I heard that everyone who wants to be a hacker has played the Monyer game (walkthrough of levels 1-14)

Level 0
Enter through the portal to start level 0 (game link)

Please click the link to go to the first level: the link is on the left → ← the link is on the right

I can't see it... (I can only see the names of a bunch of experts, and one noob as well: me, at the back ~ ~)
Go straight to the developer tools (Fn+F12):

<span>The link is on the left→</span>
<a href="first.php"></a>
<span>←The link is on the right</span>

OK, on to the next level
Level 1
Quick link to level 1
Same routine to start with:
look at the code (Fn+F12)

<script type="text/rocketscript" data-rocketoptimized="true">
    function check(){
        if(document.getElementById('txt').value=="  "){
            window.location.href="hello.php";
        }else{
            alert("Password error");
        }
    }
</script>

I see: the password is a space,
and the next page is hello.php
Level 2
Quick link to level 2

<script type="text/rocketscript" data-rocketoptimized="true">
    document.oncontextmenu=function(){return false};

    var a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    a = Math.floor(a);

    function check(){
        if(document.getElementById("txt").value==a){
            window.location.href=a + ".php";
        }else{
            alert("Password error");
            return false;
        }
    }
</script>

We could work it out by hand, or simply paste it into the Chrome console:

var a,b,c,d,e,f,g;
a = 3.14;
b = a * 2;
c = a + b;
d = c / b + a;
e = c - d * b + a;
f = e + d /c -b * a;
g = f * e - d + c * b + a;
a = g * g;
a = Math.floor(a);

// Result: 424178

With the password known, on to the next level
Level 3
Quick link to level 3
There is JS in the head here too. Same method as above: put the String.fromCharCode(...) expression, without the eval around it, directly into the console

<script type="text/rocketscript" data-rocketoptimized="true">
    eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,99,104,101,99,107,40,41,123,13,10,09,118,97,114,32,97,32,61,32,39,100,52,103,39,59,13,10,09,105,102,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,116,120,116,39,41,46,118,97,108,117,101,61,61,97,41,123,13,10,09,09,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,97,43,34,46,112,104,112,34,59,13,10,09,125,101,108,115,101,123,13,10,09,09,97,108,101,114,116,40,34,23494,30721,38169,35823,34,41,59,13,10,09,125,13,10,125));
</script>

String.fromCharCode(102,117,110,99,116,105,111,110,32,99,104,101,99,107,40,41,123,13,10,09,118,97,114,32,97,32,61,32,39,100,52,103,39,59,13,10,09,105,102,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,116,120,116,39,41,46,118,97,108,117,101,61,61,97,41,123,13,10,09,09,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,97,43,34,46,112,104,112,34,59,13,10,09,125,101,108,115,101,123,13,10,09,09,97,108,101,114,116,40,34,23494,30721,38169,35823,34,41,59,13,10,09,125,13,10,125)

The output is:

function check(){
    var a = 'd4g';
    if(document.getElementById('txt').value==a){
        window.location.href=a+".php";
    }else{
        alert("Password error");
    }
}

var a = 'd4g';
So the password is d4g.
On to the next level!
Hold down Esc
Level 4
The page redirects automatically.
Press Esc immediately after opening it to stop the redirect.
Quick link to level 4

<script type="text/rocketscript" data-rocketoptimized="true">
    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('a="e";d c(){b(9.8(\'7\').6==a){5.4.3=a+".2"}1{0("Password error")}}',15,15,'alert|else|php|href|location|window|value|txt|getElementById|document||if|check|function|3bhe'.split('|'),0,{}))
</script>

This is packed (obfuscated) JS and has to be unpacked first. Use a decryption tool
(thanks to hack for providing the tools)
Decryption tool
After unpacking:

a = "3bhe";

function check() {
    if (document.getElementById('txt').value == a) {
        window.location.href = a + ".php"
    } else {
        alert("Password error")
    }
}

Is the password 3bhe? No.
Checking the source code again, there is another line further down:

eval("\141\75\141\56\164\157\125\160\160\145\162\103\141\163\145\50\51\53\61\73");

Decoded:

a = a.toUpperCase() + 1; // toUpperCase() converts to uppercase

So the password is 3BHE1
continue~
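
The two layers of level 4 can also be decoded as plain data, with no eval and no online tool. This is an added example, not code from the game or from the original post; the names unpack, decodeOctalEscapes and level4Password are made up for illustration, and the packed arguments are copied from the script shown above.

```javascript
// Added example: level 4's two obfuscation layers decoded as data, without eval().

// Arguments of the packer call, copied from the level 4 <script> above.
const packed = {
  p: 'a="e";d c(){b(9.8(\'7\').6==a){5.4.3=a+".2"}1{0("Password error")}}',
  k: 'alert|else|php|href|location|window|value|txt|getElementById|document||if|check|function|3bhe'.split('|'),
};

// The packer swaps every word for its dictionary index in base 36 (the e()
// helper in the packed code). Unpacking is the reverse lookup; an empty
// dictionary slot means the token stands for itself (here the variable "a").
function unpack({ p, k }) {
  const dict = new Map(k.map((word, i) => [i.toString(36), word || i.toString(36)]));
  return p.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// The second eval() argument as it appears in the page source. Backslashes are
// doubled so the octal escapes stay literal text instead of being interpreted
// by this script.
const secondLayer =
  '\\141\\75\\141\\56\\164\\157\\125\\160\\160\\145\\162\\103\\141\\163\\145\\50\\51\\53\\61\\73';

// Turn \NNN octal escapes back into characters.
function decodeOctalEscapes(src) {
  return src.replace(/\\([0-3][0-7]{0,2}|[4-7][0-7]?)/g, (_, oct) =>
    String.fromCharCode(parseInt(oct, 8)));
}

// Combine both layers by hand: read the initial value out of the unpacked
// source, then apply the statement the second layer decodes to.
function level4Password() {
  const initial = /a="([^"]+)"/.exec(unpack(packed))[1];
  const stmt = decodeOctalEscapes(secondLayer);
  if (stmt !== 'a=a.toUpperCase()+1;') throw new Error('unexpected second layer: ' + stmt);
  return initial.toUpperCase() + 1;
}

console.log(unpack(packed));
console.log(decodeOctalEscapes(secondLayer));
console.log(level4Password());
```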
Level 5

Quick link to level 5

Where is the password? Well, I hid it in the page!

(this level is one for the experts)
It is hidden
under the Network tab,
in the message headers:

monyer	the password for the next level is asdf

Enter it and go on to level 6
Level 6
Quick link to level 6
What I found by simply searching Baidu:
the answer is seventeen, and entering it is accepted.
Reportedly the proper way to solve it is this:
if you are familiar with Photoshop you can solve it yourself. Use the red channel, add color balance (Ctrl+B), and adjust red and magenta to the maximum.
Next level ~
Level 7
Quick link to level 7

Hint 3: closely related to social engineering is brute-force cracking, so Monyer gives you an MD5: 5e023995fb3f5e840ee684784f8f0799 (fewer than 10 digits + letters)

MD5 decryption tool
The tool returns the password: eighteen8
Level 8
404
It really is a 404. But my console is always open:

<p style="display:none">
Level 8
Hello, my friend. Welcome to level 8!
I'm amazed at your intelligence!
Believe me, more than 85% of the people in the world are behind you now,
so you can stride forward and go about your business without hesitation.
Because as long as you are willing to work hard and are not afraid of setbacks, nothing in the world will be difficult for you.
Now, to keep our agreement, I will tell you the entrance to level 9:
the sum of all prime numbers within 10000, followed by .php
</p>

Sum of all prime numbers within 10000 = 5736396
OK, so how do we get in?
http://monyer.com/game/game1/5736396.php
Got it.
Level 9

1) The easy way: save the picture and open it in Notepad
2) Or open it with Notepad++ or WinHex and look through it
MonyerLikeYou_the10level
Level 10
Quick link to level 10

Your current identity is simpleuser, not admin, so the password for the next level cannot be shown

This is a session/cookie spoofing problem.
Inspect the page to see the cookie, then change it with a JS command. Type the command into the browser address bar: javascript: document.cookie = 'username=admin';

document.cookie="username=admin"

Or change simpleuser to admin directly in the cookie,
then refresh.
Level 11
http://monyer.com/game/game1/doyouknow.php?action=show_login_false

Your session is not marked as having passed. You cannot view the password for the next level

A cookie can be modified locally, but the session lives on the server, so the approach from the previous level does not work. Entering random things gets nowhere either. Take a step back and notice that the address has something extra in it. Yes, the authentication status is exposed there: action=show_login_false, so change it to true. I don't know why.
Level 12
Quick link to level 12

JTRBJTU0JTYzJTdBJTRBJTU0JTVBJTQ3JTRBJTU0JTU5JTc5JTRBJTU0JTU5JTMxJTRBJTU0JTU5JTc4JTRBJTU0JTYzJTMxJTRBJTU0JTYzJTMwJTRBJTU0JTU5JTM1JTRBJTU0JTU5JTMyJTRBJTU0JTYzJTMxJTRBJTU0JTVBJTQ0JTRBJTU0JTRBJTQ2JTRBJTU0JTYzJTc3JTRBJTU0JTU5JTM0JTRBJTU0JTYzJTc3

This is decoding again (search Baidu for an online tool, for example Webmaster's Home).
Base64 decode, URL decode, and so on, and so on
OK, sobeautiful.php, next step~
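
The layered decoding described above, as an added example that is not part of the original post: it peels Base64 and URL-encoding layers in a loop until plain text is left, and records which layers it removed. The function names peel and b64decode are assumptions; the input is the string shown on the level 12 page.

```javascript
// Added example: peel nested Base64 / URL-encoding layers without an online tool.

// The level 12 string from above, split into three parts for readability.
const LEVEL12 =
  'JTRBJTU0JTYzJTdBJTRBJTU0JTVBJTQ3JTRBJTU0JTU5JTc5JTRBJTU0JTU5JTMxJTRBJTU0JTU5JTc4' +
  'JTRBJTU0JTYzJTMxJTRBJTU0JTYzJTMwJTRBJTU0JTU5JTM1JTRBJTU0JTU5JTMyJTRBJTU0JTYzJTMx' +
  'JTRBJTU0JTVBJTQ0JTRBJTU0JTRBJTQ2JTRBJTU0JTYzJTc3JTRBJTU0JTU5JTM0JTRBJTU0JTYzJTc3';

// Works in the browser console (atob) and in Node (Buffer).
function b64decode(s) {
  return typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1');
}

// Repeatedly remove one layer. A string containing %XX is URL-encoded; a string
// made only of the Base64 alphabet with a length divisible by 4 is tried as
// Base64. Decoding stops when neither applies, when a Base64 guess yields
// non-printable bytes (so it was probably plain text), or after maxLayers.
function peel(input, maxLayers = 10) {
  const layers = [];
  let cur = input.trim();
  for (let i = 0; i < maxLayers; i++) {
    if (/%[0-9A-Fa-f]{2}/.test(cur)) {
      cur = decodeURIComponent(cur);
      layers.push('url');
    } else if (cur.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(cur)) {
      const out = b64decode(cur);
      if (!/^[\x20-\x7e]+$/.test(out)) break;
      cur = out;
      layers.push('base64');
    } else {
      break;
    }
  }
  return { layers, value: cur };
}

const result = peel(LEVEL12);
console.log(result.layers.join(' -> '), '=>', result.value);
```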
Level 13
No hotlinking on this page
This should be a check done by a script on the server side. If you break a certain condition, the anti-hotlinking protection responds.
Try hotlinking: find a web page and use Inspect Element to write a link into it,
or add the referer: <a href="http://monyer.com/game/game1/sobeautiful.php">


    Welcome to level 13

    Please enter the password for level 14:

    No password entered, or the password is wrong, or there is a system error!

The source code contains a POST form submission.
This is a SQL injection problem. The page's message hints at a database.
There is a universal password:

' or 1=1 

Enter it.
Level 14
Thanks for teaching me how to unpack an executable.
Use the UPX static unpacker.


You will see ipasscrackme.asp (a fake).
Try .php instead.
Level 15
http://monyer.com/game/game1/ipasscrackme.php
There are two Easter eggs:
the cookie from level 10 and the session from level 11.
If either of them is not correct, the page displays:
Although you failed to set cookies to admin in the end
Although you failed to set the session to admin in the end
If you don't see this message, you did every level step by step.
If you got here by clicking the link above, it will pop up,
so you have to do level 11 or level 10 again.
Well, it's time to leave a name in history. (see me, O(∩∩) O hahaha ~)
Comments and questions are welcome


Posted on Fri, 31 Jan 2020 06:09:15 -0800 by devangel