文章

[极客大挑战 2019]EasySQL admin' or 1=1# [极客大挑战 2019]Havefun f12看源码 <!-- $cat=$_GET['cat']; echo $cat; if($cat=='dog'){ echo 'Syc{cat_cat_cat_cat}'; } --> /?cat=dog [HCTF 2018]WarmUp 看源码 <!--source.php--> <?php highlight_file(__FILE__); class emmm { public static function checkFile(&$page) { $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } echo "you can't see it"; return false; } } if (! empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file']) ) { include $_REQUEST['file']; exit; } else { echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; } ?> hint.php ...

Misc 泄漏的时间与电码(三血) 把log和chal的加密脚本直接扔给ai def solve(): timings = [ 1.110270, 0.924169, 1.139244, 0.670085, 0.915054, 1.154452, 0.224613, 0.329060, 0.774615, 0.279617, 0.954166, 0.430143, 0.414914, 1.224826, 1.310686, 1.265828, 0.110950, 1.225669, 1.404647, 0.575287, 1.455927, 0.975492, 0.305642, 0.835893, 1.245893, 0.569651, 1.060266, 0.149129, 0.844243, 1.294104, 0.079101, 0.914897, 1.025389, 0.270495, 0.225577, 0.654189, 1.385665, 0.755860, 0.450597, 0.950750, 0.839268, 1.015624, 0.895000, 0.794687, 1.064966, 1.200042, 0.559413, 0.980588, 0.525959, 0.514992, 0.629261, 0.489585, 1.089786, 0.880690, 1.374392, 0.789075, 0.814771, 1.455273, 1.050996, 0.234891, 1.074220, 0.099300, 1.319762, 0.935773, 0.454985, 0.425895, 0.704892, 1.095786, 1.165433, 1.295589, 0.749113, 0.885320, 1.244904, 0.659642, 0.635889, 0.435427, 0.520476, 0.870549, 0.890145, 1.125522, 1.064915, 0.399210, 0.865873 ] class LFSR: def __init__(self): self.lfsr = 0x92 def step(self): bit = ((self.lfsr >> 0) ^ (self.lfsr >> 2) ^ (self.lfsr >> 3) ^ (self.lfsr >> 4)) & 1 self.lfsr = (self.lfsr >> 1) | (bit << 7) return self.lfsr machine = LFSR() flag = "" inv_31 = pow(31, -1, 256) print(f"{'Time':<12} | {'Ops':<5} | {'Char':<5}") print("-" * 30) for t in timings: ops = round(t / 0.005) if ops % 2 == 0: base_ops = ops - 10 else: base_ops = ops - 10 - 30 val = ((base_ops - 85) * inv_31) & 0xFF k = machine.step() char_code = val ^ k char = chr(char_code) flag += char # 打印时间对应关系 print(f"{t:<12.6f} | {ops:<5} | {char:<5}") print("-" * 30) print(f"[+]Recovered: \n{flag}") if __name__ == "__main__": solve() ...

Misc Signin 直接改成?score=100就获得flag了 Speak Softly Love 是一个web端的系列社工题，给的是一个MP4 可以看到给到视频里面是东芝，题目的提示是8086,去油管检索一下看到原视频 第一问-视频ID:8ssDGBTssUI 这里用gpt检索一下这个人的信息，得到ip Mateusz Viste - homepage 他的页面说的是利用svn，dump一下他的网站 ...

题目：siem 某企业内网被攻破了，请分析出问题并给出正确的flag 虚拟机系统密码：wazuh-user/wazuh 账号密码admin/admin 介绍 wazuh/wazuh: Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads. ...

Week1 web Level 24 Pacman 直接去找源码，控制台赋值 _SCORE=100000 _LIFE=true; 得到之后进行base64,栅栏密码解密 Level 47 BandBomb 上传恶意EJS文件 创建一个包含EJS代码的文件，内容为读取flag的代码： aaa.ejs <%= process.env.FLAG || require('fs').readFileSync('/flag', 'utf8') %> 使用POST请求上传此文件到/upload接口。 ...