MISC:
验证码:
用token登录
输入好验证码就可以得到flag
Picture:
图片隐写,一下就想到binwalk或者winhex打开试试
![clip_image001[5]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102734258-1053288049.png "clip_image001[5]")
binwalk打开无果
![clip_image001[7]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102738268-2132627840.png "clip_image001[7]")
将这段数据ctrl+shift+c复制出来
用下面python脚本生成zip文件。
import zlib
import binascii
import base64
id=””
r = zlib.decompress(binascii.unhexlify(id))
r = base64.b64decode(result)
fount = open(r"2.zip","wb")
fount.write(r)
fount.close()
![clip_image002[5]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102741357-1091576485.jpg "clip_image002[5]")
压缩包提示。
根据这个“ZeroDivisionError:”搜索
![clip_image001[9]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102741939-2129525954.png "clip_image001[9]")
然就知道压缩密码了。
![clip_image002[7]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102742860-462274587.jpg "clip_image002[7]")
打开弹出这个信息。
然后又拿出winhex看了下
![clip_image001[11]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102743858-233102801.png "clip_image001[11]")
然后输入压缩密码打开
发现code文件如下
![clip_image002[9]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102745249-1066076088.jpg "clip_image002[9]")
Uuencode解码即可
得到flag:
![clip_image001[13]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102746063-333077156.png "clip_image001[13]")
RUN:
![clip_image001[15]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102746854-1597671557.png "clip_image001[15]")
根据提示,要沙箱逃逸?
然后getshell。
然后百度谷歌了遍
命令都是瞎凑的。
![clip_image002[11]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102747709-775214837.jpg "clip_image002[11]")
然后发现很多库和命令都被ban了。
逃逸这个词,一开始我不是很理解。
然后群里管理员说是有点web
可能这些命令都被‘过滤’了吧。
然后一个个试绕过。
![clip_image002[13]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102748544-1031657408.jpg "clip_image002[13]")
![clip_image002[15]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102749244-830624759.jpg "clip_image002[15]"){kind=small}
得到flag。
这里很坑的是func_globals也会被‘过滤’。
CRYPTO:
flag_in_your_hand:
下载文件解压
得到html和js
![clip_image002[17]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102749960-1915141252.jpg "clip_image002[17]")
![clip_image002[19]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102750765-1504769618.jpg "clip_image002[19]")
![clip_image001[17]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102751364-1416955067.png "clip_image001[17]")
算出
![clip_image001[19]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102752050-761365942.png "clip_image001[19]")
然后有个很坑的地方:这题的flag不是ciscn{}规范的。导致我按了很多次get flag按键,然后随便提交一个,导致被禁赛30min。
![clip_image001[21]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102752865-1010462910.png "clip_image001[21]")
得到flag。
Web:
easyweb:
![clip_image001[23]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102800670-1362537200.png "clip_image001[23]")
![clip_image002[21]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102801657-1580272757.jpg "clip_image002[21]")
复制这个token
![clip_image002[23]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102802929-1185456098.jpg "clip_image002[23]")
得到flag。