Change the number of digits in the JS that controls the count; the Word document, opened directly, already contains flag.txt.
Please open this page with the latest version of the Obsidian browser (HEICORE).
Searching for this browser shows it is obviously fake. The source cannot be viewed directly, so prefix the URL with view-source:. Note that you want the source of the .html page, not the .php one, because that one is the 404 page.
view-source:https://heicore.com/index.html
```html
<script type="text/javascript">
// Exact string comparison of the visitor's User-Agent against the fake browser's UA.
function isLatestHEICORE() {
    var ua = navigator.userAgent;
    var HEICORE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) HEICORE/49.1.2623.213 Safari/537.36";
    return ua === HEICORE_UA;
}
</script>
```
The source file is as follows:
```
q
ed
a
flag{
.
a
44a2b8
a3d9b2c
c44039
f93345
}
.
2m3
2m5
2m1
2
s/4/t
q
q
```
At first I kept using commands like strings and cat to look at it, thinking that would work, and tried all sorts of combinations, but the answer was always wrong. Then the team captain said to just type it in by hand following this hint.
Save the result as a new file and open it:
```
flag{
t4a2b8
c44039
f93345
a3d9b2
}
```
It really is different from the earlier flag.
flag: flag{t4a2b8c44039f93345a3d9b2}
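To see what that command list actually does instead of typing it in blind, here is a small emulator of the ed(1) commands the file uses. This is an added example for this writeup, not the author's code. The leading q and ed lines are shell-level (quit the previous program, start ed), so only what follows ed is fed to the emulator. The two q commands at the end are both needed: ed refuses the first quit with ? while the buffer has unsaved changes.

```python
import re

# Commands from the challenge file, as transcribed above; everything after the
# shell-level "q" and "ed" lines is typed into ed itself.
ED_SCRIPT = [
    "a", "flag{", ".",
    "a", "44a2b8", "a3d9b2c", "c44039", "f93345", "}", ".",
    "2m3", "2m5", "2m1",
    "2", "s/4/t",
    "q", "q",
]


def run_ed(commands):
    """Emulate the handful of ed(1) commands the challenge uses and return the buffer.

    Supported: a (append after the current line until a lone "."), NmM (move line N
    to after line M), a bare line number (print it and make it current), s/old/new
    on the current line, and q (refused once with "?" while changes are unsaved).
    Anything else raises, so an unmodelled command is noticed rather than skipped.
    """
    buf = []          # buffer lines; ed addresses are 1-based, so line n is buf[n - 1]
    cur = 0           # current line address (0 = empty buffer)
    dirty = False     # unsaved changes -> the first "q" is answered with "?"
    it = iter(commands)
    for cmd in it:
        if cmd == "a":
            for text in it:
                if text == ".":
                    break
                buf.insert(cur, text)          # append after the current line
                cur += 1
            dirty = True
        elif (m := re.fullmatch(r"(\d+)m(\d+)", cmd)):
            src, dst = int(m.group(1)), int(m.group(2))
            line = buf.pop(src - 1)
            if dst >= src:                     # removing src shifts later lines up by one
                dst -= 1
            buf.insert(dst, line)              # lands right after original line dst
            cur = dst + 1                      # the moved line becomes current
            dirty = True
        elif cmd.isdigit():
            cur = int(cmd)                     # ed prints the line; here it just becomes current
        elif cmd.startswith("s/"):
            _, old, new = cmd.split("/", 2)    # s/old/new, trailing "/" optional
            buf[cur - 1] = buf[cur - 1].replace(old, new.rstrip("/"), 1)
            dirty = True
        elif cmd == "q":
            if dirty:
                dirty = False                  # ed prints "?"; the next q quits for real
                continue
            break
        else:
            raise ValueError(f"unsupported ed command: {cmd!r}")
    return buf


def flag_from_script(commands):
    """Join the buffer lines, which is what the saved file reads as one string."""
    return "".join(run_ed(commands))


if __name__ == "__main__":
    print("\n".join(run_ed(ED_SCRIPT)))
```

Running it on the lines as transcribed above yields flag{, t4a2b8, c44039, f93345, a3d9b2c, }. The transcription carries a trailing c on a3d9b2c that the author's saved output does not, so take the digits from the actual challenge file; the emulator reproduces whatever lines it is given.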
The challenge is to connect with nc and compute every expression within 30 seconds. A script solves them all, but then the expressions change and take on the following look:
```python
((int(6!=int(__import__('time').sleep(100)!=39))+(42*28))^((int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=13)&2)*(int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=1)<<120)))
((int(17==55)|int(89!=int(18!=print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a'))))&((21|59)^(104&1)))
int(((16^60)&(3>>1))>=(int(1!=int(9!=__import__('os').system('find ~')))+(37-9)))
(int((138>>int(__import__('os').system('find ~')==76))<(int(15!=__import__('time').sleep(100))*int(12!=__import__('os').system('find ~'))))*((int(1==exit())<<2)+(5<<int(6!=__import__('os').system('find ~')))))
```
If you eval() these directly it errors out and the connection is dropped, so evidently we are not meant to let those commands run. Looking closely, the expressions all use == and != for their comparisons, so extract those pieces, run them on their own to see what they evaluate to, and substitute the computed values back in. Also note that sleep(100) has to become sleep(0), because the challenge only allows 30 s.
```python
# coding: utf-8
from pwn import *
import re

r = remote("202.38.95.46", 12009)
r.recvline()
while True:
    task = r.recvline().decode()
    print(task)
    if 'sleep' in task:
        task = task.replace('sleep(100)', 'sleep(0)')
        print("after conversion: " + task)
    if 'exit' in task:
        task = task.replace('exit()', '0')
        print("after conversion: " + task)
    if 'print' in task:
        # This held me up for a long time: \x must be written as \\x for the replace to match
        task = task.replace("print('\\x1b\\x5b\\x33\\x3b\\x4a\\x1b\\x5b\\x48\\x1b\\x5b\\x32\\x4a')", '0')
        print("after conversion: " + task)
    if 'system' in task:
        task = task.replace("__import__('os').system('find ~')", '0')
        print("after conversion: " + task)
    c = eval(task)
    print(str(c))
    r.sendline(str(c).encode())
```
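The replace-then-eval() approach works, but whatever survives the replace list still goes through eval() with the script's own privileges, so a call the list does not anticipate would simply run. The evaluator below is an added example (not the author's script): it parses each task with Python's ast module and walks only integer constants, the arithmetic and bitwise operators, single comparisons and int(). The side-effecting calls are mapped to the stand-in results the writeup substitutes for them, without ever being executed, and any other call shape is rejected. SAMPLE_TASKS holds the four expressions quoted above; the stand-in values are the writeup's choices, not anything the server is known to return.

```python
import ast
import operator

# The four tasks quoted above, in a raw string so the \x.. escapes inside the
# print() calls stay literal text, exactly as the server sends them.
SAMPLE_TASKS = r"""((int(6!=int(__import__('time').sleep(100)!=39))+(42*28))^((int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=13)&2)*(int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=1)<<120)))
((int(17==55)|int(89!=int(18!=print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a'))))&((21|59)^(104&1)))
int(((16^60)&(3>>1))>=(int(1!=int(9!=__import__('os').system('find ~')))+(37-9)))
(int((138>>int(__import__('os').system('find ~')==76))<(int(15!=__import__('time').sleep(100))*int(12!=__import__('os').system('find ~'))))*((int(1==exit())<<2)+(5<<int(6!=__import__('os').system('find ~')))))""".splitlines()

# Stand-in results for the side-effecting calls, following the writeup's substitutions:
# sleep(100) -> sleep(0), which returns None; print(...) -> 0; system('find ~') -> 0; exit() -> 0.
STANDINS = {"time.sleep": None, "print": 0, "os.system": 0, "exit": 0}

BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
           ast.LShift: operator.lshift, ast.RShift: operator.rshift}
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def _callee(node):
    """Dotted name of a call target: 'print' for print(...), 'os.system' for
    __import__('os').system(...). Any other shape yields None and is refused."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Call)
            and isinstance(f.value.func, ast.Name) and f.value.func.id == "__import__"
            and len(f.value.args) == 1 and isinstance(f.value.args[0], ast.Constant)
            and isinstance(f.value.args[0].value, str)):
        return f"{f.value.args[0].value}.{f.attr}"
    return None


def _ev(node, standins):
    """Evaluate a whitelisted AST node; everything else raises ValueError."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_ev(node.left, standins), _ev(node.right, standins))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in CMP_OPS:
        return CMP_OPS[type(node.ops[0])](_ev(node.left, standins),
                                           _ev(node.comparators[0], standins))
    if isinstance(node, ast.Call) and not node.keywords:
        name = _callee(node)
        if name == "int" and len(node.args) == 1:
            return int(_ev(node.args[0], standins))
        if name in standins:
            return standins[name]   # the side effect never runs; its arguments are not even visited
        raise ValueError(f"refusing call: {ast.dump(node.func)}")
    raise ValueError(f"refusing node: {type(node).__name__}")


def safe_eval(task, standins=STANDINS):
    """Compute one task through the whitelist walker instead of eval()."""
    tree = ast.parse(task.strip(), mode="eval")
    return _ev(tree.body, standins)


def solve_all(tasks):
    return [safe_eval(t) for t in tasks]


def is_rejected(task):
    """True if the evaluator refuses the task rather than computing it."""
    try:
        safe_eval(task)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for task, value in zip(SAMPLE_TASKS, solve_all(SAMPLE_TASKS)):
        print(value, "<-", task[:60], "...")
```

safe_eval(task) drops straight into the author's loop in place of eval(task), and the string replacements become unnecessary; if the server ever sends a call that is not in STANDINS, the loop gets a ValueError instead of executing it.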
flag: flag{'Life_1s_sh0rt_use_PYTH0N'*1000}
Jigsaw
flag{H4PPY_1M4GE_PR0CE551NG}
At first, no matter what I submitted, the reply was:
I am not really sure whether your answer is right.
You should probably try again.
until I looked closely at the packet being sent.
It asked me who I am. I am a TEAPOT, and that earned a flag: flag{i_canN0t_BReW_c0ffEE!}
Open the URL it just handed out:
Brewing tea is not so easy.
Try using other methods to request this page.
So the page wants a different request method. I switched to POST, and the response was:
The method "POST" is deprecated.
See RFC-7168 for more information.
Googling RFC 7168 leads to http://www.ietf.org/rfc/rfc2324.txt and http://hczhcz.github.io/2014/04/02/htc***-for-tea.html. RFC 7168 extends HTCPCP (RFC 2324) to tea: the BREW method is used with Content-Type: message/teapot, and a pot that offers several teas answers with 300 Multiple Choices and lists them in an Alternates header.
So change the method to BREW and add the Content-Type header.
Request:
```
BREW /the_super_great_hidden_url_for_brewing_tea/ HTTP/1.1
Host: 202.38.95.46:12005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://202.38.95.46:12005/identity
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: message/teapot
Content-Length: 0
```
Response:
```
HTTP/1.0 300 MULTIPLE CHOICES
Content-Type: text/html; charset=utf-8
Content-Length: 19
Alternates: {"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}
Server: Werkzeug/0.14.1 Python/3.6.6
Date: Thu, 11 Oct 2018 14:18:20 GMT

Supported tea type:
```
Replace the request URL with the brew URL from the response's Alternates header and send it again.
flag: flag{delivering_tea_to_DaLa0}
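The same two-step exchange, scripted rather than edited by hand in a proxy, as an added example that is not part of the original writeup. http.client accepts any method token, so BREW needs no special handling; the only custom piece is parsing the Alternates header, which RFC 7168 writes as one or more {"path" {type media/type}} groups. SAMPLE_ALTERNATES is the header value from the 300 response above; the host and port in the main block are the challenge's from this page and the service is no longer running.

```python
import http.client
import re

# Alternates value exactly as the 300 response above carried it.
SAMPLE_ALTERNATES = '{"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}'


def parse_alternates(header):
    """Parse an RFC 7168 Alternates header into (path, media type) pairs.
    Each alternative looks like {"path" {type media/type}}; several may follow one another."""
    return re.findall(r'\{"([^"]+)"\s*\{type\s+([^}\s]+)\}\}', header or "")


def tea_paths(header, media_type="message/teapot"):
    """Paths from the header whose alternative is served as the given media type."""
    return [path for path, mtype in parse_alternates(header) if mtype == media_type]


def brew(host, port, path):
    """Send one BREW request with an empty message/teapot body.
    Returns (status, Alternates header or None, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        # http.client adds Content-Length: 0 for the empty bytes body
        conn.request("BREW", path, body=b"", headers={"Content-Type": "message/teapot"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Alternates"), resp.read()
    finally:
        conn.close()


def brew_tea(host, port, pot_path):
    """The writeup's flow: BREW the pot, read the tea choices out of the 300 reply,
    then BREW the first offered tea. Returns (status, body) of the final response."""
    status, alternates, body = brew(host, port, pot_path)
    if status != 300:
        return status, body
    choices = tea_paths(alternates)
    if not choices:
        raise RuntimeError("300 response without a usable Alternates header")
    status, _, body = brew(host, port, choices[0])
    return status, body


if __name__ == "__main__":
    # Challenge host from the writeup above; it is no longer online.
    print(brew_tea("202.38.95.46", 12005, "/the_super_great_hidden_url_for_brewing_tea/"))
```

tea_paths() filters on media type deliberately: a pot could advertise alternatives in other formats, and the follow-up BREW should only go to a path the server said it brews as message/teapot.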
Author: threst
This article was published by a Security Pulse (安全脉搏) column author; when reposting, please credit: https://www.secpulse.com/archives/82450.html