Questions and answers of the BiliBili 1024 security challenge (CTF-related)

Bilibili launched a security challenge module for the 1024 Programmer's Day, similar to a CTF. At present there are 10 questions for users to answer.

Questions, solution process and answers

1. What is behind the page

Address: http://45.113.201.36/index.html

Accessing it directly, you are prompted to use the bilibili Security Browser to access the page~.

Viewing the page source, there are two pieces of JS code:

 $.ajax({
     url: "api/admin",
     type: "get",
     success: function (data) {
         //console.log(data);
         if (data.code == 200) {
             // If there is a value: write it into the front end
             var input = document.getElementById("flag1");
             input.value = String(data.data);
         } else {
             // If there is no value
             $('#flag1').html("Interface exception, please try again later~");
         }
     }
 });
 $.ajax({
     url: "api/ctf/2",
     type: "get",
     success: function (data) {
         //console.log(data);
         if (data.code == 200) {
             // If there is a value: write it into the front end
             $('#flag2').html("flag2: " + data.data);
         } else {
             // If there is no value
             $('#flag2').html("You need to use the bilibili Security Browser browser to access ~");
         }
     }
 });

Requesting /api/admin directly, the JSON data returned is flag1.

2. The real secret can only be seen by special equipment

Change the browser's User-Agent to bilibili Security Browser and visit the page to see flag2.

In Firefox, the User Agent Switcher and Manager extension can be installed from the add-ons store for this.

3. What is the password

Address: http://45.113.201.36/login.html

Guess the password; in the end:

 User name: admin Password: bilibili

After logging in, the flag is visible.

4. Sorry, insufficient permission

Address: http://45.113.201.36/superadmin.html

Prompt after access: some secrets can only be seen by super administrators~

Looking at the cookies, the value of role is the MD5 of "user".

After several attempts, the role turns out to be Administrator (the default administrator account on Windows).

Change the role cookie in the browser to 7b7bc2512ee1fedcd76bdc68926d4f7b and refresh the page.
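The weakness in question 4 is that the role cookie is only an unsigned MD5 of a guessable role name, so anyone can mint the Administrator value. As an added example (not the challenge's own code; SERVER_SECRET and the function names are assumptions), the forgeable check beside an HMAC-signed cookie that the client cannot tamper with:

```python
import hashlib
import hmac
import secrets


def weak_role_cookie(role: str) -> str:
    """Question-4 style cookie: role = md5(role name).
    Guessing the role name is enough to produce a valid value."""
    return hashlib.md5(role.encode()).hexdigest()


def weak_is_superadmin(cookie_value: str) -> bool:
    # Compares the cookie against md5("Administrator"); nothing ties it to a session.
    return cookie_value == weak_role_cookie("Administrator")


# Hardened variant: the role is stored in clear text and bound to a
# server-side secret with an HMAC. A client can rewrite the role name but
# cannot compute a matching tag without the secret.
SERVER_SECRET = secrets.token_bytes(32)  # constructed for this example; kept server-side


def signed_role_cookie(role: str, secret: bytes = SERVER_SECRET) -> str:
    tag = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def signed_role(cookie_value: str, secret: bytes = SERVER_SECRET):
    """Return the role carried by the cookie if its tag verifies, else None."""
    role, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None  # malformed cookie: no tag present
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return role if hmac.compare_digest(tag, expected) else None


def hardened_is_superadmin(cookie_value: str, secret: bytes = SERVER_SECRET) -> bool:
    return signed_role(cookie_value, secret) == "Administrator"


if __name__ == "__main__":
    user_cookie = signed_role_cookie("user")
    # Swapping the role name while keeping the old tag no longer works.
    forged = "Administrator." + user_cookie.split(".")[1]
    print(weak_is_superadmin(weak_role_cookie("Administrator")))  # True
    print(hardened_is_superadmin(forged))  # False
```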

5. Others' secrets

Address: http://45.113.201.36/user.html

Prompt after access: there is no answer you want here.

From the page code, there is a magic uid 100336889 and an interface api/ctf/5?uid=<uid>.

Request the interface starting from uid 100336889; when the response is not a 403, that is the answer.

6. The end is also the beginning

Address: http://45.113.201.36/blog/single.php?id=1

As the group owner said, first visit /blog/test.php to get a string of JSFuck, then decode it to get two strings:

 "\u7a0b\u5e8f\u5458\u6700\u591a\u7684\u5730\u65b9" -> "the place with the most programmers", i.e. GitHub
 "bilibili1024havefun"

Searching GitHub for the second string finds the repository:

 https://github.com/interesting-1024/end

According to the contents of that repository, construct the request:

 http://45.113.201.36/blog/end.php?id[]=1

Prompt after access: it's a little short

The PHP file also takes a GET parameter url. Fill in url=/flag.txt:

 http://45.113.201.36/blog/end.php?id[]=1&url=/flag.txt

This returns a picture. Open the picture in a text editor and search for "flag" to find the following string:

 flag10:2ebd3b08-47ffc478-b49a5f9d-f6099d65

However, this is the answer to question 10.

7. Young people need to explore by themselves

8. Young people need to explore by themselves

The server has port 6379 open, which is the default Redis port, with no password set:

 redis-cli -h 45.113.201.36 -p 6379

Query:

 keys *

Return results:

 1) "flag8"

Query:

 get flag8

This returns the answer for flag8.

In addition, I tried to add a custom key to it, but the server blacklisted me.

9. Young people need to explore by themselves

No data available.

10. Young people need to explore by themselves

I got flag10 in the picture of question 6.

Other

Many people are now directly brute-forcing questions 6, 7 and 9.

120.92.151.189 seems to have gone down, and the later questions appear to have been moved to 45.113.201.36.

Zimiao haunting blog (azimiao. com) All rights reserved. Please note the link when reprinting: https://www.azimiao.com/7371.html