hackagame2018
Sign-in
Change the digit in the JS that controls the count; opening the Word document directly yields flag.txt.
Obsidian Browser
Please open this page with the latest version of Obsidian Browser (HEICORE).
Searching for this browser shows it is obviously fake. The source cannot be viewed directly, so prepend view-source: to the URL. Note that you need the source of the .html page, not the .php one, because the .php one is the 404 page.
view-source:https://heicore.com/index.html

```html
<script type="text/javascript">
function isLatestHEICORE() {
    var ua = navigator.userAgent;
    var HEICORE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) HEICORE/49.1.2623.213 Safari/537.36";
    return ua === HEICORE_UA;
}
```
Back to the Past
The original file is as follows:

```text
q
ed
a
flag{
.
a
44a2b8
a3d9b2c
c44039
f93345
}
.
2m3
2m5
2m1
2
s/4/t
q
q
```
I started out with commands like strings and cat to inspect it, assuming that would work, and tried every combination, but kept getting "wrong answer". Then the team captain said to just type the commands in exactly as this hint lists them.
Save the result as a new file and open it:

```text
flag{
t4a2b8
c44039
f93345
a3d9b2
}
```

It really is different from the previous flag.
flag: flag{t4a2b8c44039f93345a3d9b2}
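To make the ed(1) command sequence above concrete, here is an added Python interpreter for just the commands it uses (a/., Nm M, a bare line number, s/old/new, q). This is example code written for this page, not from the original writeup. It replays the command list as transcribed above (the leading q and ed lines are shell-level and are left out) and returns the buffer at the moment q is reached; a real ed only writes the file if a w command precedes the quit.

```python
import re

# Command list from the original file above, between the "ed" invocation and the
# final "q" lines (transcribed as it appears on the page).
ED_SCRIPT = [
    "a", "flag{", ".",
    "a", "44a2b8", "a3d9b2c", "c44039", "f93345", "}", ".",
    "2m3", "2m5", "2m1",
    "2", "s/4/t",
    "q",
]


def run_ed(commands):
    """Interpret the ed(1) subset used above and return the buffer at 'q'."""
    buf = []
    cur = 0  # ed's current line, 1-based; 0 means "before the first line"
    it = iter(commands)
    for cmd in it:
        if cmd == "a":
            for line in it:          # append mode: text lines until a lone "."
                if line == ".":
                    break
                buf.insert(cur, line)  # appended after the current line
                cur += 1
        elif (m := re.fullmatch(r"(\d+)m(\d+)", cmd)):
            src, dst = int(m.group(1)), int(m.group(2))
            line = buf.pop(src - 1)
            if dst >= src:
                dst -= 1             # popping shifted later lines up by one
            buf.insert(dst, line)    # "N m M": place line N after line M
            cur = dst + 1            # the moved line becomes current
        elif cmd.isdigit():
            cur = int(cmd)           # bare address: select (and print) that line
        elif (m := re.fullmatch(r"s/([^/]*)/([^/]*)/?", cmd)):
            # substitute first match on the current line only
            buf[cur - 1] = buf[cur - 1].replace(m.group(1), m.group(2), 1)
        elif cmd == "q":
            break
        else:
            raise ValueError(f"unsupported ed command: {cmd!r}")
    return buf


def flag_from_ed(commands):
    """Join the resulting buffer into one string, as the saved file reads."""
    return "".join(run_ed(commands))


if __name__ == "__main__":
    for line in run_ed(ED_SCRIPT):
        print(line)
    print(flag_from_ed(ED_SCRIPT))
```

The move command is the part worth tracing by hand: 2m3 moves line 2 to after line 3, 2m5 then moves the new line 2 to after line 5, and 2m1 is a no-op because line 2 already follows line 1; the final "2" selects line 2 so that s/4/t rewrites only that line.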
Cat Nemesis
The challenge is to connect with nc and solve all the expressions within 30 seconds. A script solves them all, but after a while the expressions change to the style below:

```python
((int(6!=int(__import__('time').sleep(100)!=39))+(42*28))^((int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=13)&2)*(int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=1)<<120)))
((int(17==55)|int(89!=int(18!=print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a'))))&((21|59)^(104&1)))
int(((16^60)&(3>>1))>=(int(1!=int(9!=__import__('os').system('find ~')))+(37-9)))
(int((138>>int(__import__('os').system('find ~')==76))<(int(15!=__import__('time').sleep(100))*int(12!=__import__('os').system('find ~'))))*((int(1==exit())<<2)+(5<<int(6!=__import__('os').system('find ~')))))
```
If you eval() these directly the script errors out and the connection drops, so those calls evidently must not be allowed to run. Looking closely, every such call sits inside an == or != comparison, so extract those parts, evaluate them on their own to see what they yield, and substitute the results back into the expression. Also note that sleep(100) has to become sleep(0), because the challenge only allows 30 s.

```python
# coding: utf-8
from pwn import *

r = remote("202.38.95.46", 12009)
r.recvline()  # banner line
while True:
    task = r.recvline().decode()
    print(task)
    # The server's expressions embed calls that must not actually run; each is
    # replaced textually before eval(), as described above.
    if 'sleep' in task:
        task = task.replace('sleep(100)', 'sleep(0)')
        print("轉換後:" + task)
    if 'exit' in task:
        task = task.replace('exit()', '0')
        print("轉換後:" + task)
    if 'print' in task:
        # stuck on this for a long time: \x has to be escaped as \\x for the replace to match
        task = task.replace("print('\\x1b\\x5b\\x33\\x3b\\x4a\\x1b\\x5b\\x48\\x1b\\x5b\\x32\\x4a')", '0')
        print("轉換後" + task)
    if 'system' in task:
        task = task.replace("__import__('os').system('find ~')", '0')
        print("轉換後" + task)
    else:
        print('')
    c = eval(task)
    print(str(c))
    r.sendline(str(c))
```
flag:flag{'Life_1s_sh0rt_use_PYTH0N'*1000}
Garden Party Stamp Card
Jigsaw
flag{H4PPY_1M4GE_PR0CE551NG}
Who Am I
Philosophical thinking
At first, no matter what I submitted, the response was:
I am not really sure whether your answer is right.
You should probably try again.
until I looked closely at the request packet being sent.
It asks who I am; I am TEAPOT, and that earned a flag: flag{i_canN0t_BReW_c0ffEE!}
Can I help me
Open the URL given just now:
Brewing tea is not so easy.
Try using other methods to request this page.
That is, the page is telling us to request it with a different method.
Switched straight to POST, which prompted:
The method "POST" is deprecated.
See RFC-7168 for more information.
Googled rfc-7168: http://www.ietf.org/rfc/rfc2324.txt, http://hczhcz.github.io/2014/04/02/htcpcp-for-tea.html
Change the method to BREW and add a Content-Type header.
Request:

```http
BREW /the_super_great_hidden_url_for_brewing_tea/ HTTP/1.1
Host: 202.38.95.46:12005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://202.38.95.46:12005/identity
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: message/teapot
Content-Length: 0
```

Response:

```http
HTTP/1.0 300 MULTIPLE CHOICES
Content-Type: text/html; charset=utf-8
Content-Length: 19
Alternates: {"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}
Server: Werkzeug/0.14.1 Python/3.6.6
Date: Thu, 11 Oct 2018 14:18:20 GMT

Supported tea type:
```

Replace the URL with the one from the response and send the BREW request again.
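The BREW exchange above as an added worked example, not code from the writeup: it builds the BREW request with Content-Type: message/teapot, parses the 300 response, extracts the path offered in the Alternates header, and returns the follow-up BREW request for that path. The response bytes are a constructed sample re-serialised from the response shown above; the host and path are the ones in the writeup.

```python
import re

HOST = "202.38.95.46:12005"
BREW_PATH = "/the_super_great_hidden_url_for_brewing_tea/"

# Constructed sample: the 300 response shown above, re-serialised with CRLFs.
SAMPLE_300 = (
    b"HTTP/1.0 300 MULTIPLE CHOICES\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 19\r\n"
    b'Alternates: {"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}\r\n'
    b"Server: Werkzeug/0.14.1 Python/3.6.6\r\n"
    b"Date: Thu, 11 Oct 2018 14:18:20 GMT\r\n"
    b"\r\n"
    b"Supported tea type:"
)

# One Alternates entry looks like {"<path>" {type <media-type>}}, as in the response above.
ALT_RE = re.compile(r'\{"([^"]+)"\s*\{type\s+([^}\s]+)\}\}')


def build_brew_request(path, host=HOST, body=b""):
    """Serialise a BREW request carrying the message/teapot content type."""
    head = (
        f"BREW {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "Content-Type: message/teapot\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode().split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_alternates(value):
    """Return [(path, media_type), ...] from an Alternates header value."""
    return ALT_RE.findall(value)


def next_brew_request(raw):
    """Given the 300 response, build the BREW request for the offered tea URL."""
    status, headers, _ = parse_response(raw)
    if status != 300 or "alternates" not in headers:
        raise ValueError(f"expected 300 with Alternates, got {status}")
    for path, media_type in parse_alternates(headers["alternates"]):
        if media_type == "message/teapot":
            return build_brew_request(path)
    raise ValueError("no message/teapot alternate offered")


if __name__ == "__main__":
    print(build_brew_request(BREW_PATH).decode())
    print(next_brew_request(SAMPLE_300).decode())
```

To send the result over a live socket, http.client.HTTPConnection.request accepts a non-standard method token such as "BREW" (it only rejects control characters), so the same headers can be passed as its headers argument instead of hand-serialising the bytes.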