Author: 颖奇L'Amore

Blog: www.gem-love.com

I played this five days ago; the challenges were all very simple. I had just finished De1CTF and was worn out, so I kept putting off the writeup. Today is 网鼎杯 (WangDing Cup), and two rounds of challenges have been released with no web at all (speechless), so I'm taking a moment to write the WP.

There were 5+1 web challenges in total (one of them is not in the web category), all of them warm-up level.


Are you the Master? 1 (546pt)

Nothing shows after opening the page, so view the HTML source:

<!DOCTYPE html>
<h1><b>Hello</b></h1><h2>Welcome to the best collision</h2><br><img src='extras/lol.webp'><!--view.php may help you -->

Go to view.php:

<!DOCTYPE html>
<?php
    include "./ans.php";
    error_reporting(0);
    echo "<h1><b>Hello</b></h1><h2>Welcome to the best collision</h2>";
    $black_list = "/admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|\'|";
    $black_list .= "=|_| |in|<|>|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
    if(preg_match($black_list, $_GET['one'])) exit(":P"); 
    if(preg_match($black_list, $_GET['two'])) exit(":P");
    $one=$_GET['one'];
    $two=$_GET['two'];
    if($one!=$two)
    {
        if(md5($one)==md5($two))
        {
            echo $ans;
        }
        else
        {
            echo "<br><img src='extras/easyhmm.webp'>";
        }
    }
    else
    {
        echo "<br><img src='extras/lol.webp'>";
    }
?>
<!--view.php may help you -->

Only the source is shown; there is no echo output and no highlight_file() or similar. This is the source of index.php, and view.php itself just does highlight_file('index.php'), so we go back to the main page to perform the collision.

A very simple md5 "collision": constructing strings whose md5 starts with 0e works, and so do arrays. Two methods:

?one[]=1&two[]=2

?one=s878926199a&two=s155964671a

After that we get:

<img src='..' height='200px' width='200px' onclick='alert(String.fromCharCode(104,116,116,112,115,58,47,47,116,105,110,121,117,114,108,46,99,111,109,47,121,56,116,52,104,121,52,117))'>

Clicking it pops up:

https://tinyurl.com/y8t4hy4u

Opening it leads to a Google Drive where two files can be downloaded, but there is no flag there; then I suddenly remembered that this challenge's flag is a URL.

flag: zh3r0{https://tinyurl.com/y8t4hy4u}
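To make the PHP `==` pitfall concrete from the defender's side, here is an added Python model (not from the original post or the challenge) of the comparison in index.php. It re-expresses the blacklist and PHP 7's numeric-string rule, shows why both payloads above reach `echo $ans`, and places a hardened version beside it. The PHP_NUMERIC regex, the function names, and the PHP 7 behaviours assumed in the comments (preg_match() on an array returns false, md5() of an array returns NULL) are my own assumptions for this demo.

```python
import hashlib
import hmac
import re

# The challenge's blacklist, re-expressed as a Python regex (constructed for this demo).
BLACKLIST = re.compile(
    r"admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|'|=|_| |in|<|>|-"
    r"|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep",
    re.IGNORECASE,
)

# PHP's notion of a numeric string: optional whitespace and sign, digits, optional fraction and exponent.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Model PHP 7's `==` on two strings: numeric-looking strings are compared as numbers."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)  # "0e123..." vs "0e456..." becomes 0.0 == 0.0
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def challenge_check(one, two) -> str:
    """Mirror the flow of index.php; returns 'blocked', 'same', 'flag' or 'nope'."""
    # Assumption: preg_match() on an array returns false (with a warning) in PHP 7,
    # so array parameters skip the filter entirely.
    for v in (one, two):
        if isinstance(v, str) and BLACKLIST.search(v):
            return "blocked"
    if one == two:
        return "same"
    # Assumption: md5() of an array returns NULL in PHP 7, and NULL == NULL is true.
    h1 = None if isinstance(one, list) else md5_hex(one)
    h2 = None if isinstance(two, list) else md5_hex(two)
    if h1 is None or h2 is None:
        return "flag" if h1 is h2 else "nope"
    return "flag" if php_loose_eq(h1, h2) else "nope"


def hardened_check(one, two) -> str:
    """Same flow with the two fixes: accept only strings, and compare digests strictly."""
    if not isinstance(one, str) or not isinstance(two, str):
        return "blocked"
    if BLACKLIST.search(one) or BLACKLIST.search(two):
        return "blocked"
    if one == two:
        return "same"
    # hmac.compare_digest plays the role of PHP's hash_equals(): byte-for-byte and constant time,
    # so "0e..." digests are no longer treated as equal numbers.
    return "flag" if hmac.compare_digest(md5_hex(one), md5_hex(two)) else "nope"


if __name__ == "__main__":
    for one, two in (("s878926199a", "s155964671a"), (["1"], ["2"])):
        print(one, two, "loose:", challenge_check(one, two), "strict:", hardened_check(one, two))
```

Both bypasses reach "flag" in `challenge_check` and "nope"/"blocked" in `hardened_check`; the fix in real PHP is the same pair of changes, `is_string()` on the input and `hash_equals()` (or at least `===`) on the digests.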


PIzza (50pt)

A password check form:

<form action="index.html" method="post">
<input type="text" id="pass" size="8" />
<br/>
<input type="submit" value="Check" onclick="verify(); return false;" />
</form>
</div>
</div>
<script src="res/script.js"></script>

Open script.js to look at the JS source:

function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(split*7, split*8) == '}') {
      if (checkpass.substring(split*6, split*7) == '3st1') {
        if (checkpass.substring(split*5, split*6) == 'h3_b') {
         if (checkpass.substring(split*4, split*5) == '1s_7') {
          if (checkpass.substring(split*3, split*4) == '1ta_') {
            if (checkpass.substring(split*2, split*3) == 'rgar') {
              if (checkpass.substring(split, split*2) == '0{Ma') {
                if (checkpass.substring(0,split) == 'zh3r') {
                  alert("You got the flag!")
                }
              }
            }
          }
         }
        }
      }
    }
}

You can see the flag has been cut up with substring(), so just concatenate the pieces:

flag:zh3r0{Margar1ta_1s_7h3_b3st1}
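As an added example (not the author's code), the Python script below reconstructs the flag from script.js automatically instead of by hand: it parses every `substring(start, end) == '...'` comparison, evaluates the offsets against `split`, and stitches the pieces together in offset order while checking for gaps and overlaps, so it works for any number of pieces, any `split` value, and any order of the checks. The checks embedded as SCRIPT_JS are copied from the listing above; the function names and the offset grammar (`N`, `split`, `split*N`) are my own. The lesson for a developer is the one this challenge teaches: anything the browser compares against is readable by the user, so a secret checked in client-side JavaScript is not a secret.

```python
import re

# The comparison lines from the challenge's script.js (copied from the listing above).
SCRIPT_JS = """
split = 4;
if (checkpass.substring(split*7, split*8) == '}') {
  if (checkpass.substring(split*6, split*7) == '3st1') {
    if (checkpass.substring(split*5, split*6) == 'h3_b') {
      if (checkpass.substring(split*4, split*5) == '1s_7') {
        if (checkpass.substring(split*3, split*4) == '1ta_') {
          if (checkpass.substring(split*2, split*3) == 'rgar') {
            if (checkpass.substring(split, split*2) == '0{Ma') {
              if (checkpass.substring(0,split) == 'zh3r') {
"""

# One substring(start, end) == 'literal' comparison.
CHECK = re.compile(r"checkpass\.substring\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*==\s*'([^']*)'")
# The split = N; assignment that the offsets are expressed in terms of.
SPLIT_ASSIGN = re.compile(r"\bsplit\s*=\s*(\d+)\s*;")


def eval_offset(expr: str, split: int) -> int:
    """Evaluate the tiny offset language used by the script: N, split, or split*N."""
    expr = expr.replace(" ", "")
    if expr.isdigit():
        return int(expr)
    if expr == "split":
        return split
    m = re.fullmatch(r"split\*(\d+)", expr)
    if m:
        return split * int(m.group(1))
    raise ValueError(f"unsupported offset expression: {expr!r}")


def reconstruct_flag(js_source: str) -> str:
    """Assemble the expected input from all substring checks, in offset order."""
    m = SPLIT_ASSIGN.search(js_source)
    if not m:
        raise ValueError("could not find the 'split = N;' assignment")
    split = int(m.group(1))

    pieces = {}
    for start_expr, end_expr, expected in CHECK.findall(js_source):
        start, end = eval_offset(start_expr, split), eval_offset(end_expr, split)
        pieces[start] = (end, expected)

    out, pos = "", 0
    starts = sorted(pieces)
    for i, start in enumerate(starts):
        end, expected = pieces[start]
        if start != pos:
            raise ValueError(f"gap or overlap at offset {start}")
        # substring() clips at the end of the input, so only the final piece may be
        # shorter than its window (here '}' inside the 28..32 window).
        short = len(expected) < end - start
        if len(expected) > end - start or (short and i != len(starts) - 1):
            raise ValueError(f"piece {expected!r} does not fit window {start}-{end}")
        out += expected
        pos = end
    return out


if __name__ == "__main__":
    print(reconstruct_flag(SCRIPT_JS))
```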


Cake (50pt)

An HTML comment:

<!--I think I saw a robot running with it-->

robots.txt:

User-agent: *
Disallow: /gdakdshlghuighuhgds.html

Visiting that page gives the flag: zh3r0{R0b0t_St0l3_My_P1um_C4k3}


Tasty Snacks (50pt)

The flag is right in the cookie: zh3r0{CooK13s_4r3_7asty}


pasta (150pt)

Viewing the source shows JSFuck; decoding it gives:

if (document.forms[0].sauce.value == "4ma7r1ci4na" && document.forms[0].type.value == "Rig4t0n1") document.location = "drhgbonaygaocvnwyrub.html"

Visiting drhgbonaygaocvnwyrub.html directly gives the flag: zh3r0{4ma7r1ci4na_is_4ws0m3}


Ice Cream (150pt)

Find out which is my favorite ice cream. It may contain a flag.

I have told it to my name server friends.

Author: Finch

No URL is given, but the description's keyword is "name server". The Rabbit Hole challenge Teacher Y set for MetasequoiaCTF earlier hid its information in a TXT record, so dig it:

zh3r0{Str4wberry_1c3cream_1s_4ws0me}

Original article by 颖奇L'Amore; when reposting, please credit the author and link to the article.

Permalink: https://www.gem-love.com/ctf/2314.html


Category: CTF

颖奇L'Amore

Most of the time also called Y1ng. Cisco Certified Internetwork Expert - Routing and Switching. CTF player for team r3kapig. Focus on Web Security. Islamic Scholar. Good at sleeping and fishing in troubled waters.
