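The hint for this challenge tells us to use picobrowser, which suggests
the site has to be visited with that value as the User-Agent. So I used
Burp Suite to change the User-Agent to picobrowser, then changed the
User-Agent once more on the request after the redirect, and the flag
showed up.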
Challenge 2: Power Cookie
Just change the isAdmin value in the Cookie to true
and that is all it takes.
Challenge 3: Forbidden Paths
The challenge description says:
We know that the website files live in /usr/share/nginx/html/ and the
flag is at /flag.txt but the website is filtering absolute file paths.
Can you get past the filter to read the flag?
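So I used ../../../../flag.txt to get past the filter and successfully
got the flag. The relative path does not start with /, so the filter
lets it through, but it still resolves to /flag.txt from the web root.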
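Why the filter fails and what a containment check looks like, as an added example that is not the challenge's own code. The shape of naive_filter is an assumption (the page only says absolute paths are filtered), and all function names are hypothetical.

```python
import posixpath

WEB_ROOT = "/usr/share/nginx/html"  # document root given in the challenge text


def naive_filter(filename: str) -> bool:
    """Assumed shape of the weak filter: reject absolute paths only."""
    return not filename.startswith("/")


def resolve(filename: str) -> str:
    """Path the server would end up opening: joined to the root, then normalised."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, filename))


def safe_filter(filename: str) -> bool:
    """Hardened check: canonicalise first, then require the result to stay under WEB_ROOT.

    commonpath compares whole path components, so a sibling directory such as
    /usr/share/nginx/html-backup does not pass the way a string-prefix test would.
    This is a lexical check; on a real filesystem, resolve symlinks
    (os.path.realpath) before comparing.
    """
    if "\x00" in filename:
        return False
    target = resolve(filename)
    return posixpath.commonpath([WEB_ROOT, target]) == WEB_ROOT


# Constructed sample inputs, including the one used in this write-up.
SAMPLES = [
    "index.html",
    "/flag.txt",
    "../../../../flag.txt",
    "css/../index.html",
    "../html-backup/x",
]


def audit(samples=SAMPLES):
    """Return (input, resolved path, naive verdict, hardened verdict) per sample."""
    return [(s, resolve(s), naive_filter(s), safe_filter(s)) for s in samples]


if __name__ == "__main__":
    for name, target, naive, safe in audit():
        print(f"{name!r:28} -> {target:36} naive={naive!s:5} safe={safe}")
```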
Challenge 4: login
Take a look at its JS:
(async () => {
    // Wait for the page to load, then hook the form's submit event.
    await new Promise((e => window.addEventListener("load", e))),
    document.querySelector("form").addEventListener("submit", (e => {
        e.preventDefault();
        const r = {
            u: "input[name=username]",
            p: "input[name=password]"
        }
          , t = {};
        // Base64-encode each field and strip the "=" padding.
        for (const e in r)
            t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
        // Both expected values are hard-coded in the client-side script.
        return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)
    }
    ))
}
)();