+        count = 1
+        
+bytes_list = [int(b_data[i:i+8], 2) for i in range(0, len(b_data), 8)]
+print(bytes(bytes_list))
+```
+
+```flag
+justCTF{The-track-name-is-Coldness-and-the-artist-is-The-Wanderer}
+```
@@ -0,0 +1,8 @@
+---
+created: 2025-08-02T03:31
+updated: 2025-08-02T03:33
+title: justCTF 2025
+---
+
+::ctf-overview
+::
@@ -0,0 +1,16 @@
+---
+created: 2025-08-16T12:23
+points: 957
+rank: 61
+title: SEKAI CTF 2025
+updated: 2025-08-17T20:46
+---
+
+Really enjoyed this CTF!
+
+> When would I be able to make fancy themes so unique and cute like SEKAI CTF?
+
+😭 the web challenges were so hard I'm not even sure I can call myself a web player anymore.
+
+::ctf-overview
+::
@@ -0,0 +1,121 @@
+---
+ai_date: 2025-08-17 20:46:37
+ai_summary: Exploited pickle protocol differences between Python and C implementations
+  to bypass restrictions
+ai_tags:
+- pickle
+- protocol
+- exploit
+created: 2025-08-16T08:40
+points: 100
+solves: 105
+title: Discrepancy
+updated: 2025-08-17T20:46
+---
+
+We are only allowed 8 bytes of input that has to somehow give different results in `pickle` `_pickle` and `pickletools`.
+
+I'm not gonna do this manually so let's brute force it.
+
+https://github.com/python/cpython/blob/3.13/Lib/pickletools.py#L1153
+
+Just brute forced length 2 ones, then cherry picked op codes that worked and looked nice and did a longer brute force with a subset of opcodes.
+
+```python
+import io, itertools, time
+from io import BytesIO
+import pickle, _pickle, pickletools
+from contextlib import redirect_stdout
+
+def py_ok(data: bytes) -> bool:
+    class SafePyUnpickler(pickle._Unpickler):
+        def find_class(self, module_name, global_name):
+            raise RuntimeError("blocked")
+    try:
+        SafePyUnpickler(BytesIO(data)).load()
+        return True
+    except Exception:
+        return False
+
+def c_ok(data: bytes) -> bool:
+    class SafeCUnpickler(_pickle.Unpickler):
+        def find_class(self, module_name, global_name):
+            raise RuntimeError("blocked")
+    try:
+        SafeCUnpickler(BytesIO(data)).load()
+        return True
+    except Exception:
+        return False
+
+def dis_ok(data: bytes) -> bool:
+    try:
+        f = io.StringIO()
+        with redirect_stdout(f):
+            pickletools.dis(data)
+        return True
+    except Exception:
+        return False
+answers = dict()
+alphabet = [0x88, 0x2e, 0x28, 0x90, 0x8f, 0x62, 0x61, 0x80, 0x95, 0x00, 0xff, 0x01, 0x7f]
+
+def test_bytes(b):
+    s = bytes(b)[:8]
+    py = py_ok(s); c = c_ok(s); d = dis_ok(s)
+    return (py,c,d)
+
+start = time.time()
+checked = 0
+for L in range(1, 9):
+    print(f"Length {L}...")
+    for tup in itertools.product(alphabet, repeat=L):
+        checked += 1
+        candidate = bytes(tup)[:8]
+        res = test_bytes(candidate)
+        if answers.get(res) is None:
+            answers[res] = candidate
+            print(f"Found {res} -> {candidate.hex()}")
+            if len(answers) == 2**3:
+                print("Found all answers!")
+                exit(0)
+```
+
+```
+Length 1...
+Found (False, False, False) -> 88
+Length 2...
+Found (True, True, True) -> 882e
+Found (False, False, True) -> 282e
+Length 3...
+Found (True, True, False) -> 88882e
+Length 4...
+Found (False, True, True) -> 8828902e
+Found (True, False, True) -> 888f622e
+Length 5...
+Found (False, True, False) -> 888828902e
+Found (True, False, False) -> 88888f622e
+Found all answers!
+```
+
+```python
+# ncat --ssl discrepancy.chals.sekai.team 1337
+from pwn import *
+
+answers = {(False, False, False): b'\x88', (True, True, True): b'\x88.', (False, False, True): b'(.', (True, True, False): b'\x88\x88.', (False, True, True): b'\x88(\x90.', (True, False, True): b'\x88\x8fb.', (False, True, False): b'\x88\x88(\x90.', (True, False, False): b'\x88\x88\x8fb.'}
+conn = remote("discrepancy.chals.sekai.team", 1337, ssl=True)
+req = [(True,True,False),
+       (False,True,True),
+       (True,False,True),
+       (False,False,True),
+       (False,True,False)]
+for res in req:
+    print(conn.recvline())
+    conn.sendline(answers[res].hex().encode())
+
+print(conn.recvall().decode())
+
+# SEKAI{p1ckleeeeeeeee_3a01fea10fb01a88c1cd554e7372f21ced43b497}
+```
+
+```flag
+SEKAI{p1ckleeeeeeeee_3a01fea10fb01a88c1cd554e7372f21ced43b497}
+```