[Notes] The 12th Geek Challenge (极客大挑战), 2021


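Contents

  • Preface
  • Solutions
    • RE
      • Re0
      • Re1
      • 刘壮桌面美化大师 (Liu Zhuang Desktop Beautification Master)
      • 买Activity (Buy Activity)
      • 调试 (Debugging)
      • easypyc
      • 珍惜生命 (Cherish Life)
      • new_language
      • win32
    • WEB
      • Dark
      • Welcome2021
      • babysql
      • 蜜雪冰城甜蜜蜜 (Mixue Bingcheng Sweet Honey)
  • Afterword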

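Preface
The Geek Challenge is quite friendly to beginners, and especially suited to someone like me

Solutions
RE
Re0
Just press F12: SYC{Welcome_to_Geek_challenge2021}

Re1
An exe file with no packer; load it into IDA.
It has an array of length 60 and two important functions, enc0 and enc1.
Opening enc0, it is clearly base64; a look at the table shows the alphabet has not been swapped: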
.rdata:0000000000405000 aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0

Next, enc1 simply XORs the base64 output once more. The PoC script:
    import base64

    # The 60-byte array from the binary: base64 text XORed with 64
    enc = [21, 113, 44, 4, 37, 113, 40, 16, 21, 44, 121, 40, 34, 45, 18, 38, 25, 45, 6, 58, 26, 20, 25, 112, 24, 114, 6, 57, 26, 22, 121, 112, 33, 7, 22, 38, 25, 45, 6, 58, 33, 24, 14, 38, 34, 114, 26, 38, 35, 45, 22, 114, 26, 24, 10, 58, 26, 24, 112, 125]
    flag = ''
    for s in enc:
        flag += chr(s ^ 64)   # undo enc1
    print(base64.b64decode(flag))   # undo enc0
    # b'SYC{XOR_and_base64_are_the_basis_of_reverse}'


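刘壮桌面美化大师 (Liu Zhuang Desktop Beautification Master)
Judging by the main class, this APK challenge is a warm-up: just look through the String resources, SYC{We1c0m3_t0_4ndRo1d_ReV3rse!}

买Activity (Buy Activity)
The main class is Decode; its source: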
    package com.sorrowrain.buyactivity;

    import kotlin.Metadata;
    import kotlin.jvm.internal.Intrinsics;

    @Metadata(mo12032d1 = {"\u0000\u0014\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0002\b?\u0002\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0006\u0010\u0003\u001a\u00020\u0004J\t\u0010\u0005\u001a\u00020\u0004H? ¨\u0006\u0006"}, mo12033d2 = {"Lcom/sorrowrain/buyactivity/Decode; ", "", "()V", "getDecodedFlag", "", "stringFromNative", "app_release"}, mo12034k = 1, mo12035mv = {1, 5, 1}, mo12037xi = 48)
    /* compiled from: Decode.kt */
    public final class Decode {
        public static final Decode INSTANCE = new Decode();

        public final native String stringFromNative();

        private Decode() {
        }

        public final String getDecodedFlag() {
            String str = stringFromNative().toString();
            int length = str.length();
            String str2 = "";
            int i = 0;
            while (i < length) {
                char charAt = str.charAt(i);
                i++;
                str2 = Intrinsics.stringPlus(str2, Character.valueOf((char) (charAt ^ 16)));
            }
            return str2;
        }
    }

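The logic is just a simple XOR, but the string str comes from the native method stringFromNative(). As everyone knows, Java native methods are written in C/C++, so either find the .so file and decompile it, or debug dynamically and read the value directly,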
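    p1 = "CSD!Os!yiyO#|iU`bu1"
    p2 = "Ikxc$dFdOCBq!Oh dtm"
    # Interleave the two halves to rebuild the native string
    merged = ""
    for i in range(0, 19):
        merged = merged + p1[i] + p2[i]
    # Same XOR with 16 as getDecodedFlag()
    flag = ""
    for c in merged:
        flag += chr(ord(c) ^ 16)
    print(flag)
    # SYC{Th1s_4ct1Vity_iS_R3al1y_Exp0rted!}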


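调试 (Debugging)
Challenge description:
Intro && Hint: Extraction code: Geek. The noob challenge author meant to hand you a flag but got the code wrong, so how do you get the flag now... (Hint: install a Linux virtual machine; it only runs on Linux)

Both the title and the description hint that this challenge has to be debugged, so it is most likely a DEBUG task;
Start with the main function: it contains only a single comparison. Normally there would be a bit more code there, so my first guess is that this is the part to debug;
[image]

The control-flow graph confirms it:
[image]

Execution currently takes route ①; we need it to take route ② so that it reaches the output, which means changing jnz to jz;
The main function after the change:
[image]

Run it once and the flag comes out:
[image]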
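
What the jnz to jz change amounts to at the byte level, as an added example that is not part of the original write-up. The instruction bytes are constructed samples, not taken from the challenge binary, and the function names are my own.

```python
# Added example; the byte strings are constructed, not taken from the challenge binary.

def invert_jcc(code: bytearray, offset: int) -> str:
    """Invert the conditional jump at `offset` in place; return which form was patched.

    x86 keeps the condition in the low nibble of the Jcc opcode and its lowest
    bit negates it, so jnz (75 / 0F 85) and jz (74 / 0F 84) differ by one bit.
    """
    op = code[offset]
    if 0x70 <= op <= 0x7F:                 # short form: 7x rel8
        code[offset] = op ^ 1
        return "short"
    if op == 0x0F and offset + 1 < len(code) and 0x80 <= code[offset + 1] <= 0x8F:
        code[offset + 1] ^= 1              # near form: 0F 8x rel32
        return "near"
    # Refuse anything else: flipping a bit in an unrelated instruction corrupts it.
    raise ValueError(f"no conditional jump at offset {offset:#x}")


def patched(sample: bytes, offset: int) -> bytes:
    """Return a patched copy so the original bytes stay available for comparison."""
    buf = bytearray(sample)
    invert_jcc(buf, offset)
    return bytes(buf)


# cmp dword ptr [rbp-4], 1 ; jnz short +0x0c   (constructed)
SHORT_SAMPLE = bytes.fromhex("837dfc01750c")
# cmp eax, 0 ; jnz near +0x120                 (constructed)
NEAR_SAMPLE = bytes.fromhex("83f8000f8520010000")

if __name__ == "__main__":
    print(patched(SHORT_SAMPLE, 4).hex())
    print(patched(NEAR_SAMPLE, 3).hex())
```

Only the opcode byte changes; the jump displacement stays the same, which is why the patch swaps the two routes without moving any code.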


easypyc
A familiar format, so no need to go over how to decompile it: pyinstxtractor.py and uncompyle6 as a tag team,
[image]

The decompiled source:
    whatbox = [0] * 256


    def aaaaaaa(a, b):
        # RC4 key scheduling: fills whatbox from key a of length b
        k = [0] * 256
        t = 0
        for m in range(256):
            whatbox[m] = m
            k[m] = ord(a[(m % b)])
        else:
            for i in range(256):
                t = (t + whatbox[i] + k[i]) % 256
                temp = whatbox[i]
                whatbox[i] = whatbox[t]
                whatbox[t] = temp


    def bbbbbbbbbb(a, b):
        # RC4 keystream XOR, with an extra XOR by 102
        q = 0
        w = 0
        e = 0
        for k in range(b):
            q = (q + 1) % 256
            w = (w + whatbox[q]) % 256
            temp = whatbox[q]
            whatbox[q] = whatbox[w]
            whatbox[w] = temp
            e = (whatbox[q] + whatbox[w]) % 256
            a[k] = a[k] ^ whatbox[e] ^ 102


    def ccccccccc(a, b):
        # Extra mixing layer: XOR with the next byte, then a running XOR
        for i in range(b):
            a[i] ^= a[((i + 1) % b)]
        else:
            for j in range(1, b):
                a[j] ^= a[(j - 1)]


    if __name__ == '__main__':
        kkkkkkk = 'Geek2021'
        tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
        ssss = input('Please input your flag:')
        inp = [0] * len(ssss)
        if len(ssss) != 32:
            print('Length Error!!!!')
            exit(0)
        for i in range(len(ssss)):
            inp[i] = ord(ssss[i])
        else:
            aaaaaaa(kkkkkkk, len(kkkkkkk))
            bbbbbbbbbb(inp, 32)
            ccccccccc(inp, 32)
            for m in range(32):
                if tttttt[m] != inp[m]:
                    raise Exception('sorry your flag is wrong')
            print('success!!!!!!')
            print('your flag is {}'.format(ssss))

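This is the RC4 algorithm. I didn't notice at first and only realized it after recovering the flag: just easy Rc4.
There are three functions, but only ccccccccc actually needs to be inverted. First run aaaaaaa to get the key-scheduled state whatbox, which is: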
whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]

Then invert ccccccccc. The PoC script:
    def rebbbbbbbbbb(a, b):
        # Same keystream XOR as bbbbbbbbbb (XOR is its own inverse); prints the flag
        flag = ""
        q = 0
        w = 0
        e = 0
        for k in range(b):
            q = (q + 1) % 256
            w = (w + whatbox[q]) % 256
            temp = whatbox[q]
            whatbox[q] = whatbox[w]
            whatbox[w] = temp
            e = (whatbox[q] + whatbox[w]) % 256
            a[k] = chr(a[k] ^ whatbox[e] ^ 102)
            flag += a[k]
        print(flag)


    def reccccccccc(a, b):
        # Undo ccccccccc: reverse the running XOR first, then the next-byte XOR, both back to front
        for j in range(b - 1, 0, -1):
            a[j] ^= a[(j - 1)]
        else:
            for i in range(b - 1, -1, -1):
                a[i] ^= a[((i + 1) % b)]


    if __name__ == '__main__':
        kkkkkkk = 'Geek2021'
        tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
        whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]
        reccccccccc(tttttt, 32)
        rebbbbbbbbbb(tttttt, 32)
        # SYC{Just_a_Eeeeeeasy_Rc4_right?}


珍惜生命 (Cherish Life)
A pyc file with no traps set; an ordinary uncompyle6 decompile is all it takes. The resulting source:
    def Challenge():
        import sys
        print("Welcome to py's world")
        S = input('plz give me your flag:')
        Key = input('plz give me your key(string):')
        if len(S) != 51 or len(Key) != 8:
            print("the flag's or key's strlen...")
            sys.exit()
        else:
            tmp = S[4:50]
            KEY_cmp = 'Syclover'
            key = []
            key_cmp = ''
            for i in Key:
                key.append(ord(i))

            try:
                key_cmp += chr((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14)
                key_cmp += chr((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801)
                key_cmp += chr((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924)
                key_cmp += chr(key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16)
                key_cmp += chr((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1)
                key_cmp += chr(key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40)
                key_cmp += chr(key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41)
                key_cmp += chr((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36)
            except ValueError:
                print("You know what I'm going to say...")
                sys.exit()

            if key_cmp != KEY_cmp:
                print("You know what I'm going to say...")
                sys.exit()
            flag = [113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
            for i in range(46):
                if ord(tmp[i]) ^ key[((i + 1) % len(key))] != flag[i]:
                    print("You know what I'm going to say...")
                    sys.exit()

            print('Yeah!Submit your flag in a hurry~')


    Challenge()

The crux is recovering the key; solve the constraints with z3:
    from z3 import *

    KEY_cmp = 'Syclover'
    # One 32-bit symbolic variable per key character
    key = [BitVec('u%d' % i, 32) for i in range(0, 8)]

    s = Solver()

    # Each expression from the challenge must equal the matching character of 'Syclover'
    s.add(((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14) == ord(KEY_cmp[0]))
    s.add(((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801) == ord(KEY_cmp[1]))
    s.add(((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924) == ord(KEY_cmp[2]))
    s.add((key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16) == ord(KEY_cmp[3]))
    s.add(((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1) == ord(KEY_cmp[4]))
    s.add((key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40) == ord(KEY_cmp[5]))
    s.add((key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41) == ord(KEY_cmp[6]))
    s.add(((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36) == ord(KEY_cmp[7]))

    if s.check() == sat:
        result = s.model()
        print(result)

The key comes out as [83, 38, 121, 99, 64, 45, 54, 46]; XOR once more to recover the flag:
    key = [83, 38, 121, 99, 64, 45, 54, 46]
    flag = 'SYC{'
    tmp = [113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
    # Same index rule as the challenge: byte i is XORed with key[(i + 1) % 8]
    for i in range(46):
        flag += chr((tmp[i]) ^ key[((i + 1) % len(key))])
    flag += '}'
    print(flag)
    # SYC{W3$c0m3_T0_th3_py_w0r1d_@nd_z3_1s_s0000_g00d!!}


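new_language
Maybe I'm rusty from not doing challenges for so long: I saw .NET and still threw it into IDA. I'm an idiot;
In dnSpy this is a warm-up challenge, in IDA it is an advanced one. The source: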
    using System;

    namespace new___language
    {
        // Token: 0x02000002 RID: 2
        internal class geek
        {
            // Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000258
            public static int getNumFromSBox(char index)
            {
                int num = (int)(index >> 4);
                int num2 = (int)(index & '\u000f');
                return geek.sbox[num * 16 + num2];
            }

            // Token: 0x06000003 RID: 3 RVA: 0x00002080 File Offset: 0x00000280
            private static void Main(string[] args)
            {
                Console.WriteLine("input:");
                string text = Console.ReadLine();
                int[] array = new int[34];
                int[] array2 = new int[] { 64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157, 207, 251, 4, 60, 81, 59, 77, 146, 77, 207, 26, 38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253 };
                bool flag = text.Length != 38;
                if (!flag)
                {
                    bool flag2 = text.Substring(0, 4) != "SYC{" || text.Substring(37, 1) != "}";
                    if (!flag2)
                    {
                        text = text.Substring(4, 33);
                        for (int i = 0; i < 33; i++)
                        {
                            array[i] = geek.getNumFromSBox(text[i]);
                        }
                        for (int j = 0; j < 33; j++)
                        {
                            bool flag3 = array[j] != array2[j];
                            if (flag3)
                            {
                                return;
                            }
                        }
                        Console.WriteLine("good");
                    }
                }
            }

            // Token: 0x04000001 RID: 1
            private static int[] sbox = new int[]
            {
                99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118,
                202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
                183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21,
                4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117,
                9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132,
                83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207,
                208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168,
                81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210,
                205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115,
                96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219,
                224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121,
                231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8,
                186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138,
                112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158,
                225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
                140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22
            };
        }
    }

The challenge description already says this is part of some encryption algorithm; what matters is these two loops:
    for (int i = 0; i < 33; i++)
    {
        array[i] = geek.getNumFromSBox(text[i]);
    }
    for (int j = 0; j < 33; j++)
    {
        bool flag3 = array[j] != array2[j];
        if (flag3)
        {
            return;
        }
    }

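getNumFromSBox processes the input one character at a time: it turns each character into an index and returns the value at that position in the S-box sbox. Simple enough, so straight to the PoC script: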
    public static void main(String[] args) {
        int[] array2 = new int[] { 64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157, 207, 251, 4, 60, 81, 59, 77, 146, 77, 207, 26, 38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253 };
        String flag = "SYC{";
        for (int num : array2) {
            // Try every ASCII character until its S-box value matches
            for (int i = 0; i < 128; i++) {
                char str = (char) i;
                if (getNumFromSBox(str) == num) {
                    flag += str;
                }
            }
        }
        flag += "}";
        System.out.println(flag);
    }
    /* SYC{right!!_y0u_c0mpIete_C#_reVer3e!!} */

Remember to add the sbox table and the getNumFromSBox function yourself; they are too long to include here;
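
An added example, not part of the original write-up: the table in the decompiled class is the standard AES S-box, a bijection on 0..255, and the nibble arithmetic in getNumFromSBox reduces to sbox[index], so the check can be undone with an inverse lookup instead of a search. The script regenerates the S-box from its definition rather than pasting it; the function names are my own.

```python
# Added example: regenerate the AES S-box and invert the new_language check.

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox():
    """S-box[x] = affine transform of the multiplicative inverse of x (0 stays 0)."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        box.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3)
                   ^ rotl8(inv, 4) ^ 0x63)
    return box


def get_num_from_sbox(ch, sbox):
    """Port of getNumFromSBox: hi * 16 + lo rebuilds the character code itself."""
    index = ord(ch)
    return sbox[(index >> 4) * 16 + (index & 0x0F)]


def recover_flag(target):
    """Undo the substitution with an inverse table (the S-box is a bijection)."""
    inverse = {value: index for index, value in enumerate(aes_sbox())}
    return "SYC{" + "".join(chr(inverse[v]) for v in target) + "}"


# array2 from the decompiled Main on this page
ARRAY2 = [64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157, 207, 251, 4, 60, 81, 59,
          77, 146, 77, 207, 26, 38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253]

if __name__ == "__main__":
    print(recover_flag(ARRAY2))
```

Recognising the first entries 99, 124, 119, 123 (0x63, 0x7c, 0x77, 0x7b) is usually enough to identify this table on sight.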

win32
A rather odd exe file; checking for a packer shows EP section: UPX1,
Try unpacking it with UPX and load it into IDA,
Look at the main function,
    LRESULT __fastcall sub_140011B80(HWND a1, UINT a2, WPARAM a3, LPARAM a4)
    {
      char *v4; // rdi
      __int64 i; // rcx
      unsigned int v6; // eax
      LRESULT v7; // rax
      LRESULT v8; // rdi
      char v10[32]; // [rsp+0h] [rbp-60h] BYREF
      char v11; // [rsp+60h] [rbp+0h] BYREF
      CHAR String[136]; // [rsp+70h] [rbp+10h] BYREF
      char v13[48]; // [rsp+F8h] [rbp+98h] BYREF
      char *Str1; // [rsp+128h] [rbp+C8h] BYREF
      struct tagPAINTSTRUCT Paint; // [rsp+150h] [rbp+F0h] BYREF
      HDC v16; // [rsp+1B8h] [rbp+158h]
      UINT v17; // [rsp+284h] [rbp+224h]

      v4 = &v11;
      for ( i = 92i64; i; --i )
      {
        *(_DWORD *)v4 = -858993460;
        v4 += 4;
      }
      sub_1400113DE(&unk_1400240BE);
      strcpy(v13, "0123456789+/");
      Str1 = 0i64;
      v17 = a2;
      if ( a2 == 1 )
      {
        hWnd = CreateWindowExW(0, L"EDIT", 0i64, 0x50810000u, 0, 0, 390, 30, a1, (HMENU)0x12C, hInstance, 0i64);
        qword_14001E2B8 = (__int64)CreateWindowExW(
                                     0,
                                     L"BUTTON",
                                     &word_14001AEB8,
                                     0x50000000u,
                                     0,
                                     31,
                                     390,
                                     33,
                                     a1,
                                     (HMENU)0xC8,
                                     hInstance,
                                     0i64);
    LABEL_17:
        v7 = 0i64;
        goto LABEL_18;
      }
      switch ( v17 )
      {
        case 2u:
          PostQuitMessage(0);
          goto LABEL_17;
        case 0xFu:
          v16 = BeginPaint(a1, &Paint);
          EndPaint(a1, &Paint);
          goto LABEL_17;
        case 0x111u:
          v17 = (unsigned __int16)a3;
          if ( (unsigned __int16)a3 == 200 )
          {
            GetWindowTextA(hWnd, String, 100);
            v6 = j_strlen(String);
            sub_1400110F5(String, v6, &Str1, v13);
            if ( !j_strcmp(Str1, Str2) )
              MessageBoxW(0i64, &Text, &Caption, 0);
            else
              MessageBoxW(0i64, &word_14001AF20, &word_14001AF18, 0);
          }
          goto LABEL_17;
      }
      v7 = DefWindowProcW(a1, a2, a3, a4);
    LABEL_18:
      v8 = v7;
      sub_140011366(v10, &unk_14001ADD0);
      return v8;
    }

It mainly handles the window messages and base64-encodes the text that was entered,
    import base64

    enc = 'U1lDe3kwdV9nM3RfQV9mMWFnX2J5X2N5YmVybG9hZmluZ19hdXRoMHJ9'
    print(base64.b64decode(enc))
    # b'SYC{y0u_g3t_A_f1ag_by_cyberloafing_auth0r}'


WEB
Dark
Just open it with Tor Browser; other browsers presumably cannot load it, as the name suggests: SYC{hav3_fUn_1n_darK}

Welcome2021
[image]

The challenge hints at viewing the source,
[image]

It says quite clearly to send the request using the WELCOME method,
[image]

Then request f1111aaaggg9.php,
[image]

babysql
An SQL injection challenge,
[image]

Straight to SQLMAP; those who know, know,
[image]

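蜜雪冰城甜蜜蜜 (Mixue Bingcheng Sweet Honey)
[image]

The hint says that selecting drink number 9 gives the flag directly, but only 8 are listed. Each one does have an id, though, and analysing the JS shows that on submit it reads the id of the clicked image; so change an id in the front-end page to id=9 and click it once more,


Afterword
I didn't attempt the challenges that came out later; these days I do RE just for fun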