web1
Right click to view the source code to get the flag
web2
Right-click is disabled; press Ctrl+U to view the source code and get the flag
web3
Capture the packet to get the flag
web4
The challenge title hints at robots; dirsearch will also find it in a scan
Visit robots.txt
Then visit /flagishere.txt to get the flag
web5
The title hints that the source code is leaked; scan with dirsearch
Visit index.phps to get the flag
web6
Scan with dirsearch again
Visit www.zip
Visit /fl000g.txt to get the flag
web7
A Git leak; it can also be found by scanning with dirsearch
Just visit
web8
Continue to scan with dirsearch
Just visit
web9
Same steps as above; the scan finds /index.php.swp
web10
Find the flag in the cookie
web11
Official hint: domain names can also hide information; for example, flag.ctfshow.com hides a message
Because the TXT record is updated dynamically and will change, the challenge gives the answer directly
web12
dirsearch finds robots.txt
Then go to /admin/, where there is a login page that requires an account name and password. Guess that the account name is admin, and scroll to the bottom of the page to find the password
web13
Found at the bottom of the page
Click to find the login address and account password, log in to get the flag
web14
Visit the editor, as the title hints
You can read any file
web15
Visit the /admin page (dirsearch can find it) to reach the back-end login system, then click to change the password
It asks which city; there is a QQ number at the bottom of the homepage
Searching for it shows Xi'an
After submitting, you will get the password, user name teacher admin, log in and get the flag
web16
Visit /tz.php (dirsearch can find it)
Click to enter phpinfo and search for ctfshow to get the flag
web17
Access backup.sql (dirsearch can find it)
web18
View the JS
Unicode-decode it to get the flag
web19
View the source code
Submit to get the flag
web20
Visit /db/db.mdb, open it with Notepad and search for flag
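
Most of the leaks above (index.phps, www.zip, the Git directory, index.php.swp, tz.php, backup.sql, db/db.mdb) are files left behind in the web root. As an added example that is not part of the original writeup, a pre-deployment check that walks a local web root and reports such leftovers; the function names, the rule list and the sample tree are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile

# Leftover artifacts of the kinds this writeup relies on (assumed rule set, extend as needed).
RULES = [
    ("source copy", "*.phps"),         # web5: index.phps
    ("site archive", "*.zip"),         # web6: www.zip
    ("editor swap file", "*.swp"),     # web9: index.php.swp
    ("database dump", "*.sql"),        # web17: backup.sql
    ("database file", "*.mdb"),        # web20: db/db.mdb
    ("server probe page", "tz.php"),   # web16: tz.php exposing phpinfo
]
VCS_DIRS = {".git"}                     # web7: version-control metadata


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for files that should not be served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel.replace(os.sep, "/"), "version-control metadata"))
                dirnames.remove(d)      # do not descend into the repository itself
        for name in filenames:
            for reason, pattern in RULES:
                if fnmatch.fnmatch(name.lower(), pattern):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append((rel.replace(os.sep, "/"), reason))
                    break
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample web root mixing legitimate files and leftovers."""
    for rel in ["index.php", "index.phps", "index.php.swp", "www.zip",
                "backup.sql", "tz.php", "db/db.mdb", ".git/HEAD", "css/site.css"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in audit_webroot(tmp):
            print(f"{path}: {reason}")
```

Run it against the directory that will be published and fail the deployment when the returned list is not empty.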