HGAME-week1 web write-up

Posted by admin

Hitchhiking_in_the_Galaxy

Opening the challenge shows this page:

image-20210201192836606

Intercept the traffic with Burp and click the blue title.

The response is:

image-20210201193022856

After changing the request method to POST, the response contains this message:

    只有使用"无限非概率引擎"(Infinite Improbability Drive)才能访问这里~

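After adding that, add the remaining request headers one at a time, following the hint in each response.

Finally the flag is returned: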

image-20210201193255940

POST /HitchhikerGuide.php HTTP/1.1
Host: hitchhiker42.0727.site:42420
User-Agent: Infinite Improbability Drive
Referer: https://cardinal.ink
X-Forwarded-For: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://hitchhiker42.0727.site:42420/index.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
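
Why the request above is enough, as an added example that is not part of the original post or the challenge's code: header_gate is a hypothetical check built only from client-chosen headers, and local_only_gate decides "local" from the TCP peer instead. The function names, sample addresses and the trusted-proxy list are assumptions made for illustration.

```python
import ipaddress

# Constructed request headers (lower-cased names), values taken from the request above.
SPOOFED = {
    "user-agent": "Infinite Improbability Drive",
    "referer": "https://cardinal.ink",
    "x-forwarded-for": "localhost",
}

def header_gate(method, headers):
    """Hypothetical check in the style the hints suggest: every input is
    chosen by the client, so it authenticates nothing."""
    return (method == "POST"
            and headers.get("user-agent") == "Infinite Improbability Drive"
            and headers.get("referer") == "https://cardinal.ink"
            and headers.get("x-forwarded-for") == "localhost")

def client_ip(peer_ip, xff, trusted_proxies=()):
    """Address to authorize on: the TCP peer, or, when the peer is one of our
    own proxies, the nearest untrusted hop read right-to-left from XFF.
    Assumes each trusted proxy appends the address it saw to the header."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    ip = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and any(ip in n for n in nets):
        try:
            ip = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None  # "localhost" or other junk is not an address
    return ip

def local_only_gate(peer_ip, headers, trusted_proxies=()):
    """Hardened form: 'local' is decided from the connection, not a header."""
    ip = client_ip(peer_ip, headers.get("x-forwarded-for"), trusted_proxies)
    return ip is not None and ip.is_loopback

if __name__ == "__main__":
    print(header_gate("POST", SPOOFED))              # remote client passes
    print(local_only_gate("203.0.113.7", SPOOFED))   # same request, decided on the peer
    print(local_only_gate("127.0.0.1", {}))          # genuinely local caller
    chained = {"x-forwarded-for": "127.0.0.1, 198.51.100.9"}
    print(local_only_gate("10.0.0.5", chained, ["10.0.0.0/8"]))  # spoofed hop behind a proxy
```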

watermelon

Following an article on Zhihu:

https://zhuanlan.zhihu.com/p/347270183

hgame{do_you_know_cocos_game?}

Search for t.prototype.createOneFruit = function (e)

and add the line e = 1;

After that only small tomatoes drop; keep clicking for roughly 15 minutes and it is done.

image-20210131172442918

image-20210131171532058

image-20210131171535185

智商检测鸡 (IQ Test Chicken)

image-20210201190358123

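According to the challenge description,

you have to solve math problems; after completing 100 of them you get the flag.

Solving 100 problems by hand obviously takes a long time.

So let's start from the source instead. Viewing the page source reveals a file named fuckmath.js.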

image-20210201191153588

The file contents:

function getStatus(){
    $.ajax({
        type:"GET",
        url: "/api/getStatus", // challenge progress
        dataType:"json",
        success:function(data){
            let solving = data['solving']
            $("#status").text(solving);
            if(solving === 100)
                getFlag();
        }
    });
}

function getQuestion(){
    $.ajax({
        type: "GET",
        url: "/api/getQuestion", // fetch a question
        dataType: "json",
        xhrFields: {
            withCredentials: true
        },
        crossDomain: true,
        success:function(data){
            $('#integral').html(data['question']);
        }
    });
}

function getFlag(){
    $.ajax({
        type: "GET",
        url: "/api/getFlag", // fetch the flag
        dataType: "json",
        success:function(data){
            $('#flag').html(data['flag']);
        }
    });
}

function init(){
    getQuestion();
    getStatus();
}

function submit(){
    $.ajax({
        type: "POST",
        url: "/api/verify", // the user's answer is submitted here
        data: JSON.stringify({answer:parseFloat($('#answer').val())}),
        dataType: "json",
        contentType: "application/json;charset=utf-8",
        // (the rest of submit() is cut off in the original post)
    });
}

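Knowing the source and what each API endpoint does,

let's write a Python script.

It needs a Python library that can compute integrals.

Flow:

fetch the question - compute the result - submit - get the flag

The script: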

# @time     : 2021/1/31 10:29
# @Author   : Yt
# @FileName : test.py

import sympy
import requests
import json
import re

# cookies = {"session": "session=eyJzb2x2aW5nIjoxfQ.YBZPfw.g4LYUPBy_nNiA4GOLnxvK2OkE4k"}
session = requests.session()


def get_timu():
    url = "http://r4u.top:5000/api/getStatus"
    req = session.get(url)
    print(req.text)
    url = "http://r4u.top:5000/api/getQuestion"
    reqs = session.get(url)
    # Extract the numbers in the question with regexes (raw strings, so "\+" is a valid escape)
    one = re.findall(r"-</mo><mn>([0-9]+)</mn>", reqs.text)
    two = re.findall(r"/mrow><mrow><mn>([0-9]+)</mn>", reqs.text)
    one1 = re.findall(r"/mo><mn>([0-9]+)</mn><mi>x<", reqs.text)
    two2 = re.findall(r"\+</mo><mn>([0-9]+)</mn><mo>", reqs.text)

    one = int(one[0])
    two = int(two[0])
    one1 = int(one1[0])
    two2 = int(two2[0])

    # print one, two, one1, two2
    # Compute the answer: integrate one1*x + two2 from -one to two
    x = sympy.symbols('x')
    res = sympy.integrate(one1 * x + two2, (x, -one, two))

    return res

# Submit the answer
def submit(res):
    url = "http://r4u.top:5000/api/verify"
    headers = {'Content-Type': 'application/json'}
    data = {"answer": float(res)}
    print(res)

    submit = session.post(url, headers=headers, json=data)
    print(submit.text)


def flag():
    url = "http://r4u.top:5000/api/getFlag"

    submit = session.get(url)

    print(submit.text)


def main():
    # Answer the 100 questions, then request the flag once
    for i in range(1, 101):
        res = get_timu()
        submit(res)
    flag()


if __name__ == '__main__':
    main()

  • Category: CTF
  • Tags: wp
