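Web challenge
Submitting arbitrary input shows that the parameter is passed via GET; change /?result=??1? to 2022.
Web challenge
After clicking the human verification, the computed answers must be submitted within 1 s.
Solution process:
1. After inspecting the page source, open the source of the submit page to find the setTimeout time limit, then remove view-source and capture the request.
The captured request shows that verification failed.
2. Send the request with a Python crawler.
Because of the competition token issue, the crawler did not succeed.
The official writeup uses the session in place of the token: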
import re
import requests
cookie = "session=.eJwVkMtOAmEMhd9ltkxC739r4oI4QLwQNTIa2IkhclGROEaI8d0ty56e037tb9UtD111VqFZIRD0IsRW1IBrMsUQNizmFiWUyQurgEtEcTdnc6KaCUCF_SR7oSBGdyyMKGA5Ek8J0RrDTz4lUjQQjdDiiK6umkuYCiEx1SGpZgUJYDlEChVnZRePRMHMJUUdgOLgBG7po0REylb6klvUDZRYa1IS0vAwdgpJVYgk4c3SpVIiA2FVXXW77fIjf5EXn02G7cXluJu9MXzt12Zzv1qOpP3pDq_N_PrmZXb7sL87jh-vdoun4wT6g_VwsBs1081H7_je6XfrQ9jum-fpor2bPjTfPRrD-6rZfG61f79qz6u_f-unW68.Y1-EWw.KC3X_Pptpp0_iEjja6EyMgCyGHc"
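# Fetch the captcha page with the existing session cookie
resp = requests.get('http://202.38.93.111:10047/xcaptcha',
                    headers={"Cookie": cookie})
text = resp.text
# The server issues a new session cookie with the captcha; reuse it for the POST
cookie = resp.headers['Set-Cookie']
# Extract the three "A+B" questions from the page text
mat = re.findall(r"(\d+)\+(\d+) 的结果是?", text)
r = requests.post('http://202.38.93.111:10047/xcaptcha', headers={
    "Cookie": cookie
}, data={
    # Python integers are arbitrary precision, so large operands are summed exactly
    "captcha1": int(mat[0][0]) + int(mat[0][1]),
    "captcha2": int(mat[1][0]) + int(mat[1][1]),
    "captcha3": int(mat[2][0]) + int(mat[2][1]),
})
print(r.text)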
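3. JavaScript in the F12 console
for (var i = 1; i <= 3; i++) {
    // Input box of the i-th captcha
    var a = document.getElementById('captcha' + i);
    // Question text from the first child of the parent element ("A+B 的结果是?")
    var b = a.parentElement.children[0].innerText;
    // Drop the 6-character suffix and split the two operands
    var c = b.substr(0, b.length - 6).split('+');
    // BigInt keeps the sum exact for operands larger than 2^53
    a.value = (BigInt(c[0]) + BigInt(c[1])).toString();
}
document.getElementById('submit').click();
I entered this in the F12 console, but my hands were too slow and it did not succeed.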
4. Another angle on the web challenge, from the official writeup
from selenium import webdriver
import selenium
from selenium.webdriver.common.by import By
from selenium.webdriver.support.wait import WebDriverWait
import time
options = webdriver.ChromeOptions()
# options.add_argument("--headless")
def wait_page_load(driver):
    # Explicit wait: block until an <h1> element is present (at most 3 s)
    # https://www.selenium.dev/documentation/webdriver/waits/#explicit-wait
    WebDriverWait(driver, timeout=3).until(lambda d: d.find_element(By.TAG_NAME, "h1"))

with webdriver.Chrome(options=options) as driver:
    # Log in with the token first (the token value is left empty on the page)
    driver.get("http://202.38.93.111:10047/?token=" )
    wait_page_load(driver)
    driver.get("http://202.38.93.111:10047/xcaptcha")
    wait_page_load(driver)
    #source = driver.page_source
    #print(source)
    # Each label reads "A+B ..."; take the first word and split it on "+"
    c1 = driver.find_element(By.CSS_SELECTOR, "[for=captcha1]").text.split()[0].split("+")
    c2 = driver.find_element(By.CSS_SELECTOR, "[for=captcha2]").text.split()[0].split("+")
    c3 = driver.find_element(By.CSS_SELECTOR, "[for=captcha3]").text.split()[0].split("+")
    print(c1, c2, c3)
    res1 = str(int(c1[0]) + int(c1[1]))
    res2 = str(int(c2[0]) + int(c2[1]))
    res3 = str(int(c3[0]) + int(c3[1]))
    print(res1, res2, res3)
    # Fill in the answers and submit from inside the page
    driver.execute_script(f"document.getElementById('captcha1').value='{res1}'")
    driver.execute_script(f"document.getElementById('captcha2').value='{res2}'")
    driver.execute_script(f"document.getElementById('captcha3').value='{res3}'")
    #time.sleep(1)
    driver.execute_script("document.getElementById('submit').click()")
    wait_page_load(driver)
    print(driver.page_source)
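Web challenge
Search for the key information in the challenge.
LaTeX is the editing format; search for how it reads files and how it operates on files in the root directory.
No relevant information was found for the second question; the official writeup gives \detokenize or \catcode as the approach.
Web challenge
This again tests information-gathering ability. Browsing the history on the official site shows an entry related to diff; after looking it up, add do=diff to the URL.
Link: official site, recent changes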
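1. JS side: the disabled button
When no number has been entered, the button is in an unclickable state. Opening the console at that point and removing the disabled attribute at the end of the input element is enough to obtain the flag.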
<input type="submit" id="submit" onclick="submit()" value="提交" disabled="">
2. Knowledge of IEEE 754
Looking at the page source and the Java code shows:
var isLess = guess < this.number - 1e-6 / 2;
var isMore = guess > this.number + 1e-6 / 2;
var isPassed = !isLess && !isMore;
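// isPassed is the flag; in theory a guess succeeds if it is within 1e-6 of the original number
For NaN, however, any number a is not equal to NaN, and neither a < NaN nor NaN < a holds. I tried passing NaN through an intercepted request; this method has not yet succeeded in practice, and passing it as guess from the HTML page in an intercepted request did not succeed.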
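The comparison behaviour described above, as an added example in JavaScript (not the challenge's own Java code): the same three-line check evaluated on constructed inputs, beside a hardened variant that rejects non-finite values. The secret value, EPS, and all function names are assumptions made for this illustration.

```javascript
// Added example with constructed values; not the challenge's code.
const EPS = 1e-6;

// Same structure as the snippet on the page: pass unless "less" or "more".
function isPassedOriginal(guess, number) {
  const isLess = guess < number - EPS / 2;
  const isMore = guess > number + EPS / 2;
  return !isLess && !isMore; // both comparisons are false for NaN
}

// Hardened form: validate the type first, then require closeness positively.
function isPassedHardened(guess, number) {
  if (typeof guess !== "number" || !Number.isFinite(guess)) return false;
  return Math.abs(guess - number) <= EPS / 2;
}

// Lenient parsing of the untrusted field (hypothetical helper).
function parseGuess(raw) {
  return Number.parseFloat(raw); // "NaN" and "abc" both yield NaN
}

// Run both checks over a list of raw inputs and collect the verdicts.
function evaluate(number, rawInputs) {
  return rawInputs.map((raw) => {
    const guess = parseGuess(raw);
    return {
      raw,
      original: isPassedOriginal(guess, number),
      hardened: isPassedHardened(guess, number),
    };
  });
}

// Constructed secret and inputs.
const SAMPLE = evaluate(0.123456, ["0.123456", "0.5", "NaN", "Infinity", "abc"]);
for (const row of SAMPLE) {
  console.log(`${row.raw}\toriginal=${row.original}\thardened=${row.hardened}`);
}
```

Expressing the pass condition as a single positive comparison means that any operand that cannot be ordered fails closed rather than open.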
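Web challenge
Viewing the source shows that the name field is injectable, and comparing the corresponding base64 shows that the name and score are concatenated directly into the HTML.
When that does not work, consider that when an image fails to load, the JS script in its onerror handler is executed.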