惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
IT之家
IT之家
Cyberwarzone
Cyberwarzone
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
阮一峰的网络日志
阮一峰的网络日志
T
Threat Research - Cisco Blogs
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
Last Week in AI
Last Week in AI
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Jina AI
Jina AI
T
Tor Project blog
V
Vulnerabilities – Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
Spread Privacy
Spread Privacy
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
I
Intezer
The Cloudflare Blog
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
博客园 - 【当耐特】
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Google Online Security Blog
Google Online Security Blog
量子位
The Last Watchdog
The Last Watchdog
AI
AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security Affairs
P
Palo Alto Networks Blog
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Attack and Defense Labs
Attack and Defense Labs

猫涅的秘密结社

数据库原理相关 关于在与我互动前你可能需要了解的事 信安roadmap 个人主页开发汇报 六级生词速记本——附考后感想 数据结构C++自学相关 NewStarCTF-2025 三款steam付费番茄钟软件测评 夏令营-ai hello-world qt环境下的c++程序编写 新新的年 qq机器人配置二三事 搞点java 读书笔记-当下的力量 网页小修时间 glibc更新记录 Vulhub在线靶场记录 Vulhub记录(旧的) 神奇脚本在哪里-CTF之Pwn BaseCTF高校联合新生赛2024 逆逆逆逆逆向-CTF之reverse 求解 夺旗时间 学学学 渗透测试相关 协议/漏洞/网络 最新的知识点 数据分析相关 zico2解析 OverTheWire-bandit解析 CTF实战相关2 靶机解析-gigachad ctf实战相关1 复习time 开学季 维修时间 小小修整 学校实训-笔记 每周靶机之Beelzebub 读书笔记-如何阅读一本书 DC-4解析 DC-2解析 每周靶机之ted 靶机-DC-1 每周靶机之bob potato解析 xss跨站点脚本攻击 每周靶机之Tommyboy1dot0 owasp命令执行漏洞 owasp文件包含漏洞 每周靶机之WALLABY'S-NIGHTMARE owasp上传漏洞 Hackademic.RTB1 owasp与sql注入与sqlmap liunx中sudo服务相关知识 liunx中ssh服务相关知识 moneybox解析 C语言相关1 关于加入aplayer的方式 再来一次 关于在next7.8.0中建设评论功能这件事 目前的进展 编辑小提示
hackthissite-org
nirvana_felis · 2026-04-14 · via 猫涅的秘密结社

直接给了代码 来分析一下….

1
2
3
4
5
6
7
8
9
10
11
12
13
14
var foo = 5 + 6 * 7 
var bar = foo % 8
var moo = bar * 2
var rar = moo / 3
function check(x)
{
if (x.length == moo)
{
alert("win!");
window.location += "?lvl_password="+x;
} else {
alert("fail D:");
}
}

逆推下来 检测的变量x.length所输入字符串的长度 所以输入指定长度的随意字符即可通过
变量moo来自于变量bar*2 变量bar则是变量foo除以8的余数 变量foo等于5+6*7=5+42=47
过完整个流程得出moo 随意输入以moo为数量的字符 过关

1
2
3
4
5
6
7
8
9
10
11
12
13
<script language="Javascript">																RawrRawr = "moo";
function check(x)
{
"+RawrRawr+" == "hack_this_site"
if (x == ""+RawrRawr+"")
{
alert("Rawr! win!");
window.location = "../../../missions/javascript/4/?lvl_password="+x;
} else {
alert("Rawr, nope, try again!");
}
}
</script>

这里涉及了JavaScript中的字符拼接 用+号链接代表字符为从前往后的一个整体
因此 两个紧凑的双引号代表空符 我们要输入的密码就是早已定义过的变量RawrRawr 其值便是密码 为moo

1
2
3
4
5
6
7
8
9
10
11
12
13
<script language="Javascript">
moo = unescape('%69%6C%6F%76%65%6D%6F%6F');
function check (x) {
if (x == moo)
{
alert("Ahh.. so that's what she means");
window.location = "../../../missions/javascript/5/?lvl_password="+x;
}
else {
alert("Nope... try again!");
}
}
</script>

这里的密码涉及unescape函数 但寻遍整个网页都没法找到unescape函数的具体内容 于是需要使用浏览器自带的控制台
在控制台中 我们可以执行网页定义过的js函数并得出结果 因此转到控制台 输入unescape('%69%6C%6F%76%65%6D%6F%6F')
2
得到密码 ilovemoo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<script type="text/javascript" src="/missions/javascript/6/checkpass.js"></script>
<script language="javascript">
RawrRawr = "moo";
function check(x)
{
"+RawrRawr+" == "hack_this_site"
if (x == ""+RawrRawr+"")
{
alert("Rawr! win!");
window.location = "about:blank";
} else {
alert("Rawr, nope, try again!");
}
}

function checkpassw(moo)
{
RawrRawr = moo;
checkpass(RawrRawr);
}
</script>

一开始以为是和第四题类似的设计 于是输入moo 发现不对
仔细观察 发现check函数跳转到的是空页面(about:blank) 应该是诱饵选项
上面还应用了一个新js /missions/javascript/6/checkpass.js 看来关键在于那里

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
// /missions/javascript/6/checkpass.js中的内容
dairycow="moo";
moo = "pwns";
rawr = "moo";

function checkpass(pass)
{
if(pass == rawr+" "+moo)
{
alert("How did you do that??? Good job!");
window.location = "../../../missions/javascript/6/?lvl_password="+pass;
} else {
alert("Nope, try again");
}
}
1
2
3
4
5
<script language="javascript">
var _0x4e9d=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x77\x72\x69\x74\x65"];document[_0x4e9d[0x1]](String[_0x4e9d[0x0]](0x3c,0x62,0x75,0x74,0x74,0x6f,0x6e,0x20,0x6f,0x6e,0x63,0x6c,0x69,0x63,0x6b,0x3d,0x27,0x6a,0x61,0x76,0x61,0x73,0x63,0x72,0x69,0x70,0x74,0x3a,0x69,0x66,0x20,0x28,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x3d,0x3d,0x22,0x6a,0x30,0x30,0x77,0x31,0x6e,0x22,0x29,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x59,0x6f,0x75,0x20,0x57,0x49,0x4e,0x21,0x22,0x29,0x3b,0x77,0x69,0x6e,0x64,0x6f,0x77,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x2b,0x3d,0x20,0x22,0x3f,0x6c,0x76,0x6c,0x5f,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3d,0x22,0x2b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x7d,0x65,0x6c,0x73,0x65,0x20,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x57,0x52,0x4f,0x4e,0x47,0x21,0x20,0x54,0x72,0x79,0x20,0x61,0x67,0x61,0x69,0x6e,0x21,0x22,0x29,0x7d,0x27,0x3e,0x43,0x68,0x65,0x63,0x6b,0x20,0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3c,0x2f,0x62,0x75,0x74,0x74,0x6f,0x6e,0x3e));
</script>

<button onclick="javascript:if (document.getElementById(&quot;pass&quot;).value==&quot;j00w1n&quot;){alert(&quot;You WIN!&quot;);window.location += &quot;?lvl_password=&quot;+document.getElementById(&quot;pass&quot;).value}else {alert(&quot;WRONG! Try again!&quot;)}">Check Password</button>