pythonchallenge Level 20
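Level 20 URL: http://www.pythonchallenge.com/pc/hex/idiot2.html
Username: butter  Password: fly
Title: go away!
Image text: private property beyond this fence
Hint: but inspecting it carefully is allowed.
The page source contains only a single image and nothing else, so inspect the information returned for the image.
This turns up a Content-Range: bytes 0-30202/2123456789
From this we know that the original image is 2123456789 bytes in size, while the current "unreal.jpg" holds only the first 30202 bytes. We need to use resumable downloading (HTTP Range requests) to get what comes after.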
```python
import base64
import requests

def get_unreal(start, end=''):
    url = "http://www.pythonchallenge.com/pc/hex/unreal.jpg"
    # HTTP Basic auth value: base64 of "user:password"
    authorization = base64.b64encode(b'butter:fly').decode()
    headers = {'Range': 'bytes=%s-%s' % (start, end),  # end may be omitted
               'Authorization': 'Basic %s' % authorization}
    response = requests.request("GET", url, headers=headers)
    data = response.content
    if data:
        print(response.content)
        # .get() avoids a KeyError when the header is absent
        print(response.headers.get('Content-Range'))
```
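First try get_unreal(0):
```python
get_unreal(0)
# bytes 0-30202/2123456789
```
It returned the Content-Range information. Next, fetch the following bytes, starting from 30203:
```python
get_unreal(30203)
# b"Why don't you respect my privacy?\n"
# bytes 30203-30236/2123456789
```
The returned Content-Range is 30203-30236 and new text appeared. Next, start from 30237:
```python
get_unreal(30237)
# b'we can go on in this way for really long time.\n'
# bytes 30237-30283/2123456789
```
Another sentence came back, so change the script to fetch the text in a loop: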
```python
import base64
import re
import requests

def get_unreal(start, end=''):
    url = "http://www.pythonchallenge.com/pc/hex/unreal.jpg"
    # HTTP Basic auth value: base64 of "user:password"
    authorization = base64.b64encode(b'butter:fly').decode()
    headers = {'Range': 'bytes=%s-%s' % (start, end),  # end may be omitted
               'Authorization': 'Basic %s' % authorization}
    response = requests.request("GET", url, headers=headers)
    data = response.content
    if data:
        print(response.content)
        # .get() returns None (ending the loop) if the header is absent
        return response.headers.get('Content-Range')
    else:
        return False

'''
Start at 30203.
The next start is the trailing number of the returned Content-Range range, plus 1.
Stop when response.content comes back empty.
'''
def get_Info(start=30203):
    reg = re.compile('-(.*)/')
    while True:
        contentRange = get_unreal(start)
        if contentRange:
            start = reg.findall(str(contentRange))
            start = int(''.join(start)) + 1
        else:
            break

get_Info(start=30203)
```
This produces a series of hint messages:
b"Why don't you respect my privacy?\n"
b'we can go on in this way for really long time.\n'
b'stop this!\n'
b'invader! invader!\n'
b'ok, invader. you are inside now. \n'
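The forward walk above can be exercised offline. This is an added example, not the original author's code: it parses Content-Range with a strict pattern instead of a loose regex and stops when the reply does not begin at the requested offset. `fake_get`, `SEGMENTS` and `TOTAL` are constructed stand-ins for the server, not its real contents.

```python
import re

# Content-Range for byte ranges (RFC 9110 section 14.4):
#   "bytes first-last/complete", or "bytes */complete" on a 416 response.
_CR = re.compile(r"bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)")

def parse_content_range(value):
    """Return (first, last, total); first/last are None for '*/N', total is None for '/*'."""
    m = _CR.fullmatch(value.strip())
    if not m:
        raise ValueError("malformed Content-Range: %r" % value)
    first, last, total = (int(g) if g and g != "*" else None for g in m.groups())
    if first is not None and (first > last or (total is not None and last >= total)):
        raise ValueError("inconsistent Content-Range: %r" % value)
    return first, last, total

# Constructed stand-in for the server: a few short segments inside a resource
# that advertises a much larger total size, as unreal.jpg does.
TOTAL = 1000
SEGMENTS = {0: b"J" * 100, 100: b"first note\n", 111: b"second note\n"}

def fake_get(start):
    """Answer 'Range: bytes=<start>-' with (status, Content-Range, body)."""
    for first, body in SEGMENTS.items():
        if first <= start < first + len(body):
            chunk = body[start - first:]
            return 206, "bytes %d-%d/%d" % (start, start + len(chunk) - 1, TOTAL), chunk
    return 416, "bytes */%d" % TOTAL, b""

def walk_forward(start, fetch=fake_get, max_requests=50):
    """Follow Content-Range forward from start; return (chunks, stop_offset)."""
    chunks = []
    for _ in range(max_requests):
        status, header, body = fetch(start)
        first, last, _total = parse_content_range(header)
        # Continue only on a 206 that begins at the requested offset, so a
        # server that ignores Range cannot cause an endless loop.
        if status != 206 or first != start:
            break
        chunks.append(body)
        start = last + 1
    return chunks, start
```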
Open http://www.pythonchallenge.com/pc/hex/invader.html
It returns the message Yes! that's you!, but that is not the address of the next level.
Try again with the range reversed:
```python
def get_Reverse(start=2123456789):
    reg = re.compile('bytes (.*)-')
    while True:
        contentRange = get_unreal(start)
        if contentRange:
            start = reg.findall(str(contentRange))
            start = int(''.join(start)) - 1
        else:
            break

get_Reverse(start=2123456789)
```
This produces the following messages:
b'esrever ni emankcin wen ruoy si drowssap eht\n'
b'and it is hiding at 1152983631.\n'
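Handle the message first:
```python
msg = 'esrever ni emankcin wen ruoy si drowssap eht'
print(msg[::-1])
# the password is your new nickname in reverse
```
So the password is the nickname reversed. Opening invader.html earlier returned Yes! that's you!, so the nickname is invader.
```python
nickname = 'invader'
print(nickname[::-1])
# redavni
```
The password is redavni.
Next, deal with 1152983631. According to the hint something is hidden there. Looking at response.content shows that it is a compressed archive, so fetch it and save it as data.zip: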
```python
import base64
import requests

url = "http://www.pythonchallenge.com/pc/hex/unreal.jpg"
authorization = base64.b64encode(b'butter:fly').decode()
headers = {
    'Range': 'bytes=1152983631-',
    'Authorization': 'Basic %s' % authorization}
response = requests.request("GET", url, headers=headers)
# Save as data.zip
with open("data.zip", "wb") as h:
    h.write(response.content)
```
Enter the password redavni to extract it.
Open readme.txt and discover that this is level 21.
Level 21 is hidden inside level 20.