日常刷题,打开场景,发现图片过了一段时间会变,看来有js代码 emmm,这题属于是送分题,找路径啥的属实没意思,不妨直接看最后的python脚本呢? 看页面内容
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>AMBUSH!</h1>
<p>You've gotta escape!</p>
<img src="/static/img/f18.png" alt="alien mothership" style="width:60vw;" />
<script>
// Keyboard gate for the first page: Escape (keyCode 27) moves on to /chase/,
// every other key goes straight to /die/. The whole decision is made in the
// browser, so the "correct" path can be read from this source.
document.onkeydown = function (event) {
  // Older browsers expose the event on window instead of passing it in.
  const evt = event || window.event;
  if (evt.keyCode != 27) {
    die();
    return;
  }
  evt.preventDefault();
  window.location = "/chase/";
};
/**
 * Promise-based delay built on setTimeout.
 * @param {number} ms - delay in milliseconds
 * @returns {Promise<undefined>} settles once the timer fires
 */
function sleep(ms) {
  return new Promise((done) => {
    setTimeout(done, ms);
  });
}
/**
 * Countdown for this page: waits 10000 ms, then calls die().
 * @returns {Promise<undefined>}
 */
async function dietimer() {
  const graceMs = 10000;
  return sleep(graceMs).then(() => {
    die();
  });
}
/** Navigates the page to /die/. */
function die() {
  const destination = "/die/";
  window.location = destination;
}
// Start the 10-second countdown to /die/ as soon as this script runs.
dietimer();
</script>
</body>
</html>
关键代码
if (event.keyCode == 27) {
event.preventDefault();
window.location = "/chase/";
} else die();
};
给了chase目录,访问页面
/**
 * Promise-based delay built on setTimeout.
 * @param {number} ms - delay in milliseconds
 * @returns {Promise<undefined>} settles once the timer fires
 */
function sleep(ms) {
  return new Promise((done) => {
    setTimeout(done, ms);
  });
}
/**
 * Countdown for the chase page: waits 1000 ms, then calls die().
 * @returns {Promise<undefined>}
 */
async function dietimer() {
  const graceMs = 1000;
  return sleep(graceMs).then(() => {
    die();
  });
}
/** Navigates the page to /die/. */
function die() {
  const destination = "/die/";
  window.location = destination;
}
/** Handler for the "left" choice; it navigates to /die/, the same target as die(). */
function left() {
  const destination = "/die/";
  window.location = destination;
}
/**
 * Handler that navigates to /leftt/. Among the handlers in this script it is
 * the only one whose target is not /die/, so the next stage is visible to
 * anyone who reads the page source.
 */
function leftt() {
  const destination = "/leftt/";
  window.location = destination;
}
/** Handler for the "right" choice; it navigates to /die/, the same target as die(). */
function right() {
  const destination = "/die/";
  window.location = destination;
}
下一个hint: leftt目录,访问
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
</head>
<body>
<h1>YOU SHOT IT DOWN!</h1>
<p>Well done! You also crash in the process</p>
<img src="/static/img/parachute.png" alt="parachute" style="width:60vw;" />
<button onClick="window.location='/door/'">Continue</button>
</body>
</html>
下一关:访问/door/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/door.js"></script>
</head>
<body>
<h1>YOU APPROACH THE ALIEN CRAFT!</h1>
<p>How do you get inside?</p>
<img src="/static/img/ship.png" alt="crashed ship" style="width:60vw;" />
<form id="door_form">
"176" />176
<input type="radio" name="side" value="177" />177
...
</form>
<button onClick="check_door()">Check</button>
</body>
</html>
看来我们要在里面选一个数字,调用的是check_door函数,逻辑在/static/js/door.js里,先看看内容
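/**
 * Compares the selected radio value in #door_form with a fresh random integer
 * in [0, 360) and navigates to /open/ on a match, otherwise to /die/.
 *
 * The draw, the comparison and both destination paths all live in
 * browser-side code, so this is a game mechanic and not an access control:
 * anything that must be restricted has to be checked by the server.
 */
function check_door() {
  const radios = document.getElementById("door_form").elements;
  let guess = null;
  // Keep the value of the last checked control (only one radio per group can be checked).
  for (let i = 0; i < radios.length; i++) {
    if (radios[i].checked) guess = radios[i].value;
  }
  // Declared locally: the original assigned to an undeclared `rand`, which
  // leaks a global in sloppy mode and throws a ReferenceError in strict mode.
  const rand = Math.floor(Math.random() * 360);
  // The control value is a string, so convert it explicitly. With no
  // selection (guess === null) the result is always /die/, as before.
  if (guess !== null && rand === Number(guess)) {
    window.location = "/open/";
  } else {
    window.location = "/die/";
  }
}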
下一关:/open/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/open_sesame.js"></script>
</head>
<body>
<h1>YOU FOUND THE DOOR!</h1>
<p>How do you open it?</p>
<img src="/static/img/door.jpg" alt="door" style="width:60vw;" />
<script>
// Start the counter at 0; open() comes from /static/js/open_sesame.js, included in <head>.
open(0);
</script>
</body>
</html>
同样:/static/js/open_sesame.js
/**
 * Promise-based delay built on setTimeout.
 * @param {number} ms - delay in milliseconds
 * @returns {Promise<undefined>} settles once the timer fires
 */
function sleep(ms) {
  return new Promise((done) => {
    setTimeout(done, ms);
  });
}
/**
 * One step of the counter: schedules open(i + 1) after sleep(1), then
 * navigates to /fight/ if this call's i equals 4000000000.
 *
 * At one step per 1 ms timer, reaching the target needs at least 4e9 ms
 * (about 46 days). The delay hides nothing, because the destination path is
 * written in this client-side source.
 *
 * @param {number} i - current counter value
 */
function open(i) {
  const next = i + 1;
  sleep(1).then(() => open(next));
  if (i == 4000000000) {
    window.location = "/fight/";
  }
}
想都不用想,傻子才去真做呢。/fight/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<script src="/static/js/fight.js"></script>
</head>
<body>
<h1>AN ALIEN!</h1>
<p>What do you do?</p>
<img
src="/static/img/alien.png"
alt="door"
style="width:60vw;"
/>
</br>
<input type="text" id="action">
<button onClick="check_action()">Fight!</button>
</body>
</html>
访问/static/js/fight.js
// Run to scramble original flag
//console.log(scramble(flag, action));
/**
 * Shuffles `flag` in place, driven by the characters of `key`: for each index
 * i of the key, element i is swapped with element (char code of key[i]) modulo
 * flag.length.
 *
 * @param {Array} flag - pieces to reorder; mutated and returned
 * @param {string} key - string whose UTF-16 code units pick the swap targets
 * @returns {Array} the same `flag` array
 */
function scramble(flag, key) {
  for (let pos = 0; pos < key.length; pos += 1) {
    const target = key.charCodeAt(pos) % flag.length;
    // Swap the two slots; the right-hand side is read before either write.
    [flag[pos], flag[target]] = [flag[target], flag[pos]];
  }
  return flag;
}
/**
 * Click handler for the "Fight!" button. It reads the #action text box and
 * defines the scrambled flag pieces, but does nothing with either yet.
 *
 * The eight pieces are sent to every visitor inside this script, so only
 * their order is unknown to someone reading the source. A secret that must
 * stay secret cannot be embedded in client-side code.
 */
function check_action() {
  const input = document.getElementById("action");
  const action = input.value;
  const flag = [
    "{hey",
    "_boy",
    "aaaa",
    "s_im",
    "ck!}",
    "_baa",
    "aaaa",
    "pctf",
  ];
  // TODO: unscramble function
}
emmmmm,终于是没有下一关的目录了,看一下逻辑,就是个简单的排列组合 那么写爆破代码,目的是要找以pctf{hey_boys_im开头和ck!}结尾的特定字符串,这就是一个全排列问题,直接拿python的模块permutations来做了
from itertools import permutations
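# Scrambled flag pieces, copied from check_action() in /static/js/fight.js.
flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag)
# "aaaa" occurs twice, so every arrangement is generated twice; the set drops the repeats.
candidates = set()
for i in item:
    k = ''.join(i)
    # endswith is a method and has to be called. The original compared the
    # bound method itself with 'ck!}', which is always False, so nothing printed.
    if k.startswith('pctf{hey_boys_im') and k.endswith('ck!}'):
        candidates.add(k)
# The prefix and suffix pin five of the eight pieces. The other three
# ("_baa", "aaaa", "aaaa") can still be ordered three distinct ways, so three
# candidates are printed and the readable one is chosen by eye.
for k in sorted(candidates):
    print(k)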
得到flag:pctf{hey_boys_im_baaaaaaaaaack!}
参考视频链接:https://www.bilibili.com/video/BV1DL411P7aJ/