[b01lers2020]Welcome to Earth
进入网页,查看源代码:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>AMBUSH!</h1>
<p>You've gotta escape!</p>
<img src="/static/img/f18.png" alt="alien mothership" style="width:60vw;" />
<script>
document.onkeydown = function(event) {
event = event || window.event;
if (event.keyCode == 27) {
event.preventDefault();
window.location = "/chase/";
} else die();
};
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
async function dietimer() {
await sleep(10000);
die();
}
function die() {
window.location = "/die/";
}
dietimer();
</script>
</body>
</html>
发现还有/chase/
页面,输入url:
http://0ea6ac6c-7a7b-4791-b966-0a21b513f4eb.node4.buuoj.cn:81/chase/
打开Burp Suite拦截,防止页面变化,查看源代码:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>CHASE!</h1>
<p>
You managed to chase one of the enemy fighters, but there's a wall coming
up fast!
</p>
<button onclick="left()">Left</button>
<button onclick="right()">Right</button>
<img
src="/static/img/Canyon_Chase_16.png"
alt="canyon chase"
style="width:60vw;"
/>
<script>
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
async function dietimer() {
await sleep(1000);
die();
}
function die() {
window.location = "/die/";
}
function left() {
window.location = "/die/";
}
function leftt() {
window.location = "/leftt/";
}
function right() {
window.location = "/die/";
}
dietimer();
</script>
</body>
</html>
又发现还有/leftt/
页面:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>SHOOT IT</h1>
<p>You've got the bogey in your sights, take the shot!</p>
<img
src="/static/img/locked.png"
alt="locked on"
style="width:60vw;"
/>
</br>
<button onClick="window.location='/die/'">Take the shot</button>
<!-- <button onClick="window.location='/shoot/'">Take the shot</button> -->
</body>
</html>
发现/shoot/
页面:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>YOU SHOT IT DOWN!</h1>
<p>Well done! You also crash in the process</p>
<img src="/static/img/parachute.png" alt="parachute" style="width:60vw;" />
<button onClick="window.location='/door/'">Continue</button>
</body>
</html>
发现/door/
页面:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/door.js"></script>
</head>
<body>
<h1>YOU APPROACH THE ALIEN CRAFT!</h1>
<p>How do you get inside?</p>
<img src="/static/img/ship.png" alt="crashed ship" style="width:60vw;" />
<form id="door_form">
"176" />176
<input type="radio" name="side" value="177" />177
...
</form>
<button onClick="check_door()">Check</button>
</body>
</html>
发现/static/js/door.js
文件,输入url:
/static/js/door.js
得到js
文件:
function check_door() {
var all_radio = document.getElementById("door_form").elements;
var guess = null;
for (var i = 0; i < all_radio.length; i++)
if (all_radio[i].checked) guess = all_radio[i].value;
rand = Math.floor(Math.random() * 360);
if (rand == guess) window.location = "/open/";
else window.location = "/die/";
}
发现/open/
页面:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/open_sesame.js"></script>
</head>
<body>
<h1>YOU FOUND THE DOOR!</h1>
<p>How do you open it?</p>
<img src="/static/img/door.jpg" alt="door" style="width:60vw;" />
<script>
open(0);
</script>
</body>
</html>
发现/static/js/open_sesame.js
文件,输入url:
/static/js/open_sesame.js
得到js
文件:
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
function open(i) {
sleep(1).then(() => {
open(i + 1);
});
if (i == 4000000000) window.location = "/fight/";
}
发现/fight/
页面:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/fight.js"></script>
</head>
<body>
<h1>AN ALIEN!</h1>
<p>What do you do?</p>
<img
src="/static/img/alien.png"
alt="door"
style="width:60vw;"
/>
</br>
<input type="text" id="action">
<button onClick="check_action()">Fight!</button>
</body>
</html>
发现/static/js/fight.js
文件,输入url:
/static/js/fight.js
得到js
文件:
// Run to scramble original flag
//console.log(scramble(flag, action));
function scramble(flag, key) {
for (var i = 0; i < key.length; i++) {
let n = key.charCodeAt(i) % flag.length;
let temp = flag[i];
flag[i] = flag[n];
flag[n] = temp;
}
return flag;
}
function check_action() {
var action = document.getElementById("action").value;
var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];
// TODO: unscramble function
}
使用python
进行全排列并选择符合条件的排列:
from itertools import permutations
flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag)
for i in item:
k = ''.join(list(i))
if k.startswith('pctf{hey_boys') and k[-1] == '}':
print(k)
References