[b01lers2020]Welcome to Earth

[b01lers2020]Welcome to Earth

打开题目后,页面会自动跳转到:

http://8105f9c9-1769-4152-bbf9-def72f06cd64.node5.buuoj.cn:81/die/

我们查看网页源代码,然后删除后面的/die/,刷新

// Landing-page key handler: Escape (keyCode 27) is the only key that leads to
// /chase/; every other key press calls die().
document.onkeydown = function (evt) {
  evt = evt || window.event; // fall back to the global event object when none is passed
  if (evt.keyCode != 27) {
    die();
    return;
  }
  evt.preventDefault();
  window.location = "/chase/";
};

发现另外一个跳转的路径/chase/,访问后

/**
 * Waits for sleep(1000) to settle, then calls die().
 */
async function dietimer() {
  const delayMs = 1000;
  await sleep(delayMs);
  die();
}

/** Navigates the browser to the /die/ page. */
function die() {
  const deadEnd = "/die/";
  window.location = deadEnd;
}

/** Navigates to /die/, the same target as die(). */
function left() {
  const target = "/die/";
  window.location = target;
}

/**
 * Navigates to /leftt/. Among the helpers visible in this listing it is the
 * only one whose target is not /die/.
 */
function leftt() {
  const nextStage = "/leftt/";
  window.location = nextStage;
}

function right() {
window.location = "/die/";

发现第二个路径/leftt/,访问

<!-- <button onClick="window.location='/shoot/'">Take the shot</button> -->

在注释这里发现了第三个路径/shoot/,访问

<!-- The Continue button's inline onClick handler navigates to /door/. -->
<img src="/static/img/parachute.png" alt="parachute" style="width:60vw;" />
<button onClick="window.location='/door/'">Continue</button>

这里发现了第四个路径 /door/,访问后页面源码里没有新的路径,但是调用了一个函数


函数不可能凭空出现,肯定是加载的js里面的函数,向上查找发现了js文件,/static/js/door.js,访问

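/**
 * Handler for the door form: takes the value of the checked control in
 * #door_form and compares it with a random integer in the range 0..359.
 *
 * The whole decision is made in the browser, so both outcomes ("/open/" and
 * "/die/") are readable from this file; a check that is meant to gate access
 * has to be enforced on the server.
 *
 * @returns {void} Navigates to "/open/" on a match, otherwise to "/die/".
 */
function check_door() {
  const controls = document.getElementById("door_form").elements;
  let guess = null;

  // If several controls are checked, the last one wins.
  for (const control of Array.from(controls)) {
    if (control.checked) guess = control.value;
  }

  // Declared locally: a bare `rand = ...` creates an implicit global and
  // throws a ReferenceError in strict mode or in an ES module.
  const rand = Math.floor(Math.random() * 360);

  // No selection (null) never matches; a string value is compared numerically.
  const matched = guess !== null && rand === Number(guess);
  window.location = matched ? "/open/" : "/die/";
}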

发现了/open/路径,又发现调用了函数,肯定是js文件,继续查看


<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<!-- The only script this page loads; the inline script at the end of <body> calls open(0). -->
<script src="/static/js/open_sesame.js"></script>
</head>
<body>
<h1>YOU FOUND THE DOOR!</h1>
<p>How do you open it?</p>
<img src="/static/img/door.jpg" alt="door" style="width:60vw;" />
<script>
open(0);
</script>
</body>
</html>
//  /static/js/open_sesame.js
/**
 * Returns a promise that resolves, with no value, once a setTimeout of `ms`
 * milliseconds fires.
 *
 * @param {number} ms - Delay passed to setTimeout.
 * @returns {Promise<void>}
 */
function sleep(ms) {
  return new Promise((done) => {
    setTimeout(done, ms);
  });
}

/**
 * Counter loop started by the /open/ page: every call schedules open(i + 1)
 * after sleep(1) and redirects to /fight/ only when i equals 4000000000.
 *
 * At one step per millisecond that is at least 4,000,000,000 ms (roughly 46
 * days), while the route name itself is visible to anyone who reads this file.
 *
 * @param {number} i - Current counter value.
 */
function open(i) {
  const scheduleNext = () => {
    open(i + 1);
  };
  sleep(1).then(scheduleNext);

  if (i == 4000000000) {
    window.location = "/fight/";
  }
}

发现了/fight/路径


<!DOCTYPE html>
<html>
<head>
<title>Welcome to Earth</title>
<!-- The only script this page loads; the Fight! button below calls check_action(). -->
<script src="/static/js/fight.js"></script>
</head>
<body>
<h1>AN ALIEN!</h1>
<p>What do you do?</p>
<img
src="/static/img/alien.png"
alt="door"
style="width:60vw;"
/>
</br>
<input type="text" id="action">
<button onClick="check_action()">Fight!</button>
</body>
</html>

又调用函数,那还是js文件呗

// Run to scramble original flag
//console.log(scramble(flag, action));
/**
 * Permutes `flag` in place, driven by the characters of `key`, and returns
 * the same array.
 *
 * For each index i of `key`, the element at i is swapped with the element at
 * (char code of key[i]) modulo the current length of `flag`.
 *
 * @param {Array} flag - Array to permute; it is mutated.
 * @param {string} key - String whose char codes pick the swap partners.
 * @returns {Array} The mutated `flag` array.
 */
function scramble(flag, key) {
  let pos = 0;
  while (pos < key.length) {
    const partner = key.charCodeAt(pos) % flag.length;
    [flag[pos], flag[partner]] = [flag[partner], flag[pos]];
    pos += 1;
  }
  return flag;
}

/**
 * Click handler for the Fight! button. It reads the text typed into the
 * #action input and builds the array of flag fragments, then stops: the
 * unscramble step is still a TODO, so nothing is compared or displayed.
 *
 * The fragments are delivered to the browser inside this file, so they are
 * readable whether or not the function is ever completed.
 */
function check_action() {
  const typedAction = document.getElementById("action").value;
  const fragments = [
    "{hey",
    "_boy",
    "aaaa",
    "s_im",
    "ck!}",
    "_baa",
    "aaaa",
    "pctf",
  ];

  // TODO: unscramble function
}

终于找到了flag的各个片段,但unscramble函数没有实现,还得自己按语义拼:pctf + {hey + _boy + s_im + _baa + aaaa + aaaa + ck!},晕

pctf{hey_boys_im_baaaaaaaaaack!}