Dream light CTF mini-game walkthrough


Introduction: To play this game, you need basic knowledge of JS, encoding and decoding, XSS, SQL injection, image steganography, reverse engineering, etc.

Game address: http://monyer.com/game/game1

Enter level 1:

Entrance tip: "Please click on the link to enter the first level: the link is on the left → ← the link is on the right." After looking around for the clickable link, do the normal thing: inspect the element (or view the page source), at which point "first.php" comes into view.

Get the entrance address of the first level: http://monyer.com/game/game1/first.php

Enter level 2:

Apart from a text input box and a submit button, the challenge gives no hint. So start with the basic operation again: inspect the element and find the keyword "hello.php".
The answer is: hello
Get the entry address of the second level: http://monyer.com/game/game1/hello.php
Enter the third level:

Basic operation: inspect the element and analyze the JS code. The jump address of the next level depends on the variable a, which has to be calculated. The calculation given in the code is cumbersome, and honest people can choose to work it out by hand. A little trick: you can view the value of the variable directly in the console. The value of a is 424178 (see the figure below for the steps).
The answer is: 424178
Get the entry address of the third level: http://monyer.com/game/game1/424178.php

Enter level 4:

It is the same routine again: first inspect the element, analyze the code, and find this statement:

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,99,104,101,99,107,40,41,123,13,10,09,118,97,114,32,97,32,61,32,39,100,52,103,39,59,13,10,09,105,102,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,116,120,116,39,41,46,118,97,108,117,101,61,61,97,41,123,13,10,09,09,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,97,43,34,46,112,104,112,34,59,13,10,09,125,101,108,115,101,123,13,10,09,09,97,108,101,114,116,40,34,23494,30721,38169,35823,34,41,59,13,10,09,125,13,10,125));

Here String.fromCharCode() converts the values in the brackets into the corresponding string, and eval() executes the content in the brackets as JS code. So the way to solve the level is to find out which JS code string that long list of numbers converts to, and analyze it to get the answer.

View the converted code string: execute the original expression String.fromCharCode(102,117,110,99,116,…) directly in the console (see the figure below).
Analysis shows that the link address of the next level depends on the value of the variable a, which is: d4g
The answer is: d4g
Get the entry address of the 4th level: http://monyer.com/game/game1/d4g.php
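The same decoding can be done without running the page's code at all. The following is an added example, not part of the original post: it treats the eval(String.fromCharCode(...)) statement from this level as text, decodes the number list as data, and pulls the string assignment out of the result. The function names are assumptions chosen for illustration.

```javascript
// The obfuscated statement from the level's page source, kept as a plain string.
const pageScript = "eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,99,104,101,99,107,40,41,123,13,10,09,118,97,114,32,97,32,61,32,39,100,52,103,39,59,13,10,09,105,102,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,116,120,116,39,41,46,118,97,108,117,101,61,61,97,41,123,13,10,09,09,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,97,43,34,46,112,104,112,34,59,13,10,09,125,101,108,115,101,123,13,10,09,09,97,108,101,114,116,40,34,23494,30721,38169,35823,34,41,59,13,10,09,125,13,10,125));";

// Decode the argument list of every String.fromCharCode(...) call found in
// `source`. The numbers are parsed as decimal data (so "09" is 9) and nothing
// taken from the page is ever handed to eval().
function decodeCharCodeCalls(source) {
  const decoded = [];
  const callPattern = /String\.fromCharCode\(([\d\s,]+)\)/g;
  for (const match of source.matchAll(callPattern)) {
    const codes = match[1].split(",").map((n) => Number.parseInt(n.trim(), 10));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Collect quoted string assignments of the form: var name = '...';
function findStringAssignments(code) {
  const found = {};
  for (const m of code.matchAll(/var\s+(\w+)\s*=\s*(['"])(.*?)\2/g)) {
    found[m[1]] = m[3];
  }
  return found;
}

const hiddenCode = decodeCharCodeCalls(pageScript);
console.log(hiddenCode[0]);                        // the hidden check() function
console.log(findStringAssignments(hiddenCode[0])); // the variable the check compares against
```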
Enter level 5:

This level is a bit trivial. After arriving at this level through the address obtained from the previous level, the page soon jumps back to the previous level automatically. It seems it is time to test hand speed: view the source code before the jump and analyze it, and once again meet the eval() function:
The answer is: 3BHE1
Get the entry address of level 5: http://monyer.com/game/game1/3BHE1.php

Enter level 6:

The prompt says that the password is hidden in the page. First, inspect the element; looking around expectantly turns up nothing meaningful, so proceed to the next routine operation: check the page request, response headers, cookies and other information. Sure enough, a sentence comes into view: the password for the next level is asdf (see the picture below).
Submit the answer: asdf
Get the entry address of the 6th level: http://monyer.com/game/game1/asdf.php
Enter level 7:

The challenge shows a defaced Google search image. Based on the available information, the answer should be the name of a magazine website, and the picture reveals the magazine's summary text: Get the latest fashion, beauty, dating, and health tips...

So go directly to Google first:
Submit the answer: Seventeen. The result is a 404 error. The initial judgment is that capitalization may be the reason, so change it to seventeen and submit again.
Answer: seventeen
Get the entry address of level 7: http://monyer.com/game/game1/seventeen7.php

Enter level 8:

The question prompt is too obvious: MD5? Good guy, go directly to cmd5.com:
Answer: eighteen8
Submit to get the entry address of level 8: http://monyer.com/game/game1/seventeen7.php

Here the game's author has dug another small hole. After submitting the answer, the page displays Not Found, making the solver think that the answer is wrong. In fact, if you look carefully, you will find that this 404 is different from the normal 404. Inspect the elements further and there is an easter egg that gives the entry address of the next level: the sum of the prime numbers within 10000, followed by .php
Enter level 9:

According to the easter egg in the previous level, solving this question requires the sum of the prime numbers within 10,000. It is a difficult programming question for freshmen. I have the code (Python):

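def zhishu(num=None):
    """Return num if it is prime, otherwise 0 (zhishu = prime number)."""
    if num is None or num < 2:
        return 0
    i = 2
    # Trial division: the first divisor found means num is not prime.
    while i < num:
        if num % i == 0:
            return 0
        i += 1
    return num


def prime_sum(limit=10000):
    """Add up every prime below limit (renamed so the built-in sum() is not shadowed)."""
    total = 0
    for i in range(limit):
        total += zhishu(i)
    return total


print(prime_sum())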

Running result: 5736396 (see the picture below)
Get the entry address of the 9th level: http://monyer.com/game/game1/5736396.php

Enter the tenth level:
Sure enough, programmers know programmers best? I dare not screenshot the whole picture, for fear of being blocked:

Judging from the challenge, the picture is probably steganographic. To solve it, save the picture to the computer and open it with Notepad++ (many tools will do, WinHex, etc.). After opening it, check the content; the password is hidden inside the beauty's flesh:
The answer is: MonyerLikeYou_the10level

Get the entry address of level 10: http://monyer.com/game/game1/MonyerLikeYou_the10level.php

Enter level 11:
According to the prompt, the cookie content certainly needs to be modified. Finally I can bring out my HackBar. Inspect the element, select HackBar, click "Load URL", change the value of username in the cookie from "simpleuser" to "admin", and finally click Execute:
After execution, the page gives the answer directly: doyouknow. After submitting the answer, enter the 11th level.
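This level works because the server accepts the username cookie exactly as the browser sends it. The following is an added example, not code from the game or the original post: it puts that trusting check beside a variant that signs the cookie value with an HMAC, written for Node.js. The function names, the cookie layout and the secret are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumption: a server-side secret that is never sent to the browser.
const SECRET = crypto.randomBytes(32);

// Parse "k=v; k2=v2" from a Cookie request header into an object.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Weak: the role is whatever the client claims (the pattern this level relies on).
function isAdminTrusting(cookieHeader) {
  return parseCookies(cookieHeader).username === "admin";
}

// Hardened: the value is "<name>.<hex HMAC of name>", so an edited name no
// longer matches its tag. Assumes names contain only letters, digits and "_".
function issueUserCookie(username) {
  const tag = crypto.createHmac("sha256", SECRET).update(username).digest("hex");
  return `username=${username}.${tag}`;
}

function isAdminVerified(cookieHeader) {
  const raw = parseCookies(cookieHeader).username || "";
  const dot = raw.lastIndexOf(".");
  if (dot < 0) return false; // unsigned value: reject
  const name = raw.slice(0, dot);
  const tag = Buffer.from(raw.slice(dot + 1), "hex");
  const want = crypto.createHmac("sha256", SECRET).update(name).digest();
  // Length check first: timingSafeEqual throws on buffers of unequal size.
  return tag.length === want.length && crypto.timingSafeEqual(tag, want) && name === "admin";
}

// Constructed demo: the edit described in this level, against both checks.
const issued = issueUserCookie("simpleuser");
const edited = issued.replace("simpleuser", "admin");
console.log(isAdminTrusting("username=admin"), isAdminVerified(edited));
```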
Enter level 12:

Because the session is set by the server according to the different requests from the client, we cannot modify the session directly, but we can make the server set a different session by modifying the request. Following the prompt, look at the value of the action parameter in the URL, "show_login_false". It can be guessed that there should be another value, "show_login_true", so modify the URL and submit. The result is as follows:
Submit the answer: smartboy, pass.

Enter the 13th level:
The challenge gives a long string of uppercase and lowercase letters and numbers. From experience, Base64-decode it first:
Decisively URL-decode the result:
The matryoshka begins; Base64-decode the result again:
Yes... URL-decode this result as well:
so beautiful ~
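The Base64 / URL-encoding nesting above can be peeled automatically. The following is an added example, not part of the original post: it keeps decoding while the text still looks URL-encoded or like Base64 of printable text, and records the order of the layers. The page does not reproduce the level's string, so the sample is constructed in the code with the same nesting order; all names are assumptions.

```javascript
// Returns the decoded text if `s` is well-formed Base64 that decodes to
// printable ASCII, otherwise null. This is a heuristic: a short plain word
// can also be valid Base64, so the printable check does the real filtering.
function tryBase64(s) {
  if (s.length === 0 || s.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return null;
  const text = Buffer.from(s, "base64").toString("utf8");
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// Returns the decoded text if `s` contains %XX escapes, otherwise null.
function tryUrlDecode(s) {
  if (!/%[0-9A-Fa-f]{2}/.test(s)) return null;
  try {
    return decodeURIComponent(s);
  } catch {
    return null; // malformed escape sequence: treat as not URL-encoded
  }
}

// Peel layers until neither decoder applies; maxDepth bounds the loop.
function peelLayers(input, maxDepth = 10) {
  const steps = [];
  let current = input;
  for (let i = 0; i < maxDepth; i++) {
    const url = tryUrlDecode(current);
    const b64 = url === null ? tryBase64(current) : null;
    if (url === null && b64 === null) break;
    steps.push(url !== null ? "url" : "base64");
    current = url !== null ? url : b64;
  }
  return { steps, text: current };
}

// Constructed sample with the same nesting as the level:
// Base64( URL( Base64( URL( plaintext ) ) ) )
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const sample = b64(encodeURIComponent(b64(encodeURIComponent("level 13 sample"))));
console.log(peelLayers(sample));
```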

So I submitted the answer: sobeautiful.php, and found that the page did not jump but just printed the submitted content on the page. So I tried modifying the URL directly to monyer.com/game/game1/sobeautiful.php. The result: a prompt that hotlinking is prohibited. It seems that the 13th level has to be reached by a jump from the page of the 12th level. (Note: anti-leeching detects which page the user came from and blocks the request if it was not a jump from an internal page.)

Now that there is a text input box and a submit button, you can use XSS to construct a tag to jump to the target url:

<a href="sobeautiful.php">sobeautiful.php</a>

Pass:
Enter level 14:
First inspect the element:
Find a SQL statement, guess blindly at SQL injection, and try submitting: 'or 1=1'

It takes no effort to get everything:
Submit the answer: whatyouneverknow
Enter level 15:

According to the challenge, click the hyperlink to download the Crackme program, then run it. It turns out that registration is required; fill in a registration code and try to register, but it fails. So:
Check for a packer with PEiD, unpack on Kali, reverse with OD, and find two suspicious strings: 9eeee9eb50eff979 and ipasscrackme.asp. The first guess is that the former is the registration code and the latter is the answer. Try to register: success:

Submit the answer: ipasscrackme.asp. The result is a 404 error. Remove the .asp suffix and submit again; the prompt says: you failed to set cookies to admin in the end.
It seems that the answer "ipasscrackme" is correct but the permissions are wrong, so use HackBar to modify the URL and cookie directly, and then resend:
Pass:


Origin blog.csdn.net/qq_41320433/article/details/112292010