Happy New Year: JS auditing
Approach
Five knowledge points in total:
Viewing the page source, there is a link that jumps to another page:
<h1 id="title">HappyNewYearCTF <span class="year">2024</span>
<a href="progress/js.php"></a>
</h1>

Viewing the page source shows a piece of JS code that validates the entered password. The check runs on the client rather than the server, so the plaintext password can be read directly:
<script type="text/javascript">
  function check() {
    if (document.getElementById('passwd').value == " ") {
      window.location.href = "false.php";
    } else {
      alert("密码错误");
    }
  }
</script>

Viewing the page source again shows JS code that validates the password, this time with the password obfuscated. The obfuscation here is simple enough to work out by hand, but no matter how complex the obfuscation algorithm is, the code can be copied into the browser console and evaluated to get the result:
<script type="text/javascript">
  document.oncontextmenu = function () { return false };
  var a, b, c, d, e, f, g;
  a = 3.14;
  b = a * 2;
  c = a + b;
  d = c / b + a;
  e = c - d * b + a;
  f = e + d / c - b * a;
  g = f * e - d + c * b + a;
  a = g * g;
  a = Math.floor(a);
  function check() {
    if (document.getElementById("passwd").value == a) {
      window.location.href = a + ".php";
    } else {
      alert("密码错误");
      return false;
    }
  }
</script>

Evaluating in the console:

var a, b, c, d, e, f, g;
a = 3.14;
b = a * 2;
c = a + b;
d = c / b + a;
e = c - d * b + a;
f = e + d / c - b * a;
g = f * e - d + c * b + a;
a = g * g;
a = Math.floor(a);
=> gives the password a = 424178

Viewing the page source, the JS code appears to have been specially processed: it goes through eval(), dangerous content that can execute commands when run. Again hand it to the console, evaluating only the inner String.fromCharCode(...) call rather than the eval():
<script type="text/javascript">
eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 99, 104, 101, 99, 107, 40, 41, 123, 13, 10,09, 118, 97, 114, 32, 97, 32, 61, 32, 39, 100, 52, 49, 115, 53, 39, 59, 13, 10,09, 105, 102, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 66, 121, 73, 100, 40, 39, 112, 97, 115, 115, 119, 100, 39, 41, 46, 118, 97, 108, 117, 101, 61, 61, 97, 41, 123, 13, 10, 09, 09, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 97, 43, 34, 46, 112, 104, 112, 34, 59, 13, 10, 09, 125, 101, 108, 115, 101, 123, 13, 10, 09, 09, 97, 108, 101, 114, 116, 40, 34, 23494, 30721, 38169, 35823, 34, 41, 59, 13, 10, 09, 125, 13, 10, 125));
</script>

String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 99, 104, 101, 99, 107, 40, 41, 123, 13, 10,09, 118, 97, 114, 32, 97, 32, 61, 32, 39, 100, 52, 49, 115, 53, 39, 59, 13, 10,09, 105, 102, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 66, 121, 73, 100, 40, 39, 112, 97, 115, 115, 119, 100, 39, 41, 46, 118, 97, 108, 117, 101, 61, 61, 97, 41, 123, 13, 10, 09, 09, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 97, 43, 34, 46, 112, 104, 112, 34, 59, 13, 10, 09, 125, 101, 108, 115, 101, 123, 13, 10, 09, 09, 97, 108, 101, 114, 116, 40, 34, 23494, 30721, 38169, 35823, 34, 41, 59, 13, 10, 09, 125, 13, 10, 125)

which gives
`function check(){\r\n\tvar a = 'd41s5';\r\n\tif(document.getElementById('passwd').value==a){\r\n\t\twindow.location.href=a+".php";\r\n\t}else{\r\n\t\talert("密码错误");\r\n\t}\r\n}`
So the password is d41s5.

After entering d41s5.php, the page jumps back to the previous page after 1 s, which shows that a redirect is involved. Intercept the traffic with BurpSuite when submitting the password on the previous page and resend the request from Repeater:
GET /progress/d41s5.php HTTP/1.1
Host: ctf.seek2.top:33527
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://ctf.seek2.top:33527/progress/424178.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

which returns:
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 05 Mar 2024 11:13:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.6.40
Content-Length: 810
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1;url=424178.php">
<!-- sets a 1 s delayed redirect back to the 424178.php page -->
<link rel="stylesheet" type="text/css" href="../assert/style.css">
<link rel="stylesheet" type="text/css" href="../assert/progress.css">
<title>d41s5.php</title>
</head>
<body>
<div>
<div><h1 id="title">HappyNewYearCTF <span class="year">2024</span></h1></div>
<!-- Hint: go to 3BHE1.php-->
</div>
<div class="progress"><div class="progress-bar progress-bar-90"><span class="progress-value">距离红包雨还有10%</span></div></div>
</body>
<script type="text/javascript" src="../assert/dimension.js"></script>
</html>

Following the hint, go to http://ctf.seek2.top:33527/progress/3BHE1.php, click the falling red envelopes, and get the FLAG.