[攻防世界] Crypto series: flag_in_hand

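This challenge is a web page. Start by entering some arbitrary characters to test it.

The string shown here is not the flag!

Next, view the page source, which is as follows: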

<html>
<head>
    <title>Flag in your Hand</title>
    <style type="text/css">
        body {
            padding-left: 30%;
        }

        #flag {
            font-family: Garamond, serif;
            font-size: 36px;
        }

        #flagtitle {
            font-family: Garamond, serif;
            font-size: 24px;
        }

        .rightflag {
            color: green;
        }

        .wrongflag {
            color: red;
        }
    </style>
    <script src="script-min.js"></script>
    <script type="text/javascript">
        var ic = false;
        var fg = "";

        function getFlag() {
            var token = document.getElementById("secToken").value;
            ic = checkToken(token);
            fg = bm(token);
            showFlag()
        }

        function showFlag() {
            var t = document.getElementById("flagTitle");
            var f = document.getElementById("flag");
            t.innerText = !!ic ? "You got the flag below!!" : "Wrong!";
            t.className = !!ic ? "rightflag" : "wrongflag";
            f.innerText = fg;
        }
    </script>
</head>
<body>
    <h1>Flag in your Hand</h1>
    <p>Type in some token to get the flag.</p>
    <p>Tips: Flag is in your hand.</p>
    <div>
        <p>
            <span>Token:</span>
            <span><input type="text" id="secToken"/></span>
        </p>
        <p>
            <input type="button" value="Get flag!" onclick="getFlag()" />
        </p>
    </div>
    <div>
        <p id="flagTitle"></p>
        <p id="flag"></p>
    </div>
</body>
</html>

Two key functions here operate on the flag:

function getFlag() {
    var token = document.getElementById("secToken").value;
    ic = checkToken(token);
    fg = bm(token);
    showFlag()
}

function showFlag() {
    var t = document.getElementById("flagTitle");
    var f = document.getElementById("flag");
    t.innerText = !!ic ? "You got the flag below!!" : "Wrong!";
    t.className = !!ic ? "rightflag" : "wrongflag";
    f.innerText = fg;
}

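getFlag() reads the token string we entered and processes it with checkToken() and bm(); showFlag() then checks whether ic is true and, if it is, reports success.

We look in script.js to see how the value of ic changes. The code is as follows: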

function ck(s) {
    try {
        ic
    } catch (e) {
        return;
    }
    var a = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 101, 120];
    if (s.length == a.length) {
        for (i = 0; i < s.length; i++) {
            if (a[i] - s.charCodeAt(i) != 3)
                return ic = false;
        }
        return ic = true;
    }
    return ic = false;
}

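As long as a[i] - s.charCodeAt(i) == 3 holds for every character, ic is set to true, so we only need to work backwards from this condition to recover the correct token.

The code is as follows: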

a = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 101, 120]
b = ""
for i in a:
    # ck() requires a[i] - charCode == 3, so each character is chr(a[i] - 3)
    b += chr(i - 3)
print(b)

# b = security-xbu

Submit the token on the web page, and the flag is returned.

The flag obtained:

RenIbyd8Fgg5hawvQm7TDQ
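
As an added example (not part of the original post or the challenge's code): a Python port of ck() confirming that the array shipped to the browser determines the token uniquely, placed next to a server-side check that keeps only a salted digest. The ServerSideCheck class, its iteration count and the test strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Array copied from ck() in the challenge script shown above.
A = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 101, 120]
SHIFT = 3  # ck() requires a[i] - s.charCodeAt(i) == 3


def ck(s: str) -> bool:
    """Python port of the page's ck(): same length, every code equals a[i] - 3."""
    if len(s) != len(A):
        return False
    return all(a - ord(c) == SHIFT for a, c in zip(A, s))


def recover_token() -> str:
    """Each position has exactly one solution, so the client-side array fixes the token."""
    return "".join(chr(a - SHIFT) for a in A)


class ServerSideCheck:
    """Hypothetical hardened design: the server keeps only a salted PBKDF2 digest."""

    ITERATIONS = 200_000  # assumed work factor for this sketch

    def __init__(self, secret: str):
        self.salt = os.urandom(16)
        self.digest = self._derive(secret)

    def _derive(self, token: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", token.encode(), self.salt, self.ITERATIONS)

    def verify(self, token: str) -> bool:
        # Constant-time comparison; nothing reversible is ever sent to the browser.
        return hmac.compare_digest(self._derive(token), self.digest)


if __name__ == "__main__":
    token = recover_token()
    print(token, ck(token))
    server = ServerSideCheck(token)  # constructed demo secret
    print(server.verify(token), server.verify("security-xbv"))
```

With the comparison done on the server, the page source contains neither the token nor any array it can be derived from; the browser only learns pass or fail.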
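  • Copyright notice: Unless otherwise stated, all articles on this blog are copyrighted by the author. Please credit the source when reposting!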
  • Copyrights © 2021-2024 John Doe