修改js中控制个数的位数,word文档直接打开就有flag.txt
请使用最新版黑曜石浏览器(HEICORE)打开。
搜索到这个浏览器,一看就是假的,无法直接查看源代码,在url前面添加view-source:,注意要看.html的源代码,不是.php的,因为这个是404页面
view-source:https://heicore.com/index.html
1. < script type="text/javascript" >
2. function isLatestHEICORE() {
3. var ua = navigator.userAgent;
4. var HEICORE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) HEICORE/49.1.2623.213 Safari/537.36";
5. return ua === HEICORE_UA;
6. }
源文件如下:
1. q
2. ed
3. a
4. flag{
5. .
6. a
7. 44a2b8
8. a3d9b2c
9. c44039
10. f93345
11. }
12. .
13. 2m3
14. 2m5
15. 2m1
16. 2
17. s/4/t
18. q
19. q
开始一直用strings,cat之类的命令来查看,以为可以,尝试各种组合,结果一直答案错误,然后队长说按照他这个提示自己输入就可以了
保存为新的文件,打开看看
1. flag{
2. t4a2b8
3. c44039
4. f93345
5. a3d9b2
6. }
真的和之前的flag不一样了
flag:flag{t4a2b8c44039f93345a3d9b2}
题目就是连接nc,在30秒内算出所有的式子,写个脚本就可以全部解开,可是之后的式子就变了,变成下面的画风了
((int(6!=int(__import__('time').sleep(100)!=39))+(42*28))^((int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=13)&2)*(int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=1)<<120)))
((int(17==55)|int(89!=int(18!=print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a'))))&((21|59)^(104&1)))
int(((16^60)&(3>>1))>=(int(1!=int(9!=__import__('os').system('find ~')))+(37-9)))
(int((138>>int(__import__('os').system('find ~')==76))<(int(15!=__import__('time').sleep(100))*int(12!=__import__('os').system('find ~'))))*((int(1==exit())<<2)+(5<<int(6!=__import__('os').system('find ~')))))
如果直接eval()的话会报错,直接退出连接了,看起来不能让他执行这些命令,仔细观察这些式子发现都是==,!=来判断,所以把这些提取出来单独运行试试值为多少。再将这些结果替换为算出来的值就可以了,另外注意sleep(100)要改成sleep(0),因为题目只限30s.
1. #coding:utf-8
2. from pwn import *
3. import re
4. r = remote("202.38.95.46",12009)
5. r.recvline()
6. while True:
7. task = r.recvline()
8. print(task)
9. if 'sleep' in str(task):
10. task = str(task)
11. task = task.replace('sleep(100)','sleep(0)')#
12. print "转换后:"+task
13. if 'exit' in str(task):
14. task = str(task)
15. task = task.replace('exit()','0')
16. print "转换后:"+task
17. if 'print' in str(task):
18. task = str(task)
19. task = task.replace("print('\\x1b\\x5b\\x33\\x3b\\x4a\\x1b\\x5b\\x48\\x1b\\x5b\\x32\\x4a')",'0')#困扰很久,\x要转义\\x才可以替换
20. print "转换后"+task
21. if 'system' in str(task):
22. task = str(task)
23. task = task.replace("__import__('os').system('find ~')",'0')
24. print "转换后"+task
25. else:
26. print ''
27. c = eval(task)
28. print str(c)
29. r.sendline(str(c))
flag:flag{'Life_1s_sh0rt_use_PYTH0N'*1000}
拼图
flag{H4PPY_1M4GE_PR0CE551NG}
一开始无论提交什么都是
I am not really sure whether your answer is right.
You should probably try again.
直到仔细看到发送的数据包
他问我是谁,我是TEAPOT,喜提一枚flagflag{i_canN0t_BReW_c0ffEE!}
点开刚才给的url
Brewing tea is not so easy.
Try using other methods to request this page.
翻译过来就是
泡茶不是那么容易。
尝试使用其他方法来请求此页面。
果断改成POST,结果提示
The method "POST" is deprecated.
See RFC-7168 for more information.
谷歌到rfc-7168,http://www.ietf.org/rfc/rfc2324.txt,http://hczhcz.github.io/2014/04/02/htc***-for-tea.html
修改成BREW,再添加Content-Type
请求:
1. BREW /the_super_great_hidden_url_for_brewing_tea/ HTTP/1.1 2. Host: 202.38.95.46:12005 3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0 4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 6. Accept-Encoding: gzip, deflate 7. Referer: http://202.38.95.46:12005/identity 8. Connection: close 9. Upgrade-Insecure-Requests: 1 10. Cache-Control: max-age=0 11. Content-Type: message/teapot 12. Content-Length: 0
响应:
1. HTTP/1.0 300 MULTIPLE CHOICES
2. Content-Type: text/html; charset=utf-8
3. Content-Length: 19
4. Alternates: {"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}
5. Server: Werkzeug/0.14.1 Python/3.6.6
6. Date: Thu, 11 Oct 2018 14:18:20 GMT
7.
8. Supported tea type:
把响应的url替换成brew的url,再发送
flag:flag{delivering_tea_to_DaLa0}
本文作者:threst
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/82450.html
必填 您当前尚未登录。 登录? 注册
必填(保密)