2. 程式人生 > >百度杯二月Reverse場Project的writeup

百度杯二月Reverse場Project的writeup

阿新 發佈:2019-01-07

在看完題解之後學習的一發,然後全部按照自己的writeup再次整理做題,鞏固一發

開啟IDA和OD,希望搜尋到有用的字串(Input the flag的提示資訊),但是發現根本找不到,搜尋strings會找到這個:

根據查到的資料,這24個字元構成了一種編碼方式:base24

所以找到這個字串的使用的地方:00404820函式處

可以看到如下幾個特徵:


這兒是很明顯的兩位一個值,然後把v6和v7拼起來的(相當於base24解碼),最終存在了v15裡面(v5是個變數值,作為計數器使用的)

那麼,我們需要構造的輸入,是兩位兩位一組的,然後使用base24解碼,可以得到某種需要處理的值

看到這裡四個方向,然後v8的值是v15 & 0xf,主要是底下一個是加號,一個是減號,然後的跳轉都是LABEL_11

上面的兩個跳轉都是LABEL_14,可以猜想到是不是4個方向,上下左右控制的(百度杯好多這種方向題)

那麼,v8是控制步長的,v15>>4是控制方向的

看到0xC的404AA0函式,有這種的程式碼:

可以猜想,40A6EC這個值是記錄我在迷宮裡總共走了多少步的,40A018這個值是記錄我在迷宮裡的位置的(這個17,就會是一行總共17個元素,相當於向下走了一行)

根據這樣的方向,0xC對應向下,0xE對應向上,0xD對應向左,0xF對應向右

那麼地圖的資料從哪兒來的?

看到v3這個值,是由四個資料構成的,然後我們找到這些資料的所在地方,根據資料計算得到地圖:

所以起點在(1,0),終點在(15,16)

然後再看到我們的結束條件是什麼?

我們在迷宮中總的移動步數是54步,最終的位置座標是271,也就是(15,16)

那麼我們只需要得到行走的路徑(使用ACM的廣搜或者深搜都是可以的)

然後得到往上走幾步,往下走幾步的一個移動路徑,使得可以滿足:從起點到終點的移動總步數為54步

因為這個會是整數值,比如3表示往右走3步,17表示往下走一步

然後根據題意得四個方向以及base24編碼的加密原理,對我們的移動路徑加密即可

路徑為:

( 1 , 0 )--> ( 1 , 1 )--> ( 1 , 2 )--> ( 1 , 3 )--> ( 2 , 3 )--> ( 3 , 3 )--> ( 3 , 4 )--> ( 3 , 5 )--> ( 2 , 5 )--> ( 1 , 5 )--> ( 1 , 6 )--> ( 1 , 7 )--> ( 1 , 8 )--> ( 1 , 9 )--> ( 1 , 10 )--> ( 1 , 11 )--> ( 2 , 11 )--> ( 3 , 11 )--> ( 4 , 11 )--> ( 5 , 11 )--> ( 5 , 10 )--> ( 5 , 9 )--> ( 5 , 8 )--> ( 5 , 7 )--> ( 5 , 6 )--> ( 5 , 5 )--> ( 6 , 5 )--> ( 7 , 5 )--> ( 7 , 4 )--> ( 7 , 3 )--> ( 8 , 3 )--> ( 9 , 3 )--> ( 9 , 2 )--> ( 9 , 1 )--> ( 10 , 1 )--> ( 11 , 1 )--> ( 12 , 1 )--> ( 13 , 1 )--> ( 13 , 2 )--> ( 13 , 3 )--> ( 13 , 4 )--> ( 13 , 5 )--> ( 14 , 5 )--> ( 15 , 5 )--> ( 15 , 6 )--> ( 15 , 7 )--> ( 15 , 8 )--> ( 15 , 9 )--> ( 15 , 10 )--> ( 15 , 11 )--> ( 15 , 12 )--> ( 15 , 13 )--> ( 15 , 14 )--> ( 15 , 15 )--> (15 , 16)

路徑整數值為: 
goto = [3,34,2,-34,6,68,-6,34,-2,34,-2,68,4,34,11]

最終的flag為: 
X6T7X7W7X2T4V2T7V7T7V7T4X4T7XT

然後附錄上自己的py程式碼: 
d_6a0 = [0x87,0xae,0x99,0x3c,0x59,0x41,0x2e,0x1d,0x84,0x23,0x30,0x23,0x26,0x10,0x83,0x5,0x29,0x9d,0xa0,0x16,0xdb,0x41,0x72,0xe7,0x4f,0x64,0x7b,0x8b,0xfe,0x4b,0xff,0x8b,0xf8,0x70,0xa8,0xf3,0x1d,0x20,0x4,0x2a,0x46,0x12,0x74,0x17,0xaa,0x2f,0x23,0xd,0x8e,0xce,0xd5,0x1c,0xe8,0x34,0x7a,0xfa,0x27,0x40,0xe2,0x81,0x3a,0xcb,0xaf,0xff,0x6,0x3,0xe0,0xdd,0x43,0xe9,0xd8,0x9b,0x39,0x52,0xdb,0x57,0x9c,0x73,0x98,0x80,0x46,0xdd,0xa5,0xd8,0xec,0x51,0xde,0x98,0xd7,0x18,0x3d,0xd8,0x7e,0x6,0xdd,0xa0,0x5c,0xd0,0xcd,0x27,0x1f,0x39,0xc6,0x79,0x0,0x93,0xde,0x68,0xd8,0x57,0x53,0x7f,0x10,0x5a,0x3c,0x2c,0x58,0xd8,0x71,0xaa,0x6c,0x7c,0x2e,0x54,0x31,0x74,0x15,0x50,0xd,0xd1,0x88,0x4e,0x98,0xca,0x71,0x99,0xdc,0xf4,0x7e,0x22,0x1b,0x95,0xb,0xfb,0x18,0xea,0x70,0x41,0x8e,0x2b,0x35,0x54,0x32,0xe3,0xff,0xf4,0x75,0x2a,0xbb,0xeb,0x70,0x73,0xc,0x3b,0x90,0x9c,0x31,0x66,0x8c,0xfd,0xd6,0xe6,0x82,0x2e,0xba,0x97,0xdc,0xa2,0x8e,0xd,0xe9,0x72,0x85,0x7,0x1d,0xe2,0x20,0x6c,0x3d,0xa,0x8d,0xa9,0x1,0x5b,0x91,0xb5,0xa2,0x8b,0xd5,0xdc,0x20,0xd5,0x3f,0x7e,0x14,0xae,0x97,0x25,0xfd,0xf,0x43,0x2f,0x12,0xbc,0xc5,0x28,0x2a,0x62,0x35,0xf,0xfc,0x99,0xf6,0x35,0xda,0xc0,0xf,0xe9,0x49,0x49,0x6,0x1d,0x37,0xfa,0x0,0xab,0x47,0xd7,0xc2,0x15,0x39,0x42,0xeb,0x5e,0x13,0x16,0x66,0x82,0xc5,0x89,0x41,0xd2,0x34,0xf9,0x73,0x73,0x4a,0x6,0xcd,0x6,0xc7,0xe9,0xd2,0xc9,0xec,0x69,0xd8,0x4,0x32,0x21,0x43,0xc7,0xc6,0xf0,0x9,0x90,0x11,0xde,0xfe,0xc1,0xef,0x9e,0xac,0x22,0xfd,0x92,0x61,0x59,0x1e]
d_2c0 = [0x10,0x27,0x1b,0x44,0x2e,0x30,0x99,0x7f,0x1f,0xb8,0xb1,0xab,0x78,0x90,0x3a,0x58,0x9e,0x1d,0x9b,0x5d,0x58,0x55,0x3,0x7e,0x28,0x3,0x1a,0x13,0x1c,0x11,0x77,0x27,0x60,0x6,0x93,0x5f,0x56,0xe,0x7d,0x5c,0x29,0x7a,0x10,0x62,0x9e,0x87,0xa3,0xb9,0x6b,0x63,0xbf,0x53,0x4d,0xad,0x16,0xb0,0x15,0x7c,0x71,0xbf,0x2,0xa4,0x2b,0x46,0x55,0x74,0x9d,0x43,0xa1,0x83,0x99,0x94,0x62,0x2d,0x5b,0x14,0x4f,0x18,0x3c,0x7,0x33,0xbc,0x29,0xb8,0x78,0x22,0x94,0xa0,0x5,0x2b,0x69,0x8a,0x4a,0x55,0x44,0x75,0x18,0xba,0xa1,0x3a,0x77,0x99,0x94,0x2e,0x72,0x59,0xba,0xa,0xb6,0x4b,0x6f,0x9,0x9b,0x30,0x41,0x92,0x2,0xbb,0x25,0x97,0xa0,0x58,0xa9,0x3d,0x99,0xac,0x6a,0x7d,0x51,0x5f,0x7,0xa,0x3f,0x58,0x15,0xb4,0x3,0x47,0x14,0x4c,0x79,0xa9,0x62,0x89,0x8e,0x87,0x2f,0xaa,0x12,0x40,0xb1,0x9d,0x4f,0x89,0x99,0x20,0x1a,0xb2,0x85,0x26,0x27,0xab,0x77,0x7c,0x21,0x6,0x46,0xac,0x3a,0x3e,0x13,0x21,0x0,0xb9,0x7f,0x4d,0xb2,0x8a,0x1b,0x88,0x51,0x3a,0x21,0x3a,0x7a,0x48,0xa1,0x7a,0xb2,0xae,0xbd,0x77,0x83,0x26,0x19,0x17,0x7,0xad,0xe,0x5f,0x42,0x7,0x5e,0x13,0x34,0x3,0xad,0x9e,0x6f,0x40,0x2e,0x73,0x27,0x70,0x5b,0x75,0x48,0x1c,0x69,0x95,0x8c,0x29,0x3b,0x3a,0x4c,0x19,0x56,0xa5,0x16,0x94,0x95,0x55,0x1,0x29,0x1d,0x28,0x3d,0x90,0x94,0x44,0x6e,0x32,0x8e,0x35,0xbb,0x2a,0x88,0x57,0xa1,0x4e,0x99,0x77,0x8e,0xa9,0xa5,0xb5,0x2b,0x8b,0x14,0x6c,0xb9,0x44,0x43,0x15,0x9f,0x2c,0xb9,0xa9,0x2,0x66,0x5c,0x86,0x97,0xa6,0xa4,0x14,0xb5,0xb1,0x51,0xa8,0x6f,0xa4,0x19,0xa9,0x20,0x38,0xa5,0xb1,0x7]
d_410 = [0x4c,0x11,0x29,0x16,0x5d,0x51,0x4d,0x3e,0x6f,0x3e,0x59,0x65,0x57,0x2c,0x5d,0x2c,0x46,0x56,0x3b,0x41,0x40,0x0,0x36,0x25,0x50,0x5a,0x4c,0x33,0x79,0x28,0x46,0x5e,0x6f,0x20,0xd,0x3a,0x8,0x13,0x3f,0x3e,0x6d,0x50,0x2,0x48,0x15,0x46,0x19,0x61,0x74,0x68,0x35,0x42,0x6f,0x56,0xd,0x18,0x14,0x39,0x30,0x5,0x8,0x6e,0x1a,0x67,0x40,0x68,0x6,0x5c,0x74,0x4f,0x4,0x6,0x51,0x6d,0x4b,0xb,0x6f,0x4b,0x50,0x60,0x2,0x17,0x18,0x48,0x54,0x49,0x4a,0x17,0x73,0x7,0x8,0x3c,0x26,0x45,0x7f,0x7e,0x26,0x30,0x3d,0x6,0xb,0x4d,0x43,0x1e,0x5,0x5d,0x5c,0x38,0x4c,0x5,0x2d,0x32,0x5a,0x2b,0xc,0x58,0x57,0x23,0x16,0x2b,0x55,0xb,0x7b,0x61,0x3d,0x73,0x1d,0x2c,0x9,0x42,0x5a,0x3f,0x34,0x54,0x25,0xf,0x6f,0x68,0x5c,0x56,0x16,0x3a,0x55,0x5e,0x62,0x6c,0x3b,0x7c,0x60,0x2a,0x18,0x5a,0x22,0xe,0x32,0x7a,0x34,0x41,0x1b,0x78,0x51,0x64,0x4,0x10,0x57,0x2e,0x52,0x5f,0x79,0x56,0x74,0x6e,0x34,0x33,0x73,0x6c,0x4,0x22,0x4a,0x3b,0x57,0x28,0x79,0x2f,0x42,0x58,0x55,0x12,0x73,0x77,0x22,0x6b,0x67,0x5f,0x63,0x7f,0x5d,0x21,0x71,0x19,0xa,0x6e,0x4b,0x7,0xe,0x38,0x2d,0x65,0x27,0x14,0x64,0x1e,0x24,0x63,0x60,0x2f,0x1d,0x31,0xb,0x2e,0x62,0x5d,0x59,0xb,0x31,0x7a,0x20,0x17,0x2c,0x76,0x2b,0x42,0x9,0x79,0xa,0x29,0xc,0x10,0x2b,0x50,0x32,0xb,0x2f,0x2b,0x30,0x24,0x76,0x64,0x1b,0x61,0x7c,0x58,0x69,0x3b,0x69,0x63,0x18,0x7f,0x63,0x5d,0x2d,0x75,0x27,0x64,0x60,0x40,0x58,0x5c,0x16,0x5,0x16,0x35,0xf,0x4f,0x53,0x6c,0x61,0x32,0x62,0x55,0x25,0x2f,0x51,0x17,0x70,0x58,0x79,0x78,0x5]
d_550 = [0x4a,0x77,0x58,0x61,0x19,0x1f,0x69,0x23,0x2b,0x5c,0x27,0x22,0x6,0x53,0x5b,0x30,0x70,0x2a,0x0,0xa,0x43,0x13,0x3b,0x74,0x17,0xd,0x15,0x65,0x69,0x31,0x42,0x4e,0x29,0x55,0x2d,0x72,0x42,0x1b,0x39,0x38,0x1,0x17,0x61,0x2c,0x1e,0x62,0x66,0x52,0x70,0x45,0x34,0xc,0x36,0x42,0x5f,0x32,0x1e,0x3,0x63,0x39,0x30,0x0,0x6a,0x51,0x13,0xf,0x77,0x41,0x6d,0x1b,0x3c,0x8,0x9,0x11,0x34,0x37,0x63,0x1f,0x53,0x27,0x72,0x4a,0x73,0x17,0x3f,0x29,0x0,0x21,0x5f,0x2b,0x4c,0x16,0xe,0xe,0x1a,0x57,0x1e,0x39,0x2f,0x16,0x5d,0x52,0xe,0x39,0x6c,0x6c,0x7,0x2a,0x21,0x16,0xe,0x43,0x30,0x3e,0x70,0x66,0x2,0x40,0x3d,0x11,0x77,0x18,0xc,0x8,0x6b,0x64,0x62,0x1,0x53,0x4c,0x35,0x4,0x73,0x3e,0x3f,0x1d,0x6f,0x4a,0xd,0x18,0x4b,0x1,0x13,0x14,0x33,0x0,0x23,0x6f,0x3b,0x40,0x6b,0x6f,0x5a,0x5b,0x34,0x5a,0x3b,0x56,0x23,0x55,0x6,0x73,0x77,0x36,0x5a,0x6c,0x25,0x6b,0x3d,0x6c,0x50,0x59,0x4d,0x64,0x51,0x6e,0x69,0x5,0x4a,0x4a,0x60,0x1f,0x2a,0xd,0x24,0x51,0x2b,0x3,0x1c,0x2c,0xe,0x72,0x1b,0x1e,0x25,0x23,0x48,0x4,0x6a,0x6a,0x58,0x64,0x16,0x65,0x11,0x75,0xc,0x55,0x6a,0x3a,0x8,0x3d,0x10,0x69,0x3d,0x2e,0x44,0x4c,0x50,0x6b,0xd,0x52,0x74,0x4,0x65,0x5f,0x39,0x35,0x33,0x66,0x68,0x5,0x2d,0x5a,0x13,0x5a,0x6e,0x36,0x2a,0x1,0x24,0x64,0x35,0x40,0x77,0x17,0x77,0x71,0x48,0x65,0x5b,0x4c,0x50,0x15,0x6c,0x62,0x49,0xe,0x76,0xc,0x51,0x38,0x6a,0x78,0x13,0x5,0x9,0x51,0x1a,0x42,0x9,0xc,0x41,0x6,0x59,0x17,0x42,0x3c,0x4c,0x13,0x5a,0xa,0x63,0x73,0x6c,0x51,0x4a,0x6f,0x13]

t = []
for i in xrange(289):
    tmp = ((d_6a0[i] ^ d_2c0[i]) - d_410[i]) & 0xff
    if tmp == d_550[i]:
        t += [i]
#print t

s = ''
mp = ''
for i in xrange(289):
    if i in t:
        s += '0'
        mp += '0'
    else:
        s += '1'
        mp += '1'
    if i % 17 == 16:
        s += '\n'
    else:
        s += ' '
print s

mapsize = 30
dirsize = 4
a = [[0] * mapsize for i in range(mapsize)]
dx = [1,0,0,-1]
dy = [0,1,-1,0]

def printans(i,j):
    global point
    point += 1
    x = i - dx[a[i][j] - 1]
    y = j - dy[a[i][j] - 1]
    if x == 1 and y== 0:
        print '(',x,',',y,')-->',
        return
    else:
        printans(x,y)
    print '(',x,',',y,')-->',
    
def printans2(i,j):
    global goto
    x = i - dx[a[i][j] - 1]
    y = j - dy[a[i][j] - 1]
    if x == 1 and y== 0:
        goto += [a[i][j]]
        return
    else:
        printans2(x,y)
        #print a[i][j],
        goto += [a[i][j]]

def getans(i,j):
    global a
    #global flag
    #if flag == True:
        #return
    if i==15 and j==16:
        print 'Yes'
        printans(i,j)
        print '(15 , 16)'
        printans2(i,j)
        #flag = True
        return
    else:
        for k in range(0,dirsize):
            newi = i + dx[k]
            newj = j + dy[k]
            if (newi > 0 and newi < 17 and newj > 0 and newj < 17 and mp[newi*17+newj] == '0' and a[newi][newj] == 0):
                a[newi][newj] = k+1
                getans(newi,newj)

point = 1
goto = []
simple = []
getans(1,0)
print goto

dirc = [0,17,1,-1,-17]
tmp = 0
number = 0
for i in goto:
    if number == 0:
        tmp = i
        number += 1
    elif i == tmp:
        number += 1
    else:
        simple += [dirc[tmp] * number]
        tmp = i
        number = 1
simple += [dirc[tmp] * number]
print simple

string = 'BCDFGHJKMPQRTVWXY2346789'
def decode(num):
    global flag
    if num > 0:
        if num % 17 == 0:
            flag += string[0xc] + string[23 - num / 17]
        else:
            flag += string[0xf] + string[23 - num]
    else:
        if num % 17 == 0:
            flag += string[0xe] + string[23 + num / 17]
        else:
            flag += string[0xd] + string[23 + num]
flag = ''
for i in simple:
    decode(i)
print flag

題目連結:

官方題解:

相關推薦

二月ReverseProject的writeup

在看完題解之後學習的一發,然後全部按照自己的writeup再次整理做題,鞏固一發 開啟IDA和OD,希望搜尋到有用的字串(Input the flag的提示資訊),但是發現根本找不到,搜尋strings會找到這個: 根據查到的資料,這24個字元構成了一種編碼方式:base

二月web-include By Assassin [檔案包含漏洞]

開啟題目連結可以看到 這就是典型的檔案包含漏洞(當然題目中也是告訴你了,就是檔案包含漏洞),之前不是很瞭解檔案包含漏洞是什麼,在這裡實現了一下。 大概找了一下,有位大哥小小總結了一下技巧 1.基本的檔案包含漏洞: code : * 包含同路徑下的

2017-九月-upload

Upload 題目描述: 提示flag在flag.php中。應該是檔案包含型別。 進入題目: 首先嚐試進入flag.php檔案 http://e72bd1791da64736ae8929a2cac71695278337f40de044bb.game.ichun

”CTF比賽 2017 二月(Misc Web)

函數 ext time() info erro 一段 hello span clas 爆破-1: 打開鏈接,是502 我直接在後面加個變量傳參數:?a=1 出了一段代碼 var_dump()函數中,用了$$a,可能用了超全局變量GLOBALS 給hello參數

2017 二月第一週WP

1.禍起北荒 題目: 億萬年前 天子之子華夜,被父神之神末淵上神告知六荒十海之北荒西二旗即將發生一場“百度杯”的諸神之戰 他作為天族的太子必須參與到此次諸神之戰定六荒十海 華夜臨危受命,馬上帶著火鳳凰飛行到北荒“西二旗” 卻沒想到這六荒之首北荒西二旗果然名不虛傳,這是一個位於六層虛數空間上的時空大陸 他需要

i春秋 ”CTF比賽(二月) Misc&&web題解 By Assassin

爆破-1 開啟題目我們直接就看到原始碼,加上註釋如下 <?php include "flag.php"; //包含flag.php這個檔案 $a = @$_REQUEST['hello']; //$a

”CTF比賽 九月_YeserCMS

AD query live username 發現 data tps 報錯 註入 題目在i春秋ctf大本營 題目的提示並沒有什麽卵用,打開鏈接發現其實是easycms,百度可以查到許多通用漏洞 這裏我利用的是無限報錯註入 訪問url/celive/live/header

”CTF比賽 九月_123(文件備份,爆破,上傳)

lag 註釋 alt png 一個 頁面 圖片 比賽 src 題目在i春秋ctf訓練營 翻看源碼,發現提示: 打開user.php,頁面一片空白,參考大佬的博客才知道可能會存在user.php.bak的備份文件,下載該文件可以得到用戶名列表 拿去burp爆破:

”CTF比賽 九月_Test(海洋cms前臺getshell)

OS 技術分享 href 連接 post ive s/4 九月 hive 題目在i春秋ctf訓練營 又是一道cms的通用漏洞的題,直接去百度查看通用漏洞 這裏我使用的是以下這個漏洞: 海洋CMS V6.28代碼執行0day 按照給出的payload,直接訪問url+/sea

”CTF比賽 十月_Login

array flag -s mysql base ssi ech ken pan 題目在i春秋ctf大本營 打開頁面是兩個登錄框,首先判斷是不是註入 嘗試了各種語句後,發現登錄界面似乎並不存在註入 查看網頁源代碼,給出了一個賬號 用帳密登陸後,跳轉到到member.php

2018小訓—“”CTF比賽_九月_SQLi

sci ase dex https lock concat 圖片 數據庫 ack 題目源:  i春秋CTF大本營 小工具:  Burp Suite(抓包神器) 思路點用黃色加粗標記,操作點用綠色加粗標記 解題的流程:     1.點進去一片空白習慣性,看源碼。<!--

i春秋——“”CTF比賽 十月——Login

cat dex this HERE session wake ima base64 query 根據頁面源碼提示的 test1 test1 登錄 刷新此頁面並抓包,有個show=0值得關註 在發送的包的header中加一句show:1,即可得到member.ph

i春秋——“”CTF比賽 九月——123(Apache解析pht,phtml,php3等 php別名)

正則 並不是 src 內容 img 直接 ctf inf bubuko 網頁源碼提示用戶信息在user.php中,直接訪問是不會有顯示的,於是查找相應的備份文件,vim交換文件等,最後發現/user.php.bak 用burp采用如下配置開始爆破 最後爆破

i春秋——“”CTF比賽 九月——Test(海洋cms / seacms 任意代碼執行漏洞)

jpg com ctf比賽 ima 命令 () nbsp 上傳 菜刀 打開發現是海洋cms,那就搜索相關漏洞 找到一篇介紹海洋cms的命令執行漏洞的文章:https://www.jianshu.com/p/ebf156afda49 直接利用其中給出的poc /sea

i春秋 “”CTF比賽 十月 web題 Backdoor

解釋 而不是 tro base href alt backdoor pri eat 0x00: 打開題目,題目中告訴我們這題是文件泄露。 0x01: 通過掃描目錄,發現可以掃到的有3個文件 index.php flag.php robots.txt 但是瀏覽flag.

i春秋-十月-EXEC

進入網站,檢視原始碼,發現是用vim編輯,而抓包沒有有效資訊,加引數也無果。百度查了一下vim能形成什麼檔案。找到答案說,用vim編輯文字xxx.php中途退出,會自動建立一個檔案.xxx.php.swp。然後我們下載這個檔案。 用 vim -r 命令恢復檔案,得到原始碼: <html&g

i春秋-十月-vld

檢視原始碼,有提示,index.php.txt  ,  進入得到文字。 不太看得懂,後來百度,大致就是,flag1=.......&flag2=......&flag3=...... ,傳給index.php. 得到下一步,1chunqiu.zip。下載下來,檢視原始碼

i春秋-十月-fuzzing

1. 開啟連結,提示 show me key,抓包,傳值key=1,GET請求沒有用,而POST請求有返回。 2.將md5值直接拿去解密,得到key=ichunqiu105    OK,進入下一步。 3.得到提示, 拿到x0.txt的原始碼:發現正好是解密函式。 4.

i春秋 “”CTF比賽 十月Not Found

https://www.ichunqiu.com/battalion?t=1&r=0 這道題目考察的是HTTP的幾種請求方法,當我們使用GET方法請求網站根目錄時,會出現404錯誤,在返回頁面中出現X-Method欄位,值為haha,其實這就是在提示我們考慮請求方法,HTTP

i春秋 “”CTF比賽 十月 Exec

https://www.ichunqiu.com/battalion?t=1&r=0 進入題目連結,是一隻貓咪 檢視網頁原始碼: <html> <head> <title>blind cmd exec</title> &