The game platform is closed, no, forgive me. The process of solving ideas: Analyzing the structure of the website, looking at source code, element audit. The following information is found.
- To get flag to get a pro CDN
- Pro Sub-domain length 3 to 6 characters
- There is a submit Ticke page
How do I get a pro CDN? There are several ways to think about this.
- Apply directly to a pro CDN
- Can you promote a basic to pro
- Login to admin's account to see if there is a pro CDN inside
No application is impossible. You are not allowed to design Pro's actions. Attempt to inject, weak password is invalid. After these are done, the idea jams and goes back to submitting ticket there. It is very certain that the last flag is ticket here. The length of the ticket page tried a wave of blasting, but not valid, up to 6 open at a time. Using the sub-domain blasting tool and Google hack have not been able to get useful. This problem oneself to do here, realize can not come out what else. See writeup Discovery is a knowledge blind area, learn a wave. The knowledge points come mainly from the dark clouds This article: http://www.cnblogs.com/deen-/p/6919326.html reference writeup:http://lorexxar.cn/2017/05/23/rctf2017/ Http://www.math1as.com/index.php/archives/479/?utm_source=tuicool&utm_medium=referral after reading the article in return to the topic. The final correct process is:
The
- continues to apply for basic, generating a random eight-length subdomain. These subdomains of the application will exist in the database of the server background. The
- determines the character of the subdomain to see if it contains those Unicode, more than two groups, a set of lengths of 7, and two groups of 6. Remove basic if not included. Here's a script blast.
?: DZ//valid domain ext
?: RS//valid domain ext
№: No//valid domain ext
?: SM//valid domain ext
℡: Tel//valid domain ext
?: TM//valid Domain ext
?: NA//valid domain ext
u+3377:dm//valid domain ext< br>? : MA//valid domain ext
?: NF//valid domain ext
?: ml//valid domain ext
?: FM//valid domain ext
㎝: cm Valid domain ext
?: PS//valid domain ext
?: Ms//valid domain ext
?: PW//valid domain ext
?: MW//vali D Domain ext
㏄: CC//valid domain ext
?: CD//valid domain ext
?: Gy//valid domain ext
?: in//valid do Main ext
?: ph//valid domain ext
?: PR//valid domain ext
?: SR//valid domain ext
?: FI//valid Doma In ext
?: St//valid domain ext
?: St//valid domain ext
- If it is found to be included, it is submitted on the ticket page. At the time of submission, for example:
Assuming that the basic subdomain of the application is 23FDANAPW, this subdomain contains PW, NA, submit the time we submit 23FD?? 。 The backstage will be judged in two steps. One is to determine whether the database, the two in the background database is equivalent, exists. Second, the background will be simulated click on this link, with the browser to judge, and the browser on the length of the subdomain is 6-bit, reached the pro length standard. It is considered pro and returns flag. Summary: Unicode length encoding trick. See more clouds.
[RCTF] (web) RCDN problem Solving analysis, Knowledge point Summary
