Routarded Points: 1
Description:
Wow, they forwarded http on a router with default creds? It must be my birthday!
http://routarded_87f7837f50a5370771b9467d840c93c5.2014.shallweplayaga.me:5000/
我不会向你叙述一个汉语狗由于对It must be my birthday的错误理解引起的辛酸历程...
题目已说明可以用默认凭据登录服务器(HTTP基础认证).先用BurpSuite跑了几遍,没有结果,后来google默认密码,才发现自己忘记尝试空用户名
故使用
Username:
Password:admin
成功登录
登录后发现web提供一个ping功能,看了下,这是最直观的输入点,尝试:
localhost;ls
发现;被过滤,不过很明显只是浏览器端JS做的过滤,服务端并没有再做校验(前端过滤不构成防护,输入看起来是被直接拼进了shell命令)
禁用该JS后提交,列出目录
bower_components
flag
requirements.txt
routarded.py
static
templates
接着
localhost;cat flag
即可
Hackertool Points: 1
Description:
hey, we need to check that your connection works, torrent this file and md5 it
http://services.2014.shallweplayaga.me/hackertool.torrent_fe3b8b75e9639d35e8ac1d9809726ee2
题目给出一个种子文件,大约4M,会下载一个every_ip_address.txt的文件.要求给出文件的MD5
起初下载了一部分,发现就是单纯的IP信息,以0A(换行符)分隔,但是没想到要自己构造.后想了各种思路,分析了torrent格式,种子中只提供了info信息的info_hash,尤其是官方给出这样一个提示后:
KINDA A HINT FOR HACKERTOOL: http://imgur.com/XCtMjJ2
说什么限速到1KB/s,然后就傻乎乎去看数据包里有没有猫腻.
最后才开始从0.0.0.0跑到255.255.255.255看MD5
测试脚本如下:
import hashlib,time
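def ip_list_md5(octets=256, progress=None):
    """Return the hex MD5 of the list of dotted-quad addresses, one per line.

    The hashed text is "a.b.c.d\n" for every combination of the four octets
    in ascending order (0.0.0.0 first), which is how the original script
    rebuilt every_ip_address.txt.

    Args:
        octets: number of values per octet; 256 gives the full IPv4 range,
            smaller values make a quick self-check possible.
        progress: optional callable invoked with the first octet (as text)
            each time one first-octet block has been hashed.

    Returns:
        The hexadecimal MD5 digest as a string.
    """
    digest = hashlib.md5()
    octet_text = [str(n) for n in range(octets)]
    for a in octet_text:
        for b in octet_text:
            for c in octet_text:
                prefix = a + "." + b + "." + c + "."
                # Hash one a.b.c.* group per update() call. The original
                # printed every address and called update() once per line,
                # which is where most of its run time went.
                chunk = "".join([prefix + d + "\n" for d in octet_text])
                digest.update(chunk.encode("ascii"))
        if progress is not None:
            progress(a)
    return digest.hexdigest()


if __name__ == "__main__":
    starttime = time.time()

    def report_elapsed(first_octet):
        # Elapsed seconds so far, printed once per first octet.
        print(time.time() - starttime)

    print(ip_list_md5(progress=report_elapsed))
    print(time.time() - starttime)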
速度略慢,考虑过多线程,写了这样一个Demo:
import hashlib
from threading import Lock, Thread
# Shared state for the threaded variant. The worker threads only touch these
# while holding `lock`.
m = hashlib.md5()  # running digest over every generated address line
lock = Lock()
now = 0            # next last-octet value to emit for the current prefix
ip = 0             # placeholder; the main loop rebinds this to an "a.b.c." prefix
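class IncrementThread(Thread):
    """Worker thread that feeds one address line into the shared digest.

    Each run takes the current module-level prefix ``ip`` and counter
    ``now``, builds "<prefix><now>\n", bumps the counter, prints the line
    and updates the shared MD5 object ``m``. All of that happens while
    holding ``lock``, so the lines are hashed strictly one after another.
    """

    def run(self):
        global now
        # `with` releases the lock even if building or hashing the line
        # raises; a bare acquire()/release() pair would leave every other
        # worker blocked forever in that case.
        with lock:
            genip = ip + str(int(now)) + '\n'
            now += 1
            print(genip)
            m.update(genip)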
def use_increment_thread():
    """Start 256 IncrementThread workers and wait until all have finished."""
    workers = []
    for _ in range(256):
        worker = IncrementThread()
        workers.append(worker)
        worker.start()
    # Block until every worker has hashed its line before returning.
    for worker in workers:
        worker.join()
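# Walk every a.b.c. prefix in ascending order; for each one reset the shared
# counter and let 256 worker threads hash the lines a.b.c.0 to a.b.c.255.
# The original `global ip,now` inside this loop is dropped: a `global`
# statement at module scope has no effect, the names are already module-level.
for a in range(256):
    for b in range(256):
        for c in range(256):
            now = 0
            ip = str(a) + "." + str(b) + "." + str(c) + "."
            use_increment_thread()
print(m.hexdigest())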
写完就发现,线程锁可能更耗时间(所有线程都在同一把锁里串行执行,并没有真正并行,反而多了线程创建和切换的开销).事实也证明是这样子.
后来默默的等第一个脚本跑完,得到flag
感谢官方给我们一个这么认真学习种子文件知识的机会
3DTTT Points: 1
Description:
Play well and play fast.
3dttt_87277cd86e7cc53d2671888c417f62aa.2014.shallweplayaga.me:1234
一个3D的井字棋游戏,无奈玩2D的赢起来都费劲...
靠脚本取胜50轮可得到flag
#!/usr/bin/env python2
import itertools
import socket
import random
import os
import time
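def read_until(s, u):
    """Receive from *s* until the accumulated data ends with *u*.

    Args:
        s: connected socket-like object providing ``recv(bufsize)``.
        u: delimiter the accumulated data must end with.

    Returns:
        Everything received so far, including the trailing delimiter.

    Raises:
        AssertionError: if the peer closes the connection (``recv`` returns
            an empty value) before the delimiter has arrived.
    """
    d = ""
    while not d.endswith(u):
        c = s.recv(4096)
        if not c:
            # Show what arrived before the connection closed, then fail
            # explicitly. A bare `assert` is stripped under `python -O`,
            # which would leave this loop spinning on empty reads.
            print(d)
            raise AssertionError("connection closed before delimiter was received")
        d += c
    return d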
# Connect to the challenge service; the same socket is used for every round.
s = socket.socket()
s.connect((
    "3dttt_87277cd86e7cc53d2671888c417f62aa.2014.shallweplayaga.me",
    1234,
))

# Board glyph as printed by the server -> cell state used by the solver.
cs = {
    " ": "free",
    "X": "X",
    "O": "O",
}

# Per-cell score table, filled in by annotate().
fieldAnnotated = {}

# Weights used when scoring cells.
preferencesVector = {
    'corners': 1,
    'centers': 2,
    'attack': 3,
    'defense': 4,
}
def annotate(field):
    """Score every cell of the 3x3x3 board and return the score table.

    Fills the module-level ``fieldAnnotated`` dict in place, one
    ``{'attack', 'defend', 'niceness'}`` counter dict per (x, y, z) key,
    and returns that same dict. ``field`` maps (x, y, z) tuples to the cell
    states "free", "X" or "O".

    NOTE(review): the published listing lost its indentation; the nesting
    below is reconstructed from the control flow -- confirm against the
    original script.
    """
    # Pass 1: reset each cell's counters, then for free cells count the lines
    # through the cell whose other two cells are both "X" (attack) or both
    # "O" (defend). Presumably "X" is the solver's own mark -- confirm.
    for x,y,z in itertools.product(range(3), repeat = 3):
        fieldAnnotated[x,y,z] = { 'attack':0, 'defend':0, 'niceness':0 }
        if field[x,y,z] == "free":
            for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                if (dx,dy,dz) == (0,0,0): continue
                # d == 0: the cell is the middle of the line p3-p2-p1;
                # d == 1: the cell is the end p3 of the line.
                for d in xrange(2):
                    p1 = x+dx+d*dx, y+dy+d*dy, z+dz+d*dz
                    p2 = x+ 0+d*dx, y+ 0+d*dy, z+ 0+d*dz
                    p3 = x-dx+d*dx, y-dy+d*dy, z-dz+d*dz
                    # Skip lines that leave the board.
                    if any( p not in field for p in [p1,p2,p3] ): continue
                    s1,s2,s3 = field[p1],field[p2],field[p3]
                    if ("X","X") in [(s1,s2),(s2,s3),(s3,s1)]:
                        fieldAnnotated[x,y,z]['attack'] += 1
                    elif ("O","O") in [(s1,s2),(s2,s3),(s3,s1)]:
                        fieldAnnotated[x,y,z]['defend'] += 1
    # Pass 2: for every corner holding "X", reward the cell two steps away
    # when both it and the cell in between are free. Targets with any
    # coordinate equal to 0 are skipped.
    for x1,y1,z1 in itertools.product(range(0,3,2), repeat = 3):
        if field[x1,y1,z1] == "X":
            for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                x2,y2,z2 = x1+2*dx, y1+2*dy, z1+2*dz
                if ( not (x2,y2,z2) in field ) or any( d == 0 for d in [x2,y2,z2] ): continue
                if field[x2,y2,z2] == "free" and field[x1+dx,y1+dy,z1+dz] == "free":
                    #print "taking max distant corner..."
                    fieldAnnotated[x2,y2,z2]['niceness'] += preferencesVector['centers'] + 1
    # Pass 3: positional bonuses. Note the weight names are swapped relative
    # to the geometry: free corners get the 'centers' weight, while the cube
    # centre and the cells around it get the 'corners' weight.
    for x1,y1,z1 in itertools.product(range(0,3,2), repeat = 3):
        if field[x1,y1,z1] == "free":
            fieldAnnotated[x1,y1,z1]['niceness'] += preferencesVector['centers']
    if field[1,1,1] == "free":
        fieldAnnotated[1,1,1]['niceness'] += preferencesVector['corners'] + 2
    # Offsets with at least two zero components: the six face centres.
    for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
        if (dx,dy,dz) == (0,0,0) or (0,0) not in [(dx,dy),(dy,dz),(dz,dx)]: continue
        if field[1+dx,1+dy,1+dz] == "free":
            fieldAnnotated[1+dx,1+dy,1+dz]['niceness'] += preferencesVector['corners'] + 1
    # Offsets with at least one zero component: face centres again plus the
    # edge midpoints.
    for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
        if (dx,dy,dz) == (0,0,0) or 0 not in [dx,dy,dz]: continue
        if field[1+dx,1+dy,1+dz] == "free":
            fieldAnnotated[1+dx,1+dy,1+dz]['niceness'] += preferencesVector['corners'] + 0
    return fieldAnnotated
def highestRankedCell(fieldAnnotated):
    """Return ``(cell, rank)`` for the best-scoring cell of the board.

    The rank of a cell is its attack count times 10 times the 'attack'
    weight, plus its defend count times 10 times the 'defense' weight, plus
    its niceness. Cells are visited in itertools.product order and only a
    strictly higher rank replaces the current best, so the first cell wins
    ties. If no cell ranks above 0 the result is ``((0, 0, 0), 0)``.
    """
    bestCell = 0, 0, 0
    bestRank = 0
    for cell in itertools.product(range(3), repeat=3):
        scores = fieldAnnotated[cell]
        rank = (
            scores['attack'] * 10 * preferencesVector['attack']
            + scores['defend'] * 10 * preferencesVector['defense']
            + scores['niceness']
        )
        if rank > bestRank:
            bestRank, bestCell = rank, cell
    return bestCell, bestRank
# Game loop: read the board up to the move prompt, parse it, score the cells
# and send the chosen move. Runs until read_until() fails.
while True:
    boardLines = read_until(s, "Choose Wisely (x,y,z): ").split("\n")
    assert(len(boardLines) != 1)

    # Rebuild the board from the server's text rendering.
    field = {}
    for row in boardLines:
        print(row)
        if row.startswith(" x 0 1 2 z="):
            # Layer header: the last character is the z index.
            z = int(row[-1])
        elif row.startswith(("0 ", "1 ", "2 ")):
            # Board row: leading digit is y, cells sit at every 4th column
            # starting at column 3.
            y = int(row[0])
            for x, c in enumerate(row[3::4]):
                field[x, y, z] = cs[c]

    preferencesVector = {
        'corners': 1,
        'centers': 2,
        'attack': 3,
        'defense': 4,
    }
    fieldAnnotated = annotate(field)
    (x, y, z), rank = highestRankedCell(fieldAnnotated)

    # No cell scored above zero: fall back to a random free cell.
    while rank == 0:
        x, y, z = [random.randrange(3) for _ in range(3)]
        if field[x, y, z] == "free":
            print("taking random, how desperate...")
            break

    print("choosing %d,%d,%d cause of overall rank %d %s" % (x, y, z, rank, fieldAnnotated[x, y, z]))
    s.sendall("%d,%d,%d\n" % (x, y, z))
赛中还有很多有趣的经历,其他题目也会在后续Writeup中描述我们的解决思路.
最后L的Achievements
@le4f Zing To1ight Luo DM_ Nobody::L TEAM::