Ctfshow web entry explosion

web21

First, enter an account password casually

Grab the bag

The account name and password entered are base64 Encrypted , Decoding found that its form is ——admin： password , Next, construct payload

Using a custom iterator The first paragraph is admin The second paragraph is “:”  The third paragraph is the password for downloading the title attachment   Conduct base64 After encryption, it can be exploded

web22

 web23

Open to see php Code , First analyze the code , You can know token By md5 encryption , And its first = Fourteenth = 17th ,（ first place + Fourteenth + 17th ）/ first place = 31st place

 php Script

<?php 
error_reporting(0); 
 
$a="asdfghjklqwertyuiopzxcvbnm1234567890";
for($i=0;$i<36;$i++){
    for($j=0;$j<36;$j++){
        $token=$a[$i].$a[$j];    
        $token = md5($token); 
        if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){ 
            if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){ 
                echo $a[$i].$a[$j];
                exit(0);
            } 
        } 
    }
} 
?> 

After running, get 3j   The ginseng token=3j

web24

mt_scrand(seed) This function means , By distributing seed seeds , Then the seeds have , by mt_rand() Generate random Count

stay kali Run on Or by php Script

Run a pseudo-random number 1155388967  Pass on ?r=1155388967 Can get flag

web25

web26

Direct input I can't find out

Blow up the password

  After blasting