HackTheWeb Challenges

OSINT II

TIFFANY&Co.

Halloween Day 3 - Python Obfuscation

Multiple layers of zlib(base64(reverse())) obfuscation, unpacked recursively:

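import base64
import re
import zlib

payload_bytes = b""  # <- first-layer payload

layer = 1
decoded = ""  # last successfully decoded layer
while True:
    try:
        # Each layer is zlib(base64(reversed bytes)); undo the steps in reverse order
        decoded = zlib.decompress(base64.b64decode(payload_bytes[::-1])).decode()
    except Exception:
        # Not another encoded layer: the previous output is the final stage
        print(decoded)
        break
    # Extract the next layer's bytes literal from the source without executing it
    match = re.search(r"b'([^']+)'|b\"([^\"]+)\"", decoded)
    if match:
        payload_bytes = (match.group(1) or match.group(2)).encode()
        layer += 1
    else:
        print(decoded)
        break

print(f"[*] Layer: {layer}")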

The final plaintext is a script that prints character by character; the answer is hidden in a variable: zieltext = "Die Antwort lautet GRABREDE."

GRABREDE

Halloween Day 4 - Scream Cipher

ĀA̰Á AÂÃȀÁȂ A̦ÅÄ AȂÁ ĂÅÅẠẢÂA̋ A̮ÅȂ ẢÃ ȦĂÅÅA̱...

Scream Cipher (XKCD) → BLOOD

Halloween Day 5 - Hex Colors

The red color values of the 6 bullet holes; take the high byte of each:

#670000 #650000 #660000 #610000 #680000 #720000
67 65 66 61 68 72

from hex → gefahr

Halloween Day 6a - Base64

Plain base64 decode → Bein

Halloween Day 6b - Morse Code

... - .. .-. -... → STIRB

Winter Day 1 - View Source

Press Ctrl+Shift+U to view the source; the answer is in the snow-covered <p> tag → snowflake

Winter Day 2 - Base64

QXBlcmxhYXE= → Aperlaaq

Winter Day 4 - Wham! Typos

The lyrics are mixed with a prompt injection and deliberate misspellings; extract the anomalous letters:

Original   Should be   Anomalous letter
beby       baby        e
A wrapped  I wrapped   A
Nor        Now         r
sowl       soul        w
rear       year        r
mover      lover       m

Earworm

Octopus

A human counts with 10 fingers, an octopus with 8 tentacles. The answer is octopus2471.

2471 (octal) → 1337

Brainfuck?

It is actually JSFuck; running console.log(/* code */) in Node.js is enough.

Host

$ curl http://185.26.156.141

The <kbd>aegir.uberspace.de</kbd> in the response is the answer.

Rockyou

The front-end JS checks sha256(salt + value); brute-force it with the rockyou wordlist:

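from hashlib import sha256

salt = "3NL/usjb4vEg"
target = "9bcf0c8289a97d33021b4790659396d9f8af1085210d2186b8ec38efcdc31472"

# rockyou.txt contains non-UTF-8 bytes, so ignore decoding errors
with open("/path/to/rockyou.txt", encoding="utf-8", errors="ignore") as f:
    for line in f:
        word = line.strip()
        # Same check as the page's JS: sha256(salt + value)
        if sha256((salt + word).encode()).hexdigest() == target:
            print(word)
            break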

Time Zones

Use the Chameleon extension to change the browser time zone to UTC-10.

Free Fall

$$h = \frac{1}{2} g t^2 = \frac{1}{2} \times 9.81 \times 1.43^2$$

Treasure Hunt

  • The largest online encyclopedia → wikipedia
  • Delay to allow data to travel from one point to another → latency
  • A finite, unambiguous set of instructions → algorithm
  • A machine learning model inspired by the human brain’s structure → neural network

UTF-5

□ = 0, ■ = 1, 5-bit encoding (1=A, 2=B, …):

Encoding  Binary  Decimal  Letter
□■■□□     01100   12       L
□■■■■     01111   15       O
□□□■■     00011   3        C
□■□□□     01000   8        H
□■□■■     01011   11       K
□□□□■     00001   1        A
■□□■□     10010   18       R
■□■□□     10100   20       T
□□■□■     00101   5        E

LOCHKARTE

Alphabet - Control Characters

ASCII contains an alphabet of uppercase letters and one of lowercase letters. But there is also a third, which is used in this file.

Control character N = the Nth letter; spaces are kept:

$ xxd a
00000000: 1420 2020 010e 2020 2020 2009 2020 2020  .   ..     .    
00000010: 0e14 2020 0c0a                           ..  ..

Byte  Decimal  Letter
0x14  20       T
0x01  1        A
0x0e  14       N
0x09  9        I
0x0e  14       N
0x14  20       T
0x0c  12       L

T _ _ _ A N _ _ _ _ _ I _ _ _ _ N T _ _ L → control

Honey Morello - Zero-Width Steganography

Zero-width characters are hidden in the text (U+200B = 0, U+200C = 1); extract them line by line and decode each as a 5-bit value:

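text = ""  # <- challenge text containing the zero-width characters

for line in text.split("\n"):
    bits = ""
    for ch in line:
        if ch == "\u200b":  # ZERO WIDTH SPACE -> 0
            bits += "0"
        elif ch == "\u200c":  # ZERO WIDTH NON-JOINER -> 1
            bits += "1"
    # One 5-bit value per line: 1=a, 2=b, ...
    if bits and (val := int(bits, 2)):
        print(chr(96 + val), end="")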

the answer is meme

Mental Arithmetic

15 timed arithmetic problems; auto-fill them with JS:

for (let i = 0; i < 15; i++) {
  // Read the expression text of task i and drop the trailing "="
  let task = document.getElementById("task" + i).innerText.replace("=", "").trim();
  document.getElementById("ans" + i).value = eval(task);
}
document.forms[0].submit();

Base4096

Emoji encoder/decoder: https://base4096.infinityfreeapp.com/?i=1

Transposed - Rail Fence Cipher

Rail Fence Cipher decode, key = 4
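
The rail fence decode named above, as an added example that is not part of the original writeup; it works for any rail count, not only key = 4. The function names and the sample string are assumptions constructed for illustration, and the sample is not the challenge ciphertext.

```python
def rail_pattern(length: int, rails: int) -> list[int]:
    """Rail index visited by each text position (zigzag 0..rails-1..0)."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Read the zigzag rail by rail, top to bottom."""
    pattern = rail_pattern(len(plaintext), rails)
    return "".join(
        ch for r in range(rails)
        for ch, p in zip(plaintext, pattern) if p == r
    )


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Invert the rail-by-rail read-out."""
    pattern = rail_pattern(len(ciphertext), rails)
    # The ciphertext is rail 0's characters, then rail 1's, and so on.
    # Sorting positions by (rail, position) yields the plaintext position
    # that each ciphertext character came from.
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plain[pos] = ch
    return "".join(plain)


# Constructed sample (not the challenge ciphertext); key = 4 as in the challenge.
SAMPLE_PLAIN = "HACKTHEWEB"
SAMPLE_CIPHER = rail_fence_encrypt(SAMPLE_PLAIN, 4)

if __name__ == "__main__":
    print(SAMPLE_CIPHER)
    print(rail_fence_decrypt(SAMPLE_CIPHER, 4))
```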