BUUCTF WEB WELCOME TO THE EARTH

BUUCTF WEB WELCOME TO THE EARTH

日常刷题，打开场景，发现图片过了一段时间会变，看来有js代码
emmm，这题属于是送分题，找路径啥的属实没意思，不妨直接看最后的python脚本呢?
看页面内容

<!DOCTYPE html>
<html><head><title>Welcome to Earth</title></head><body><h1>AMBUSH!</h1><p>You've gotta escape!</p><img src="/static/img/f18.png" alt="alien mothership" style="width:60vw;" /><script&keydown = function(event) {event = event || window.event;if (event.keyCode == 27) {event.preventDefault();window.location = "/chase/";} else die();};function sleep(ms) {return new Promise(resolve => setTimeout(resolve, ms));}async function dietimer() {await sleep(10000);die();}function die() {window.location = "/die/";}dietimer();</script></body>
</html>

关键代码

 if (event.keyCode == 27) {event.preventDefault();window.location = "/chase/";} else die();};

给了chase目录，访问页面

function sleep(ms) {return new Promise(resolve => setTimeout(resolve, ms));}async function dietimer() {await sleep(1000);die();}function die() {window.location = "/die/";}function left() {window.location = "/die/";}function leftt() {window.location = "/leftt/";}function right() {window.location = "/die/";}

下一个hint:
leftt目录，访问

<!DOCTYPE html>
<html><head><title>Welcome to Earth</title></head><body><h1>YOU SHOT IT DOWN!</h1><p>Well done! You also crash in the process</p><img src="/static/img/parachute.png" alt="parachute" style="width:60vw;" /><button onClick="window.location='/door/'">Continue</button></body>
</html>

下一关：访问/door/

<!DOCTYPE html>
<html><head><title>Welcome to Earth</title><script src="/static/js/door.js"></script></head><body><h1>YOU APPROACH THE ALIEN CRAFT!</h1><p>How do you get inside?</p><img src="/static/img/ship.png" alt="crashed ship" style="width:60vw;" /><form id="door_form">"176" />176<input type="radio" name="side" value="177" /&</form><button onClick="check_door()">Check</button></body>
</html>

看来我们要在里面选一个数字，调用的是check_door函数，逻辑在/static/js/door.js里，先看看内容

function check_door() {var all_radio = ElementById("door_form").elements;var guess = null;for (var i = 0; i < all_radio.length; i++)if (all_radio[i].checked) guess = all_radio[i].value;rand = Math.floor(Math.random() * 360);if (rand == guess) window.location = "/open/";else window.location = "/die/";
}

下一关：/open/

<!DOCTYPE html>
<html><head><title>Welcome to Earth</title><script src="/static/js/open_sesame.js"></script></head><body><h1>YOU FOUND THE DOOR!</h1><p>How do you open it?</p><img src="/static/img/door.jpg" alt="door" style="width:60vw;" /><script>open(0);</script></body>
</html>
同样：/static/js/open_sesame.js
function sleep(ms) {return new Promise(resolve => setTimeout(resolve, ms));
}function open(i) {sleep(1).then(() => {open(i + 1);});if (i == 4000000000) window.location = "/fight/";
}

想都不用想，傻子才去真做呢。/fight/

<!DOCTYPE html>
<html><head><title>Welcome to Earth</title><script src="/static/js/fight.js"></script></head><body><h1>AN ALIEN!</h1><p>What do you do?</p><imgsrc="/static/img/alien.png"alt="door"style="width:60vw;"/></br><input type="text" id="action"><button onClick="check_action()">Fight!</button></body>
</html>
访问/static/js/fight.js
// Run to scramble original flag
//console.log(scramble(flag, action));
function scramble(flag, key) {for (var i = 0; i < key.length; i++) {let n = key.charCodeAt(i) % flag.length;let temp = flag[i];flag[i] = flag[n];flag[n] = temp;}return flag;
}function check_action() {var action = ElementById("action").value;var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];// TODO: unscramble function
}

emmmmm，终于是是没有下一关的目录了，看一下逻辑，就是个简单的排列组合
那么写爆破代码，目的是要找以pctf{hey_boys_im开头和ck!}结尾的特定字符串,这就是一个全排列问题,直接拿python的模块permutations来做了

from itertools import permutations
flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag)
for i in item:k = ''.join(list(i))if k.startswith('pctf{hey_boys_im') dswith == 'ck!}':print(k)
得到flag：pctf{hey_boys_im_baaaaaaaaaack!}

参考视频链接:/