<h1>CHASE!</h1> <p> You managed to chase one of the enemy fighters, but there's a wall coming up fast! </p> <script> functionsleep(ms) { returnnewPromise(resolve =>setTimeout(resolve, ms)); }
<h1>SHOOT IT</h1> <p>You've got the bogey in your sights, take the shot!</p> <buttononClick="window.location='/die/'">Take the shot</button> <!-- <button onClick="window.location='/shoot/'">Take the shot</button> -->
……
4. /shoot/
1 2 3
<h1>YOU SHOT IT DOWN!</h1> <p>Well done! You also crash in the process</p> <buttononClick="window.location='/door/'">Continue</button>
5. /door/
很多按钮……
1
<buttononClick="check_door()">Check</button>
点击触发事件,看引入的js文件
door.js
1 2 3 4 5 6 7 8 9 10 11
functioncheck_door() { var all_radio = document.getElementById("door_form").elements; var guess = null;
for (var i = 0; i < all_radio.length; i++) if (all_radio[i].checked) guess = all_radio[i].value;
functionopen(i) { sleep(1).then(() => { open(i + 1); }); if (i == 4000000000) window.location = "/fight/"; }
7. /fight/
又是点击触发,js:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
// Run to scramble original flag //console.log(scramble(flag, action)); functionscramble(flag, key) { for (var i = 0; i < key.length; i++) { let n = key.charCodeAt(i) % flag.length; let temp = flag[i]; flag[i] = flag[n]; flag[n] = temp; } return flag; }
functioncheck_action() { var action = document.getElementById("action").value; var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];
// TODO: unscramble function }
“混淆”了flag,直接手解:pctf{hey_boys_im_baaaaaaaaaack!}
大佬的 python 脚本解法
1 2 3 4 5 6 7 8 9 10
#coding:utf-8 from itertools import permutations
flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]
item = permutations(flag) for i in item: k = ''.join(list(i)) if k.startswith('pctf{hey_boys') and k[-1] == '}': print(k)
