MISC:
验证码:
用token登录
输入好验证码就可以得到flag
Picture:
图片隐写,一下就想到binwalk或者winhex打开试试
![clip_image001[5]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102734679-1440399183.png "clip_image001[5]")
binwalk打开无果
![clip_image001[7]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102738883-1724567380.png "clip_image001[7]")
将这段数据ctrl+shift+c复制出来
用下面python脚本生成zip文件。
import zlib
import binascii
import base64
id=””
r = zlib.decompress(binascii.unhexlify(id))
r = base64.b64decode(result)
fount = open(r"2.zip","wb")
fount.write(r)
fount.close()
![clip_image002[5]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102741643-1804382919.jpg "clip_image002[5]")
压缩包提示。
根据这个“ZeroDivisionError:”搜索
![clip_image001[9]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102742270-1570943481.png "clip_image001[9]")
然就知道压缩密码了。
![clip_image002[7]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102743507-1036963222.jpg "clip_image002[7]")
打开弹出这个信息。
然后又拿出winhex看了下
![clip_image001[11]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102744518-90927843.png "clip_image001[11]")
然后输入压缩密码打开
发现code文件如下
![clip_image002[9]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102745554-1319231503.jpg "clip_image002[9]")
Uuencode解码即可
得到flag:
![clip_image001[13]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102746401-1790497017.png "clip_image001[13]")
RUN:
![clip_image001[15]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102747245-1227228.png "clip_image001[15]")
根据提示,要沙箱逃逸?
然后getshell。
然后百度谷歌了遍
命令都是瞎凑的。
![clip_image002[11]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102748250-371876446.jpg "clip_image002[11]")
然后发现很多库和命令都被ban了。
逃逸这个词,一开始我不是很理解。
然后群里管理员说是有点web
可能这些命令都被‘过滤’了吧。
然后一个个试绕过。
![clip_image002[13]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102748862-2034598752.jpg "clip_image002[13]")
![clip_image002[15]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102749579-1339065329.jpg "clip_image002[15]"){kind=small}
得到flag。
这里很坑的是func_globals也会被‘过滤’。
CRYPTO:
flag_in_your_hand:
下载文件解压
得到html和js
![clip_image002[17]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102750398-1835512254.jpg "clip_image002[17]")
![clip_image002[19]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102751087-2027419081.jpg "clip_image002[19]")
![clip_image001[17]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102751684-1061053048.png "clip_image001[17]")
算出
![clip_image001[19]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102752457-273193502.png "clip_image001[19]")
然后有个很坑的地方:这题的flag不是ciscn{}规范的。导致我按了很多次get flag按键,然后随便提交一个,导致被禁赛30min。
![clip_image001[21]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102753320-1079225966.png "clip_image001[21]")
得到flag。
Web:
easyweb:
![clip_image001[23]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102801093-1290608089.png "clip_image001[23]")
![clip_image002[21]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102802257-649084303.jpg "clip_image002[21]")
复制这个token
![clip_image002[23]](https://images2018.cnblogs.com/blog/1330447/201804/1330447-20180430102803653-1403259273.jpg "clip_image002[23]")
得到flag。