When the page first opens it keeps loading and then redirects to /die.
Look at the source of the landing page:
Welcome to Earth
AMBUSH!
You've gotta escape!
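The source shows that when keycode == 27 the page redirects to /chase/. 27 is the ESC key on the keyboard. We can also enter chase in the URL to go straight to that page, then view the source of the chase page: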
Welcome to Earth
CHASE!
You managed to chase one of the enemy fighters, but there's a wall coming
up fast!
The source contains leftt; visit it.
Page source:
Welcome to Earth
SHOOT IT
You've got the bogey in your sights, take the shot!
Clicking Take the shot redirects to die.
The comments mention shoot; visit it.
Clicking Continue redirects to door.
Page source:
Welcome to Earth
YOU APPROACH THE ALIEN CRAFT!
How do you get inside?
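At the bottom there is a check_door function, which is imported from /static/js/door.js above:
function check_door() {
    var all_radio = document.getElementById("door_form").elements;
    var guess = null;
    for (var i = 0; i < all_radio.length; i++)
        if (all_radio[i].checked) guess = all_radio[i].value;
    // The selected radio value is compared with a random number in [0, 360)
    rand = Math.floor(Math.random() * 360);
    if (rand == guess) window.location = "/open/";
    else window.location = "/die/";
}
The check only decides which URL the browser goes to, so visit open directly.
Page source: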
Welcome to Earth
YOU FOUND THE DOOR!
How do you open it?
Look at /static/js/open_sesame.js:
function sleep(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
}
function open(i) {
    sleep(1).then(() => {
        open(i + 1);
    });
    // The redirect only fires once the counter reaches 4000000000
    if (i == 4000000000) window.location = "/fight/";
}
Visit fight.
In the same way, we get:
// Run to scramble original flag
//console.log(scramble(flag, action));
function scramble(flag, key) {
    for (var i = 0; i < key.length; i++) {
        let n = key.charCodeAt(i) % flag.length;
        let temp = flag[i];
        flag[i] = flag[n];
        flag[n] = temp;
    }
    return flag;
}
function check_action() {
    var action = document.getElementById("action").value;
    var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];
    // TODO: unscramble function
}
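The flag is there, but its pieces have been shuffled.
We can simply permute the array that holds the flag. In Python, combinations come from combinations in itertools, while permutations come from permutations.
Script: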
from itertools import permutations

flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag)
for i in item:
    k = ''.join(list(i))
    # Keep only orderings that match the known flag format
    if k.startswith('pctf{hey_boys') and k[-1] == '}':
        print(k)
Result:
The flag is pctf{hey_boys_im_baaaaaaaaaack!}
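The `// TODO: unscramble function` left in the fight script can be filled in when the key is known, because every swap in scramble() is its own inverse. The JavaScript below is an added example, not part of the challenge or the original writeup: it inverts scramble() and repeats the key-free search with duplicates removed. The names unscramble and candidates and the key "shoot" are assumptions made for illustration, and the inverse assumes the key is no longer than the array.

```javascript
// scramble() exactly as in the challenge script.
function scramble(flag, key) {
  for (var i = 0; i < key.length; i++) {
    let n = key.charCodeAt(i) % flag.length;
    let temp = flag[i];
    flag[i] = flag[n];
    flag[n] = temp;
  }
  return flag;
}

// Added (hypothetical name): undo scramble() by replaying its swaps backwards.
// Assumes key.length <= flag.length, so the array never grows mid-scramble.
function unscramble(flag, key) {
  if (key.length > flag.length) throw new RangeError("key longer than flag array");
  for (let i = key.length - 1; i >= 0; i--) {
    const n = key.charCodeAt(i) % flag.length;
    [flag[i], flag[n]] = [flag[n], flag[i]];
  }
  return flag;
}

// Added (hypothetical name): key-free search over chunk orderings, pruned by the
// known flag prefix and de-duplicated (the two "aaaa" chunks are identical).
function candidates(parts, prefix, suffix) {
  const found = new Set();
  const used = parts.map(() => false);
  const walk = (acc, depth) => {
    const k = Math.min(acc.length, prefix.length);
    if (acc.slice(0, k) !== prefix.slice(0, k)) return; // prune early
    if (depth === parts.length) {
      if (acc.endsWith(suffix)) found.add(acc);
      return;
    }
    for (let i = 0; i < parts.length; i++) {
      if (used[i]) continue;
      used[i] = true;
      walk(acc + parts[i], depth + 1);
      used[i] = false;
    }
  };
  walk("", 0);
  return [...found].sort();
}

const SCRAMBLED = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]; // from the page
const DEMO_KEY = "shoot"; // constructed key, not the challenge's real action
console.log(unscramble(scramble([...SCRAMBLED], DEMO_KEY), DEMO_KEY).join(""));
console.log(candidates(SCRAMBLED, "pctf{hey_boys", "}"));
```

The search returns three distinct strings, because "_baa" can sit before, between or after the two "aaaa" chunks; the flag is the one that reads as words.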