Lolik

WriteUp1

Level 1

Opening ./robot/index.html displays:

I hate spiders the most!!!

spider: web crawler

Many websites have a robots.txt file to regulate, restrict, or prohibit data collection by spiders: it tells web crawlers which directories of the site they should not access. It is purely advisory, and anyone can read it, which is exactly why it is a classic place to look for hidden paths.

Opening ./robot/robots.txt displays:

sir, this way!!!
f1a9.zip
tip: winrar Yes!!!

Accessing ./robot/f1a9.zip downloads the zip file.

The zip file is encrypted, and the hint "tip: winrar Yes!!!" suggests opening it with WinRAR.

After opening it, the archive comment shows "Password: ??????338".

So the password is six unknown digits followed by 338, nine digits in total.

Brute-force the six unknown digits.


flag{th1s_1s_crc_crack}

Password: 860834338

After decompression, the result is an image with the NetEase Cloud Music logo in the upper left corner, 798 px wide by 733 px high.

Reasoning that a music cover image should be square, change the image height with a hex editor (010 Editor) so that the dimensions become 798x798.

Level 2

Opening ./xss/index.php leads to an XSS challenge.
Related technique: tag-closure bypass.

Entering "aaaaa" in the search box produces the following DOM:

```html
<form action="index.php" method="GET">
    <input name="keyword" value="aaaaaa">
    <input type="submit" name="submit" value="Search">
</form>
```

The input is reflected verbatim between `value="` and `">`, so a double quote in the input ends the attribute value and a `>` ends the input tag.

Entering `"><p>test</p>` closes the input tag and inserts a paragraph; the page then renders as follows:

```html
<form action="index.php" method="GET">
    <input name="keyword" value="">
    <p>test</p>
    ">
    <input type="submit" name="submit" value="Search">
</form>
```

The p tag is parsed and rendered by the browser, which confirms that the injected markup is not escaped.

The challenge counts a pop-up box as success, so enter `"><script>alert("q")</script>` to trigger the alert.
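To make the tag-closure point concrete, here is an added Python example (not part of the original writeup) that models the challenge's form with and without attribute escaping and counts which elements a parser actually creates from each. The server side is a simplified stand-in that is assumed to reflect the keyword by string interpolation, as the DOM above suggests.

```python
import html
from html.parser import HTMLParser

# Simplified stand-in for the challenge's index.php (an assumption modelled on
# the DOM shown in the writeup): the keyword lands inside value="...".
def render_vulnerable(keyword: str) -> str:
    return (
        '<form action="index.php" method="GET">\n'
        f'    <input name="keyword" value="{keyword}">\n'
        '    <input type="submit" name="submit" value="Search">\n'
        '</form>'
    )

# Hardened variant: escape for an attribute context before reusing the same
# template. quote=True also encodes the double quote, so the input can no
# longer terminate value="..." early and break out of the tag.
def render_fixed(keyword: str) -> str:
    return render_vulnerable(html.escape(keyword, quote=True))

class TagCounter(HTMLParser):
    """Counts start tags, i.e. which elements a browser would actually create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: dict[str, int] = {}

    def handle_starttag(self, tag, attrs):
        self.tags[tag] = self.tags.get(tag, 0) + 1

def rendered_tags(markup: str) -> dict[str, int]:
    """Return {tag_name: count} for the elements a parser sees in `markup`."""
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    return parser.tags

# The tag-closure input used in the writeup.
PAYLOAD = '"><p>test</p>'

if __name__ == "__main__":
    # Vulnerable page: an extra <p> element appears, the input tag was closed.
    print("vulnerable:", rendered_tags(render_vulnerable(PAYLOAD)))
    # Fixed page: only the two inputs exist; the payload is inert text.
    print("fixed:     ", rendered_tags(render_fixed(PAYLOAD)))
```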
