Shulou(Shulou.com)06/01 Report--

In Zhihu to find an answer about the introduction to CTF, the respondent gave professional advice and some corresponding training platforms, here I tried a few, their own half-level, can only play some simple, here to record their own process, these are basically able to find customs clearance secret books (how do I know? Yes, I am too bad to go through customs to check the secret books), I wrote it down as my own memo, Daniel, please ignore it.

ISA TEST looks like a Mini Game made by the Information Security Association of the computer School of Shenzhen Vocational and Technical College, a total of 7 hurdles, the difficulty is low, I can do this kind of scum, but the last level is still checked writeup.

The first level:

And similar game routines, the first pass is very simple, the password must be hidden in the web source code, look at the source code in the comments to get the password is 26212baa24fecb0e22ebb545534ea766, the password is automatically randomly generated, the password here is not meaningful. Move on to the next level.

Second level, simple encryption

Just before I learned some simple encryption knowledge, I can see that this is a password encrypted by base64 (also randomly generated). Go to a website that can decrypt base64 to get dd94ee970c52d62052ff6f635bf5eaa7 and enter the third level.

The third level is a topic that bypasses local verification:

Looking at the source code, it is found that function check () will be triggered when the form is submitted. Through the function code in the source code, we can see that the function of this function is to determine whether the password box is empty, if it is empty, it indicates that the password cannot be empty, and if it is not empty, it determines whether the length is more than 30 bits (if you submit without any modification or enter any password longer than 30) If it exceeds 30 characters, the password length cannot exceed 30. If it is neither empty nor less than 30, the password is balabala, and then change the contents of the box to this password. In either case, the function will return false, that is, the submission cannot be completed. So our idea here is to bypass this function, and here are two ways of thinking. One is: since verification is achieved by calling the js function, disable js. The chrome browser I use can disable the js script for this domain name alone. After disabling it, refresh it and enter the fourth level again, but don't forget to enable js again. The second idea is to use firebug's powerful real-time web page modification function to skip the step of calling the function, such as changing the onsubmit event to "return true" (as shown below), and submit the form anyway, so that you can enter the next level and see a hint of successful customs clearance.

Level 4:

This is also a very common practice of hiding key in a file. The picture of the community logo is downloaded locally and opened into hexadecimal and text with UE. According to the general routine, pull it directly to the bottom of the file and see

…… We can feel the author's sincere and urgent desire for us to find the password.

Level 5:

A social work question:

The house number of the association, this is going to look for it on the relevant website of the association. First go to the main domain name, which is a home page, link to forums, games, etc., and enter the forum. It is not difficult to find an introduction about the association at the bottom of the page. Of course, there is also a house number 401.

Level 6:

The hints of this game usually play two roles: providing clues or disturbing thoughts. Here is the former. The author said that he had already given it to me. My first reaction was to hide in the previous levels. I had no idea to ignore it. I went over the previous topic from the beginning, and did not find it. I wondered if the server gave me the http response package, whether it would be hidden in the bag, or whether it would be hidden in the cookie. Here tentatively use the very powerful plug-in edit this cookie on chrome to take a look. Sure enough, there is an ISA_Level_6_password in cookie, and its value is the customs clearance password.

The last level: this is what I think is the most difficult, difficult and interesting level. To be honest, I didn't do it. I searched the answer. I didn't understand what the author said that habitual thinking would hinder me. And the author said he told me the password. I checked the cookie and grabbed the bag. I didn't find any valuable information. In the end, I couldn't find the answer. It seems that my brain is not big enough. The author did tell us what the password is, because the password is "what".

This clearance game is relatively simple, suitable for me as a novice, and it is also very interesting. I think the interface is great, which can make me feel like a layman YY.

Again, I am scum, this article is only a memo, if there is anything wrong (there must be) also ask for your advice, I am also studying hard.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.