刚点进来会一直加载，然后跳转到了/die

看一下刚进来页面的源代码

AMBUSH!
You've gotta escape!

可以看到keycode == 27的时候会跳转到/chase/页面，27是键盘上的ESC键，当然我们也可以直接输入chase直接跳转到这个页面，然后查看chase页面的源码

CHASE!
You managed to chase one of the enemy fighters, but there's a wall comingup fast!
LeftRight

可以看到有个leftt，访问他

页面源代码

SHOOT IT
You've got the bogey in your sights, take the shot!

Take the shot

点Take the shot会跳转到die

在注释里面可以看到shoot，访问

点击Continue跳转到door

页面源代码

YOU APPROACH THE ALIEN CRAFT!
How do you get inside?
0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359
Check

在最下面有个check_door函数，他是从上面的/static/js/door.js导入的

function check_door() {jvar all_radio = document.getElementById("door_form").elements;var guess = null;for (var i = 0; i < all_radio.length; i++)if (all_radio[i].checked) guess = all_radio[i].value;rand = Math.floor(Math.random() * 360);if (rand == guess) window.location = "/open/";else window.location = "/die/";
}

直接访问open

页面源代码

YOU FOUND THE DOOR!
How do you open it?

查看/static/js/open_sesame.js

function sleep(ms) {return new Promise(resolve => setTimeout(resolve, ms));
}function open(i) {sleep(1).then(() => {open(i + 1);});if (i == 4000000000) window.location = "/fight/";
}

访问fight

同样的，得到

// Run to scramble original flag
//console.log(scramble(flag, action));
function scramble(flag, key) {for (var i = 0; i < key.length; i++) {let n = key.charCodeAt(i) % flag.length;let temp = flag[i];flag[i] = flag[n];flag[n] = temp;}return flag;
}function check_action() {var action = document.getElementById("action").value;var flag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"];// TODO: unscramble function
}

可以看到有flag，但是被打乱了

这里就可以对这个存放flag的数组进行排列了，python中组合用的是itertolls中的combinations，而排列则是permutations

脚本：

from itertools import permutationsflag = ["{hey", "_boy", "aaaa", "s_im", "ck!}", "_baa", "aaaa", "pctf"]item = permutations(flag)
for i in item:k = ''.join(list(i))if k.startswith('pctf{hey_boys') and k[-1] == '}':print(k)

得到

flag为pctf{hey_boys_im_baaaaaaaaaack!}