emmmmmm这次的Hackgame还是脑洞为主。。。我只做出来了6道题,这里结合官方wp总结一下,题目现在还是可以做的(https://hack2018.lug.ustc.edu.cn/)
签到题
打开页面后得到信息: 
要求提交指定字符串。查看网页源码中表单名称: 1
<p>Key: <input type="text" name="key" maxlength="13"/></p>
1
http://202.38.95.46:12002/?key=hackergame2018
flag{Hackergame2018_Have_Fun!} ###
猫咪问答
emmmmmm我不是中科大学生所以没做完这道。。不过也算是一个小社工吧,自己网上检索信息
flag:flag{G00G1E-is-always-YOUR-FRIEND} ###
游园会的集章卡片
这个题就不细说了。。。主要是给了一堆图片拼图,自行拼就行了
flag:flag{H4PPY_1M4GE_PR0CE551NG} ### 猫咪和键盘
打开后是一份乱的C++代码,需要还原。可以看出代码按列打乱了。
使用vim编辑器,列编辑模式还原后: 1
2
3
4
5
6
7
8
9
10
11
12
13name: typed_printf.cpp
compile: g++ -std=c++17 typed_printf.cpp
title: type safe printf
author: nicekingwei
url: aHR0cHM6Ly96anUtbGFtYmRhLnRlY2gvY3BwZHQtcHJpbnRmLw==
related knowledge:
- value and type
value->value: function
type->value: parametric polymorphism
type->type: generic
value->type: dependent type
- auto
- if constexpr
Word文档
还真不知道docx文档结构是这样的 拖进winhex里: 
可以看出为zip文件,该后缀打开后里面就有flag文本文件了
flag:flag{xlsx,pptx,docx_are_just_zip_files} ###
猫咪银行
这道题开始以为要在js脚本上做文章,后来发现好像没用。。。然后买1/4的flag也没啥用。
后来存钱时,随便输了个很大的数字,发现结果不对劲,才反应过来是溢出问题。
输入一个大数,且收入不为负,时间在现在时间点前面就行(可以直接取出),多试几个数就可以了。
flag:flag{Evil_Integer._Evil_Overflow.} ###
黑曜石浏览器 这道题费了我好几天都没搞出来。。 抓包后是这样的:
1
2
3
4
5
6
7
8
9
10GET / HTTP/1.1
Host: 202.38.95.46:12001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2e76eef44e3dd8842a479aa79f7f6396
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
后来查看了http://heicore.com的代码(不是index.php那个页面!),可以看到下载文件的名称,里面附带的有版本号49.1.2623.213,这才有结果了。。
1
2
3
4
5
6
7$("#download_link").click(function() {
if (!window.loggedIn) {
alert("仅差一步!请于登录后下载黑曜石浏览器。");
}
else {
window.location.href="HEICORE.49.1.2623.213_installer_latest.exe";
}1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 HEICORE/49.1.2623.213
ps:官槽:除了百度以外的所有搜索引擎几乎都能找到该浏览器的官网:heicore.com
emmmmmmmmmmmmmmmmmmmmmmmmmm以后还是google吧
得到flag:flag{H3ic0re_49.1.2623.213_sai_kou} ###
回到过去 这道题只要熟悉unix/linux下的ed编辑器命令就好了。
题目也给出来了具体步骤,虚拟机里敲一遍即可。
flag:flag{t4a2b8c44039f93345a3d9b2} ### 我是谁
第一问:burp刷新了几次截包后,会在返回头里看到teapot,即关键字,得到flag:flag{i_canN0t_BReW_c0ffEE!}
打开链接来到第二问,提示需要换一种请求方式: 
我们在burp换为POST形式:
提示POST也不行,emmmmmmmmmm????当时做到这里就不会了,后面提到的BREW请求也没见过,所以没出来。。。
查看提示的文档 
得知还有BREW这种请求。。。 
还要带上一个参数Content-Type: message/teapot',返回结果:  从返回头中看到下一个链接,同样的方式访问:  得到flag:flag{delivering_tea_to_DaLa0}`
### 家里有矿
秘籍残篇
猫咪遥控器
下载下来一个文本,内容全部为D、R、L、U的组合,可以联想到up,down,left,right四个方向。即这是是一个图片,可由这个步骤画出。
这里使用HTML中的canvas标签,该标签相当于一个图形容器,可以根据js脚本来绘制相应的图形。(当然pyhton的Turtle也是可以画出来的)下面是脚本:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Cat Controller</title>
<style>
#path {
border: 1px solid #000000;
}
</style>
</head>
<body>
<canvas id="path" width="1200" height="300"></canvas>
<script>
var seq = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLLLLLLLLLLLLLLLLLLLLLRRRRDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUULLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLLLUUUUUUUUUUUUUUUURRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUURRRRRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUURRRRRRRRLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDLLLLLLLLDDDDRRRRRRRRDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRLLLLLLLLUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLUUUURRRRRRRRUUUURRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUURRRRDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUURRRRRRRRUUUUUUUURRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRRRRRRUUUURRRRUUUURRRRRRRRRRRRRRRRDDDDRRRRDDDDRRRRDDDDDDDDLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLUUUURRRRUUUUDDDDLLLLDDDDDDDDRRRRDDDDRRRRDDDDRRRRRRRRRRRRUUUURRRRRRRRUUUUDDDDLLLLLLLLDDDDLLLLLLLLLLLLUUUULLLLUUUULLLLUUUUUUUURRRRUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUURRRRRRRRUUUULLLLUUUUDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDDDDDRRRRUUUUUUUUUUUURRRRUUUUUUUUDDDDDDDDRRRRDDDDDDDDDDDDRRRRUUUUUUUUUUUUUUUUUUUURRRRUUUURRRRUUUUDDDDLLLLDDDDRRRRRRRRRRRRUUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUURRRRDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUURRRRUUUURRRRUUUURRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUDDDDUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLLLLLLLLLLLLLUUUULLLLUUUULLLLLLLLDDDDLLLLDDDDLLLLDDDDDDDDDDDDRRRRDDDDRRRRDDDDRRRRRRRRUUUURRRRRRRRUUUUDDDDLLLLLLLLDDDDLLLLLLLLUUUULLLLUUUULLLLUUUUUUUURRRRRRRRRRRRRRRRRRRRRRRRUUUULLLLUUUUDDDDRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLDDDDDDDDUUUUUUUURRRRRRRRRRRRRRRRRRRRDDDDRRRRRRRRRRRRUUUULLLLUUUUDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDDDDDRRRRUUUUUUUUUUUUUUUURRRRUUUUUUUUDDDDDDDDRRRRDDDDDDDDDDDDDDDDRRRRRRRRUUUUUUUUUUUUUUUURRRRUUUUUUUURRRRUUUUDDDDLLLLDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUULLLLLLLLRRRRRRRRDDDDDDDDDDDDDDDDDDDDRRRRRRRRDDDDLLLLLLLLDDDDDDDDDDDDDDDDDDDDLLLLLLLL";
// 题目中的序列
var ctx = document.getElementById('path').getContext('2d');
var x = 0, y = 0;
function move(type) {
switch (type) {
case 'U': y -= 1; break;
case 'D': y += 1; break;
case 'L': x -= 1; break;
case 'R': x += 1; break;
}
ctx.fillRect(x, y, 1, 1);
}
for (var i = 0; i < seq.length; i++) {
move(seq[i]);
}
</script>
</body>
//flag{MeowMeow} 
### 她的诗
下载附件,为一个文本和一个py文件。 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16#!/usr/bin/env python3
# This script helps you decode "her poem"
from codecs import decode
fin = open("poem.txt", "r")
fout = open("poem.out", "w")
for i in fin:
data = "begin 666 <data>\n" + i + " \nend\n"
decode_data = decode(data.encode("ascii"), "uu")
print(decode_data)
fout.write(decode_data.decode("ascii") + "\n")
fin.close()
fout.close()begin 666<data>,百度后:
得知加密方式为uuencode,在线解密后得结果:
1
---------There is something in this worldfthat no one has ever seen before.It is gentle and sweet.lMaybe if it could be seen,aeveryone would fight over it.gThat is why the world hid it,{so that no one could get their handson it so easily.STHowever, someday, someone will find it.The person who deserves it the mostewill definitely find it.---------Do you like this school?I really, really love it.gABut nothing can stay unchanged.n0Fun things... Happy things...gThey can't all possibly stay unchanged.Even so,rcan you go on loving this place?A---------Sometimes I wonder,Phwhat if this town was alive?y_What if it had thoughts and feelingslike one of us?If it did,w1I think it would want to make the peopletHwho live here happy._---------Expectations are what you havewhen you have given up.uExpectations are born fromUa despairingly large difference in skill.e---------A joke only lasts for a moment,Ncif it leaves a misunderstanding,0it becomes a lie.D---------If someone didn't have any pride,wouldn't they also be lackingEin self-confidence?_IIf someone was free of greed,5wouldn't they have trouble_supporting their family?And if people didn't envy one another,5wouldn't they stop inventing new things?0_---------If I don't have to do it, I won't.fuIf I have to do it, I'll make it.---------/* Here is the end of my poem.
flag{sSTegAn0grAPhy_w1tH_uUeNc0DE_I5_50_fun}
### 猫咪克星
这道题属于一道基础题,即使用py脚本进行简单的网络编程。
题目提示:nc 202.38.95.47 12009 先cmd试验一下: 
要求:快速运算一个算术式并在30s内返回结果
打开IDE直接输入式子,并将结果写进cmd发送,你会发现你源源不断的得到新的式子,这样的话手工运算30s内是肯定算不完的。
这是我们想到了python的eval函数----执行一个算数表达式。
下面是eval函数的解释: 1
2
3
4
5
6
7
8
9
10Help on built-in function eval in module builtins:
eval(source, globals=None, locals=None, /)
Evaluate the given source in the context of globals and locals.
The source may be a string representing a Python expression
or a code object as returned by compile().
The globals must be a dictionary and locals can be any mapping,
defaulting to the current globals and locals.
If only globals is given, locals defaults to it.