From 7df45e445352ab208570d6d0e1f5b46c98f4cfc2 Mon Sep 17 00:00:00 2001
From: cnrenil <renil@foxmail.com>
Date: Mon, 9 Sep 2024 17:16:59 +0800
Subject: [PATCH] First Commit

---
 Dockerfile            |   6 ++++++
 _files/src/dump.pcap  | Bin 0 -> 5219 bytes
 _files/src/index.html |  48 ++++++++++++++++++++++++++++++++++++++++++
 _files/src/server.php |  40 +++++++++++++++++++++++++++++++++++
 4 files changed, 94 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 _files/src/dump.pcap
 create mode 100644 _files/src/index.html
 create mode 100644 _files/src/server.php

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2374b6c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,6 @@
+FROM php:8.2-cli
+
+COPY _files/src /app
+WORKDIR /app
+
+CMD [ "php", "-S", "0.0.0.0:80" ]
diff --git a/_files/src/dump.pcap b/_files/src/dump.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f14ae42e0b2f7e25f125806ac841d41d27e221b9
GIT binary patch
literal 5219
zcmc&&Uu+vm8Q=U-nz{sC`$8pzIvCtISFd;dH@4#qP1B_5HNB>ZL(|eryV)Jv+pKrD
z>vilTifGa4D23DIXhC-(2Pxv=?&$>5apFjMLFj})NSr_sF9#w@OP}E3ju&XcH?v;<
ztK$lgVA`p7XJ>x%`@Z?jH}my(KmXCacBYf5mQJP(ULJqv!}M>02bkyJnbg|S&5STi
za_6hZnd4o9!7npR8>w5}M^@jz_qlJ9p6l(qn>#$iw0G`qcD8rBzMy}mowT=gbnGL@
ze`tx!Fa$aIo`Za3b*uY><=Hm@{m%NK-Cs2#6LbgpPk?*^W+Jt=P|o3<Ta<I$K`wK?
z1L$wvc&44%@dC#-n=e5nT)RW9ys&nWAg*7nARa!ly7~B0mdyP$FMP5kauY8cUQS$i
z0nnAFdEpQs@9l-POO$h_fwKbWvwL~rc=!Nws-2;=(XZ|Cov#tZWT=8@Yr*#GVHoDG
z_v@*V6ynfWDmB3c{DB_Vn4Y&1i1*V!i5MT_dtAf1reVoabS;7AF*aCHRTglMYr+&W
zIWd7Wos~o>3oXOshlT!@sjIagrj3j#%9uT^<*`&SF*}K`7jWLnClE|JoyR6Sl))NI
zeO6ymR8{06eja&e0)YWEu4si4D#fB#qTxO?WEd*GfalIA78eQi`$JLWJu{X%JMKfO
zGLO+IEY0hEXgF)?Im`uuG20Y0C8kAFDG%v!4M`F<U^)wzEG}#1RG$dIiX;*<xe{qP
zR%&d`sRP#q-XHfVIWdDdaY0F!AB%X-a9Ry5<9n8SmUfNR!RD2WhGiC)q^ziA@W6sF
z7oy$z9YXAgCh4-GWfCZ}q!>OV<FqPT;98q7I}QU2FnIzkW!d59eM?!J5?LjEUV(NK
zgQHD<9_RC5iomDS{d`mwW0ANVpTiMRlERU|TreEM!LXQ?dR#p&vbjb;R(lIII74LR
zy5`8L90=Ze|DNZy8_%@;v)OiC0mMIoLP@PHGywcINVn_$UpGYrq3-;mUZ{>lQIO}+
zxiig`dJ<ekB&7KeA4gNzfZo9{;-iU3BoXOHr_QG8<t(Xsp6C`73+iK2iw2CZXkq}t
zLYaAN3Dc=jHdgI7j<t-H1?~0+V1L*Se6ghicWx604)#0d+VRfw+6T*5M!|u*%^bK2
zh=1#1Xl-<0*Pnwlc62nv<}0IgNx*@foAnM%e)i<K;nc;65k$m2=t`0wq=KFV_fpnP
z8bCRNE(9f+!<JYv-c7BC9@S5pn8Sj5LBT~sH!U}kYzGSNq9R*aLB<P;gjxFHLyD$Y
zim0-ANmQ{A@beCorC2H+eE9lLx9@-J(Y<#bz484dXSdl?<t0-wEPGxuce<d_Foa6F
z2^+;+G%T+yTA~la(qbQ4rlUwlQdDdqy<i~$_4W?beM##k@{-RAeB=k<Cy5A*U!}_m
z4abf(q7g)bc1%E1mI)iwpN0T44DuM(WlUN4iCD<nkmXhS&@3TU*M>Z_$)2UJub$LO
z9Yqsc1ydt4R(q|uDqSj$Q1y(Wc^k>XYUC|cfT&8=35=9=sgMJK`!m=YQ89Tuv3Oec
z_Bwrf`}_-{TENxWh`~0FA?EW%-IQD5IDJ~-fIG-y1aN;);v;c3B*sH*I2}#1u}~bd
zqR2~pe=ID?!8j~f#a2Ru<Iwi)_3gJ`g1-;fZ`OUYNn%?LSe~e|tx<`?&sItk^jBVe
zbmQh<-hTJN55Lj`y_7Y9x`vBr=Ir>GWf|q;%iFMs(9f?MSo8KyoSRDZ`cN;d!2(2M
zBWu8$WfpLg5fEU?cw;nndwYj#;t@fqJDb>IvB-jkb8Nu`Ex~z#<=!T+x<-zI#k>VU
z(LQj%hKh2Y5DoFOl15%)106U;1|mTaP#7IOiby-bD&%P!gyBZn5d>1mYW?8FhpR7b
z-+6iay}Nb(w0k(xGI8DjtrCga)7q~oIF##^=nR7ZVp?8jScB1|Q~fqtsYjtEU`_U3
zb#yO$e%bcm^yKMbJqKi9Yj~ZneJe*D;WY2~gzEZMuGWyU$s{=^jwLxe#3tu-d9fT$
zvw?B|gpYx8n<~y>6~Ph<Zik9{@ZsGzAKZF(d-df+lA|5UofXZ1xMab}CAi7S<wlBJ
zGY;+p*9(e?<-z2fNh@8CWX&9ojqX8vd$pLL(v?n9ecNM_xq@Zs5XLkKu2%DcyBw~-
z7#j1FoZSJ=9?o_NIDsBc^h$EK^@;j*dZI?3JW=sSaCd&C*@?Q|5;6ECddaEW#_dZE
z{)nEa2b<?4N8_!oO*`M993xFQethF#9mftQ%L%kZ3|^)j(+*;p<Hx}9^@farAa=B`
zeVE<~>}S3WSASA#3%Q83-&&(qfA^4sxMk-}b`C-^h85=?!FLgkB(fo{8rS~A<iQDX
zm8%pFH>rOoqxj$F3=U=cmiW||?A+NC2(p15*Ev&xvpNB{FUv@9Tz!f)iPPA`X49{n
z1H_K}Kav9{0tup=Q?zP8^zec6=RN$13sW9G>fvJ^p7-$Kiyr<YeTNr*!o!b38$4Z_
zr0wO#{uCKJeF^@ZoQCI<M5TWRmF}H@Y;+Ud-}s56QqVog!DlxgU%n6b=YLdpJ5ed$
zMG&us_A^@`cv5Q%O+bFXv7aJ-swv`OK>TGz_xlLqf17|r6MS&b1Z0Mt(2Jk|nLV+X
zKoesVT+AQx2Ou|gL`MRAtJI{&MNC$}<h`A^MuW#Xc1*Un`sMrJ$ldxRgeNBNBZzrG
zEP?k(tu54v*EU?#i8md@^0MsGWg$+St#jf&JMKTYwYq)#dw<=yIjV|~=}Ol|OH-5b
z#hDRf@j~{w+$5hJ8_CTNo&TabJvk%@)Usl0%U&Qn)@6rB)v}q$UY4!4MBF$)E&H*9
zXj?WDp_U!26I{ht-LaP5pQRin2eF1@6b^%$|MKFy9q)g-CE~^>D93jk#4^VyaQs=r
JrXYyj{{jO<gB1V(

literal 0
HcmV?d00001

diff --git a/_files/src/index.html b/_files/src/index.html
new file mode 100644
index 0000000..0adc574
--- /dev/null
+++ b/_files/src/index.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html lang="zh">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>登录页面</title>
+    <script>
+        function xorEncrypt(data, key) {
+            let out = '';
+            for (let i = 0; i < data.length; i++) {
+                out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
+            }
+            return out;
+        }
+
+        function login() {
+            const username = document.getElementById('username').value;
+            const password = document.getElementById('password').value;
+            const key = 'FakeKey'; // localhost/dump.pcap
+
+            // 加密密码
+            const encryptedPassword = xorEncrypt(password, key);
+
+            // 发送请求
+            const xhr = new XMLHttpRequest();
+            xhr.open('POST', 'server.php', true);
+            xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4 && xhr.status === 200) {
+                    // 处理响应
+                    const response = xhr.responseText;
+                    alert(response);
+                }
+            };
+            xhr.send(`username=${encodeURIComponent(username)}&password=${encodeURIComponent(encryptedPassword)}`);
+        }
+    </script>
+</head>
+<body>
+    <h1>登录</h1>
+    <label for="username">用户名:</label>
+    <input type="text" id="username" required><br><br>
+    <label for="password">密码:</label>
+    <input type="password" id="password" required><br><br>
+    <button onclick="login()">登录</button>
+</body>
+</html>
+
diff --git a/_files/src/server.php b/_files/src/server.php
new file mode 100644
index 0000000..2d6e273
--- /dev/null
+++ b/_files/src/server.php
@@ -0,0 +1,40 @@
+<?php
+// server.php
+
+// 定义一个简单的用户数据库
+$users = [
+    'admin' => '04f94c31-7845-469b-ba4e-1fdbabb511f4', // 用户名 => 密码
+];
+
+// 从环境变量中读取 Flag，如果没有则使用默认值
+$flag = getenv('GZCTF_FLAG') ?: 'CTF{this_is_test_flag}';
+
+// 异或加密函数
+function xor_encrypt($data, $key) {
+    $out = '';
+    for ($i = 0; $i < strlen($data); $i++) {
+        $out .= $data[$i] ^ $key[$i % strlen($key)];
+    }
+    return $out;
+}
+
+// 处理 POST 请求
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $username = $_POST['username'] ?? '';
+    $encrypted_password = $_POST['password'] ?? '';
+    $key = '1e72c059-3a93-4f6f-839e-aa0c0784cd29';
+
+    // 解密密码
+    $password = xor_encrypt($encrypted_password, $key);
+
+    // 验证用户
+    if (isset($users[$username]) && $users[$username] === $password) {
+        // 登录成功，返回加密的 Flag
+        $encrypted_flag = xor_encrypt($flag, $key);
+        echo "登录成功！Flag: " . base64_encode($encrypted_flag); // 使用 Base64 编码以便于传输
+    } else {
+        echo "用户名或密码错误！";
+    }
+}
+?>
+