BUUCTF之[b01lers2020]Welcome to Earth
一开始查看源码和访问robots.txt都没有看到可用的信息,但是后来观察到浏览器上多访问了一个目录/die/
,于是把它去看看能访问什么
这时候在查看源代码,可以看到有可疑的链接/chase/
用浏览器访问/chase/
发现很快又跳转回来,所以用BurpSuite抓包
访问完/door/
的时候,突然就找不到突破口了。这里一直卡了很久。后来看别人的WP才知道要访问这里的/static/js/door.js
JavaScript代码:
// Run to scramble original flag
//console.log(scramble(flag, action));
function scramble(flag, key) {
for (var i = 0; i < key.length; i++) {
let n = key.charCodeAt(i) % flag.length;
let temp = flag[i];
flag[i] = flag[n];
flag[n] = temp;
}
return flag;
}
function check_action() {
var action = document.getElementById("action").value;
var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];
// TODO: unscramble function
}
因为是顺序被打乱了,所以这里把flag还原就可以了
from itertools import permutations
flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag)
for i in item:
k = ''.join(list(i))
if k.startswith('pctf{hey_boys') and k[-1] == '}':
print(k)