我现在再做一个ctf的web题，社团“活动”统计站的小秘密等你来挖～题目地址：39.105.213...

Creato il: 14 maggio 2026

Risposto usando GPT-5.5 Thinking da Chat01

Domanda

我现在再做一个ctf的web题，社团“活动”统计站的小秘密等你来挖～
题目地址：39.105.213.28:8000这是题干，首先，我输入39.105.213.28：8000
进入题目页面源代码为

<!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> 然后我输入39.105.213.28:8000/admin进入了源代码为 <!DOCTYPE html> <html> <head> <title>Admin Area</title> <style> body { background: #f5f5f5; padding: 50px; text-align: center; font-family: "微软雅黑", sans-serif; } .hint { font-size: 14px; color: #666; margin-top: 20px; line-height: 1.6; } .hidden-hint { font-size: 24px; color: rgba(0,0,0,0.1); margin: 50px 0; } .anti-brute-hint { font-size: 16px; color: #e74c3c; margin: 30px 0; font-weight: 500; padding: 10px; border: 1px dashed #e74c3c; border-radius: 8px; display: inline-block; background: rgba(231, 76, 60, 0.05); }

text
    .clue-hint {
        font-size: 13px;
        color: #3498db;
        margin-top: 15px;
        cursor: pointer;
        transition: color 0.3s;
    }
    .clue-hint:hover {
        color: #2980b9;
        text-decoration: underline;
    }
</style>

</head> <body> <h1>Admin Access</h1> <div class="hidden-hint">flag{stat</div> <div class="hint">Nothing here directly, but maybe start from here...</div>

text
<div class="clue-hint" onmouseover="this.innerText='💡 提示：暴力走不通，观察=通关～'" onmouseout="this.innerText='👉 点击没用，观察才有用～'">
    👉 点击没用，观察才有用～
</div>

</body> </html> 下一步，我根据题目的提示输入39.105.213.28:8000/stat进入 <!DOCTYPE html> <html> <head> <title>Stat Page</title> <style> body { background: #f5f5f5; padding: 50px; text-align: center; } .hint { font-size: 14px; color: #666; margin-top: 20px; } .keyword { color: #2196F3; font-weight: bold; } </style> </head> <body> <h1>Statistics</h1> <div class="hint">Maybe this is a middle step?</div> <div style="margin-top: 30px; font-size: 16px;">Keyword: <span class="keyword">maybe</span></div> </body> </html> 之后输入39.105.213.28:8000/activity进入 <!DOCTYPE html> <html> <head> <title>Activity List</title> <style> body { background: #f5f5f5; padding: 50px; text-align: center; font-family: "微软雅黑", sans-serif; } .hint { font-size: 14px; color: #666; margin-top: 20px; line-height: 1.6; } .here { font-size: 36px; color: #4CAF50; margin: 40px 0; position: relative; }

text
    .hidden-flag {
        display: none; 
    }
</style>

</head> <body> <h1>Activity Area</h1> <div class="here">here</div>

text
<div class="hidden-flag">ISCC{Campus_Stat_A_</div>

<div class="hint">This is an end, and also a new beginning.</div>

<script>

    console.log("%c[Clue] Half of the truth: ISCC{Campus_Stat_A_", "color: #4CAF50; font-size: 14px;");
    console.log("%c[Hint] The target might be combined with previous clues...", "color: #2196F3; font-size: 12px;");
</script>

</body> </html>其次 39.105.213.28:8000/robots.txt中有User-agent: * Allow: /static/hint/tech_stack.txt 39.105.213.28:8000/static/hint/tech_stack.txt中是 Backend: Django 5.2.5 ATTENTION： To access the core interface, you need to set two request headers correctly: 1. User-Agent: Must strictly follow "Campus-Stat/1.0" (including case and special symbols); 2. Referer: Must be a valid HTTPS URL containing "campus-stat.example.com" (no extra content, only the root domain).

Pensiero

你已经把前半段关键信息基本挖出来了：现在重点不是再扫路径，而是把“核心接口需要的三个条件”拼齐：UA、Referer、校园令牌。下面我按你现有线索推下一步。

Thought for 29s

Risposta

你下一步可以按这个方向试：构造带 3 个条件的请求。

你现在已经拿到：

User-Agent 必须是：

http
Campus-Stat/1.0

Referer 应该是官方根域名：

http
https://campus-stat.example.com/

也可以顺手试一下无结尾 / 的版本：

http
https://campus-stat.example.com

“校园令牌”大概率来自你收集到的三个页面线索：

text
/admin    -> flag{stat
/stat     -> maybe
/activity -> here

所以校园令牌很可能是：

text
flag{stat_maybe_here}

或者不带下划线：

text
flag{statmaybehere}

而隐藏 flag 前半段是：

text
ISCC{Campus_Stat_A_

优先尝试的 curl

先试核心接口路径，最可能是 /core 或 /api/core：

bash
curl -i "http://39.105.213.28:8000/core" \
  -H "User-Agent: Campus-Stat/1.0" \
  -H "Referer: https://campus-stat.example.com/" \
  -H "Campus-Token: flag{stat_maybe_here}"

如果不行，试：

bash
curl -i "http://39.105.213.28:8000/api/core" \
  -H "User-Agent: Campus-Stat/1.0" \
  -H "Referer: https://campus-stat.example.com/" \
  -H "Campus-Token: flag{stat_maybe_here}"

再试你线索拼出来的路径：

bash
curl -i "http://39.105.213.28:8000/stat/maybe/here" \
  -H "User-Agent: Campus-Stat/1.0" \
  -H "Referer: https://campus-stat.example.com/" \
  -H "Campus-Token: flag{stat_maybe_here}"

如果返回提示“token missing / invalid”

换 header 名：

bash
-H "X-Campus-Token: flag{stat_maybe_here}"

完整命令：

bash
curl -i "http://39.105.213.28:8000/core" \
  -H "User-Agent: Campus-Stat/1.0" \
  -H "Referer: https://campus-stat.example.com/" \
  -H "X-Campus-Token: flag{stat_maybe_here}"

再试另一个 token 拼法：

bash
curl -i "http://39.105.213.28:8000/core" \
  -H "User-Agent: Campus-Stat/1.0" \
  -H "Referer: https://campus-stat.example.com/" \
  -H "Campus-Token: flag{statmaybehere}"

建议你重点枚举这些路径

text
/core
/core/
/api
/api/
/api/core
/api/core/
/api/stat
/api/stat/
/api/statistics
/stat/maybe/here
/activity/stat
/admin/stat

可以用这个小循环：

bash
for p in /core /core/ /api /api/ /api/core /api/core/ /api/stat /api/stat/ /api/statistics /stat/maybe/here /activity/stat /admin/stat; do
  echo "===== $p ====="
  curl -s -i "http://39.105.213.28:8000$p" \
    -H "User-Agent: Campus-Stat/1.0" \
    -H "Referer: https://campus-stat.example.com/" \
    -H "Campus-Token: flag{stat_maybe_here}" | head -n 20
done

我判断最可能的组合是：

http
GET /core
User-Agent: Campus-Stat/1.0
Referer: https://campus-stat.example.com/
Campus-Token: flag{stat_maybe_here}

如果正确，返回内容里大概率会给 flag 后半段，和你已经拿到的：

text
ISCC{Campus_Stat_A_

拼起来。

Domanda

cmd写成一行，方便执行

Pensiero

Thought for a couple of seconds

Risposta

在 Windows cmd 里直接复制这一行先试：

cmd
curl -i "http://39.105.213.28:8000/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"

如果不行，试这个 header 名：

cmd
curl -i "http://39.105.213.28:8000/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: flag{stat_maybe_here}"

再试 /api/core：

cmd
curl -i "http://39.105.213.28:8000/api/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"

路径批量测试一行版：

cmd
for %p in (/core /core/ /api /api/ /api/core /api/core/ /api/stat /api/stat/ /api/statistics /stat/maybe/here /activity/stat /admin/stat) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"

Domanda

Microsoft Windows [版本 10.0.26200.8246]
(c) Microsoft Corporation。保留所有权利。

C:\Users\15003>curl -i "http://39.105.213.28:8000/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"
HTTP/1.1 404 Not Found
Date: Thu, 14 May 2026 04:01:12 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 179
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html>

C:\Users\15003>curl -i "http://39.105.213.28:8000/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: flag{stat_maybe_here}"
HTTP/1.1 404 Not Found
Date: Thu, 14 May 2026 04:01:16 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 179
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html>

C:\Users\15003>curl -i "http://39.105.213.28:8000/api/core" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"
HTTP/1.1 404 Not Found
Date: Thu, 14 May 2026 04:01:19 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 179
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html>

C:\Users\15003>for %p in (/core /core/ /api /api/ /api/core /api/core/ /api/stat /api/stat/ /api/statistics /stat/maybe/here /activity/stat /admin/stat) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"
===== /core =====
HTTP/1.1 404 Not Found
Date: Thu, 14 May 2026 04:01:24 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 179
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /core/ ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:24 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:25 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/ ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:25 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/core ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:25 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/core/ ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:25 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/stat ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:26 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/stat/ ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:26 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /api/statistics ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:26 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /stat/maybe/here ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:27 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /activity/stat ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:27 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html> ===== /admin/stat ===== HTTP/1.1 404 Not Found Date: Thu, 14 May 2026 04:01:27 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Content-Length: 179 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!doctype html> <html lang="en"> <head> <title>Not Found</title> </head> <body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p> </body> </html>

C:\Users\15003>

Pensiero

Testing headers and tokens for request manipulation

I need to work out the command lines, maybe use curl or Windows cmd loop. I’m experimenting with headers and tokens for a root URL endpoint like /?page=2. The tech stack suggests two headers, but I’m unsure if the token should be in a URL, cookie, or body. I’ll test and verify these variations carefully.

Thought for 15s

Risposta

你的 404 说明：路径不存在，不是权限没过。接下来不要继续猜 /core，优先打这个前端真实出现过的接口：

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"

再试无 / 的 Referer：

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "Campus-Token: flag{stat_maybe_here}"

如果没出，再试 token 不带 flag{}：

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: stat_maybe_here"

再试 token 作为 Cookie：

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Cookie: campus_token=flag{stat_maybe_here}"

再试常见 header 名：

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: flag{stat_maybe_here}"

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Token: flag{stat_maybe_here}"

cmd
curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Authorization: flag{stat_maybe_here}"

我现在最看好的是第一个，因为页面 JS 里唯一真实请求就是：

js
fetch('/?page=2', { method: 'GET' })

而题干叫“活动统计站”，不是一定有 /core 路径。你把 /?page=2 的返回贴出来，我可以继续判断是 token 错、header 名错，还是还差别的参数。

Domanda

Microsoft Windows [版本 10.0.26200.8246]
(c) Microsoft Corporation。保留所有权利。

C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: flag{stat_maybe_here}"
HTTP/1.1 200 OK
Date: Thu, 14 May 2026 04:02:40 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Campus-Token: campus-ctf-2024-abc123
X-Frame-Options: DENY
Content-Length: 6148
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "Campus-Token: flag{stat_maybe_here}" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:02:45 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: stat_maybe_here" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:02:49 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Cookie: campus_token=flag{stat_maybe_here}" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:02:53 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: flag{stat_maybe_here}" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:02:57 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Token: flag{stat_maybe_here}" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:03:00 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>curl -i "http://39.105.213.28:8000/?page=2" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Authorization: flag{stat_maybe_here}" HTTP/1.1 200 OK Date: Thu, 14 May 2026 04:03:03 GMT Server: WSGIServer/0.2 CPython/3.12.13 Content-Type: text/html; charset=utf-8 X-Campus-Token: campus-ctf-2024-abc123 X-Frame-Options: DENY Content-Length: 6148 X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin <!DOCTYPE html> <head> <script> document.addEventListener('keydown', function(e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) { e.preventDefault(); alert('该页面禁止直接调试，请尝试其他方式'); } }); document.addEventListener('contextmenu', function(e) { e.preventDefault(); alert('右键菜单已禁用'); }); let devToolsOpen = false; const checkDevTools = setInterval(function() { const widthThreshold = window.outerWidth - window.innerWidth > 100; const heightThreshold = window.outerHeight - window.innerHeight > 100; if (widthThreshold || heightThreshold) { if (!devToolsOpen) { devToolsOpen = true; location.reload(); } } else { devToolsOpen = false; } }, 1000); </script> <meta charset="UTF-8"> <title>校园社团活动平台</title> <style> * { margin: 0; padding: 0; box-sizing: border-box; font-family: "微软雅黑", sans-serif; } .header { background: #2c3e50; color: white; padding: 15px 30px; display: flex; justify-content: space-between; align-items: center; } .header h1 { font-size: 22px; } .nav a { color: white; text-decoration: none; margin-left: 20px; } /* 新增：高亮关键词样式 */ .highlight-key { color: #3498db; /* 醒目蓝色，和页面主色调呼应 */ font-weight: bold; /* 加粗 */ text-decoration: underline; /* 下划线 */ padding: 2px 4px; border-radius: 3px; background: rgba(52, 152, 219, 0.1); /* 浅蓝背景，增强视觉 */ } .container { max-width: 1200px; margin: 30px auto; padding: 0 20px; } .section-title { font-size: 20px; margin-bottom: 20px; border-left: 4px solid #3498db; padding-left: 10px; } .activity-card { border: 1px solid #eee; border-radius: 8px; padding: 15px; margin-bottom: 20px; display: flex; gap: 20px; } .activity-card img { width: 150px; height: 100px; object-fit: cover; border-radius: 4px; } .activity-info h3 { font-size: 18px; margin-bottom: 8px; color: #2c3e50; } .activity-info p { font-size: 14px; color: #666; margin-bottom: 5px; } .load-more { display: block; width: 200px; margin: 20px auto; padding: 10px; background: #3498db; color: white; border: none; border-radius: 4px; cursor: pointer; text-align: center; } .load-more:hover { background: #2980b9; } .hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; } </style> </head> <body> <div class="header"> <h1>校园社团活动平台</h1> <div class="nav"> <a href="#">首页</a> <a href="#">"<span class="highlight-key">活动</span>"分类</a> <a href="#">社团"<span class="highlight-key">管理</span>"</a> <a href="#">数据统计</a> </div> </div>

text
<div class="container">
    <div class="section-title">近期活动</div>
    <div id="activity-list">
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=1" alt="活动封面">
            <div class="activity-info">
                <h3>2024秋季编程大赛</h3>
                <p>时间：2024-09-15 14:00</p>
                <p>地点：科技楼B302</p>
                <p>类型：技术类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=2" alt="活动封面">
            <div class="activity-info">
                <h3>社团招新宣讲会</h3>
                <p>时间：2024-09-01 19:00</p>
                <p>地点：学术报告厅</p>
                <p>类型：综合类</p>
            </div>
        </div>
        <div class="activity-card">
            <img src="https://picsum.photos/200/150?random=3" alt="活动封面">
            <div class="activity-info">
                <h3>志愿服务活动</h3>
                <p>时间：2024-09-20 09:00</p>
                <p>地点：校外社区</p>
                <p>类型：公益类</p>
            </div>
        </div>
    </div>

    <button class="load-more" onclick="loadMore()">加载更多活动</button>
</div>

<div style="margin-top: 100px; text-align: center; font-size: 12px; color: #999;">
    <p>关于校园统计系统 © 2024</p>
    <p style="margin-top: 10px;" onmouseover="this.style.color='#333'" onmouseout="this.style.color='#999'">
        🕵️ 访问核心功能需：用户代理+官方来源页+校园令牌
    </p>
</div>

<script>
    function loadMore() {
        fetch('/?page=2', { method: 'GET' })
            .then(res => {
                console.log('加载更多成功！！！');
                const newCard = `
                    <div class="activity-card">
                        <img src="https://picsum.photos/200/150?random=4" alt="活动封面">
                        <div class="activity-info">
                            <h3>音乐鉴赏沙龙</h3>
                            <p>时间：2024-09-10 16:00</p>
                            <p>地点：艺术楼101</p>
                            <p>类型：文艺类</p>
                        </div>
                    </div>
                `;
                document.getElementById('activity-list').insertAdjacentHTML('beforeend', newCard);
            })
            .catch(err => {
                alert('加载失败，请重试');
            });
    }
</script>

</body> </html> C:\Users\15003>

Pensiero

好，关键突破出来了：服务器在响应头里主动给了真正的校园令牌 campus-ctf-2024-abc123。之前你传的 token 基本被忽略了，下一步应改用这个值，并且优先用 X-Campus-Token 这个 header 名。

Thought for 16s

Risposta

现在真正的 token 是响应头里的这个：

text
campus-ctf-2024-abc123

下一步直接用它试。先跑这个：

cmd
curl -i "http://39.105.213.28:8000/activity" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"

再试 /stat：

cmd
curl -i "http://39.105.213.28:8000/stat" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"

再试 /admin：

cmd
curl -i "http://39.105.213.28:8000/admin" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"

重点批量测这些路径：

cmd
for %p in (/activity /activity/ /stat /stat/ /admin /admin/ /data /data/ /statistics /statistics/ /manage /manage/ /activity/manage /activity/manage/ /stat/activity /stat/activity/ /activity/stat /activity/stat/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP ISCC flag token campus secret hidden"

如果上面没出，再试 query 参数型接口，因为它已经用过 ?page=2：

cmd
for %q in (admin stat activity manage data statistics secret flag core) do @echo ===== ?page=%q ===== & curl -s -i "http://39.105.213.28:8000/?page=%q" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP ISCC flag token campus secret hidden"

再试 token 用 Campus-Token 名称，而不是 X-Campus-Token：

cmd
curl -i "http://39.105.213.28:8000/stat" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: campus-ctf-2024-abc123"

我现在更倾向于：/?page=2 的作用不是返回内容，而是发放真正令牌。拿到 X-Campus-Token: campus-ctf-2024-abc123 后，再访问某个已有/隐藏统计接口才会出 flag。先把上面两个批量命令的输出贴出来，尤其是非 404、非普通首页的那几项。

Domanda

Microsoft Windows [版本 10.0.26200.8246]
(c) Microsoft Corporation。保留所有权利。

C:\Users\15003>curl -i "http://39.105.213.28:8000/activity" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 May 2026 04:04:40 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
Location: /activity/
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Connection: close

C:\Users\15003>curl -i "http://39.105.213.28:8000/stat" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 May 2026 04:04:49 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
Location: /stat/
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Connection: close

C:\Users\15003>curl -i "http://39.105.213.28:8000/admin" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 May 2026 04:04:56 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
Location: /admin/
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Connection: close

C:\Users\15003>for %p in (/activity /activity/ /stat /stat/ /admin /admin/ /data /data/ /statistics /statistics/ /manage /manage/ /activity/manage /activity/manage/ /stat/activity /stat/activity/ /activity/stat /activity/stat/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP ISCC flag token campus secret hidden"
===== /activity =====
HTTP/1.1 301 Moved Permanently
===== /activity/ =====
HTTP/1.1 200 OK
.hidden-flag {
<div class="hidden-flag">ISCC{Campus_Stat_A_</div>
console.log("%c[Clue] Half of the truth: ISCC{Campus_Stat_A_", "color: #4CAF50; font-size: 14px;");
===== /stat =====
HTTP/1.1 301 Moved Permanently
===== /stat/ =====
HTTP/1.1 200 OK
===== /admin =====
HTTP/1.1 301 Moved Permanently
===== /admin/ =====
HTTP/1.1 200 OK
.hidden-hint { font-size: 24px; color: rgba(0,0,0,0.1); margin: 50px 0; }
<div class="hidden-hint">flag{stat</div>
===== /data =====
HTTP/1.1 404 Not Found
===== /data/ =====
HTTP/1.1 404 Not Found
===== /statistics =====
HTTP/1.1 404 Not Found
===== /statistics/ =====
HTTP/1.1 404 Not Found
===== /manage =====
HTTP/1.1 404 Not Found
===== /manage/ =====
HTTP/1.1 404 Not Found
===== /activity/manage =====
HTTP/1.1 404 Not Found
===== /activity/manage/ =====
HTTP/1.1 404 Not Found
===== /stat/activity =====
HTTP/1.1 404 Not Found
===== /stat/activity/ =====
HTTP/1.1 404 Not Found
===== /activity/stat =====
HTTP/1.1 404 Not Found
===== /activity/stat/ =====
HTTP/1.1 404 Not Found

C:\Users\15003>for %q in (admin stat activity manage data statistics secret flag core) do @echo ===== ?page=%q ===== & curl -s -i "http://39.105.213.28:8000/?page=%q" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP ISCC flag token campus secret hidden"
===== ?page=admin =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=stat =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=activity =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=manage =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=data =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=statistics =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=secret =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=flag =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">
===== ?page=core =====
HTTP/1.1 200 OK
X-Campus-Token: campus-ctf-2024-abc123
.hint-hidden { position: absolute; left: -9999px; font-size: 12px; color: #ccc; }
<img src="https://picsum.photos/200/150?random=1" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=2" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=3" alt="娲诲姩灏侀潰">
<img src="https://picsum.photos/200/150?random=4" alt="娲诲姩灏侀潰">

C:\Users\15003>curl -i "http://39.105.213.28:8000/stat" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com/" -H "Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 May 2026 04:05:21 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
Location: /stat/
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Connection: close

C:\Users\15003>

Pensiero

现在输出里还有一个细节：Django 自动把 /activity、/stat、/admin 301 到带斜杠版本，后续都应该直接访问 /activity/ 这种形式。你已经验证了这几个只是线索页，真正还差“核心接口”的路由名。

Thought for 17s

Risposta

目前关键信息是：

text
X-Campus-Token: campus-ctf-2024-abc123

说明真正 token 已经拿到了。下一步不是换 token，而是继续找真正核心接口路径。

先试这几个最可能的带 / 路径，注意 Referer 我这里用无结尾斜杠版本，更符合提示里的“only the root domain”：

cmd
for %p in (/secret/ /flag/ /core/ /token/ /api/ /api/flag/ /api/secret/ /api/token/ /api/stat/ /api/activity/ /campus/ /campus-stat/ /campus_stat/ /manage/ /admin/flag/ /stat/flag/ /activity/flag/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus error forbidden denied"

再试把 token header 名换成 Campus-Token：

cmd
for %p in (/secret/ /flag/ /core/ /token/ /api/ /api/flag/ /api/secret/ /api/token/ /api/stat/ /api/activity/ /campus/ /campus-stat/ /campus_stat/ /manage/ /admin/flag/ /stat/flag/ /activity/flag/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus error forbidden denied"

再检查提示文件和 robots 在正确 header 下有没有额外响应头：

cmd
curl -i "http://39.105.213.28:8000/robots.txt" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"

cmd
curl -i "http://39.105.213.28:8000/static/hint/tech_stack.txt" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"

还有一个很可能的点：既然它是 Django，路径可能有尾斜杠，curl 不自动跟随 301。你可以对已知页面用 -L 看完整返回：

cmd
curl -i -L "http://39.105.213.28:8000/admin" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"

如果上面批量里某个路径不是 404 Not Found，把那一段贴出来。现在最值得关注的是：

text
/secret/
/flag/
/token/
/api/flag/
/api/token/
/campus-stat/

Domanda

Microsoft Windows [版本 10.0.26200.8246]
(c) Microsoft Corporation。保留所有权利。

C:\Users\15003>for %p in (/secret/ /flag/ /core/ /token/ /api/ /api/flag/ /api/secret/ /api/token/ /api/stat/ /api/activity/ /campus/ /campus-stat/ /campus_stat/ /manage/ /admin/flag/ /stat/flag/ /activity/flag/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus error forbidden denied"
===== /secret/ =====
HTTP/1.1 404 Not Found
===== /flag/ =====
HTTP/1.1 404 Not Found
===== /core/ =====
HTTP/1.1 404 Not Found
===== /token/ =====
HTTP/1.1 404 Not Found
===== /api/ =====
HTTP/1.1 404 Not Found
===== /api/flag/ =====
HTTP/1.1 404 Not Found
===== /api/secret/ =====
HTTP/1.1 404 Not Found
===== /api/token/ =====
HTTP/1.1 404 Not Found
===== /api/stat/ =====
HTTP/1.1 404 Not Found
===== /api/activity/ =====
HTTP/1.1 404 Not Found
===== /campus/ =====
HTTP/1.1 404 Not Found
===== /campus-stat/ =====
HTTP/1.1 404 Not Found
===== /campus_stat/ =====
HTTP/1.1 404 Not Found
===== /manage/ =====
HTTP/1.1 404 Not Found
===== /admin/flag/ =====
HTTP/1.1 404 Not Found
===== /stat/flag/ =====
HTTP/1.1 404 Not Found
===== /activity/flag/ =====
HTTP/1.1 404 Not Found

C:\Users\15003>for %p in (/secret/ /flag/ /core/ /token/ /api/ /api/flag/ /api/secret/ /api/token/ /api/stat/ /api/activity/ /campus/ /campus-stat/ /campus_stat/ /manage/ /admin/flag/ /stat/flag/ /activity/flag/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus error forbidden denied"
===== /secret/ =====
HTTP/1.1 404 Not Found
===== /flag/ =====
HTTP/1.1 404 Not Found
===== /core/ =====
HTTP/1.1 404 Not Found
===== /token/ =====
HTTP/1.1 404 Not Found
===== /api/ =====
HTTP/1.1 404 Not Found
===== /api/flag/ =====
HTTP/1.1 404 Not Found
===== /api/secret/ =====
HTTP/1.1 404 Not Found
===== /api/token/ =====
HTTP/1.1 404 Not Found
===== /api/stat/ =====
HTTP/1.1 404 Not Found
===== /api/activity/ =====
HTTP/1.1 404 Not Found
===== /campus/ =====
HTTP/1.1 404 Not Found
===== /campus-stat/ =====
HTTP/1.1 404 Not Found
===== /campus_stat/ =====
HTTP/1.1 404 Not Found
===== /manage/ =====
HTTP/1.1 404 Not Found
===== /admin/flag/ =====
HTTP/1.1 404 Not Found
===== /stat/flag/ =====
HTTP/1.1 404 Not Found
===== /activity/flag/ =====
HTTP/1.1 404 Not Found

C:\Users\15003>curl -i "http://39.105.213.28:8000/robots.txt" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 200 OK
Date: Thu, 14 May 2026 04:07:10 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/plain
X-Frame-Options: DENY
Content-Length: 48
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

User-agent: *
Allow: /static/hint/tech_stack.txt
C:\Users\15003>curl -i "http://39.105.213.28:8000/static/hint/tech_stack.txt" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 200 OK
Date: Thu, 14 May 2026 04:07:16 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/plain; charset=utf-8
X-Frame-Options: DENY
Content-Length: 320
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

Backend: Django 5.2.5
ATTENTION：
To access the core interface, you need to set two request headers correctly:

User-Agent: Must strictly follow "Campus-Stat/1.0" (including case and special symbols);
Referer: Must be a valid HTTPS URL containing "campus-stat.example.com" (no extra content, only the root domain).
C:\Users\15003>curl -i -L "http://39.105.213.28:8000/admin" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123"
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 May 2026 04:07:29 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
Location: /admin/
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Connection: close

HTTP/1.1 200 OK
Date: Thu, 14 May 2026 04:07:29 GMT
Server: WSGIServer/0.2 CPython/3.12.13
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 1411
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!DOCTYPE html> <html> <head> <title>Admin Area</title> <style> body { background: #f5f5f5; padding: 50px; text-align: center; font-family: "微软雅黑", sans-serif; } .hint { font-size: 14px; color: #666; margin-top: 20px; line-height: 1.6; } .hidden-hint { font-size: 24px; color: rgba(0,0,0,0.1); margin: 50px 0; } .anti-brute-hint { font-size: 16px; color: #e74c3c; margin: 30px 0; font-weight: 500; padding: 10px; border: 1px dashed #e74c3c; border-radius: 8px; display: inline-block; background: rgba(231, 76, 60, 0.05); }

text
    .clue-hint {
        font-size: 13px;
        color: #3498db;
        margin-top: 15px;
        cursor: pointer;
        transition: color 0.3s;
    }
    .clue-hint:hover {
        color: #2980b9;
        text-decoration: underline;
    }
</style>

</head> <body> <h1>Admin Access</h1> <div class="hidden-hint">flag{stat</div> <div class="hint">Nothing here directly, but maybe start from here...</div>

text
<div class="clue-hint" onmouseover="this.innerText='💡 提示：暴力走不通，观察=通关～'" onmouseout="this.innerText='👉 点击没用，观察才有用～'">
    👉 点击没用，观察才有用～
</div>

</body> </html> C:\Users\15003>

Pensiero

bash -lc set -o pipefail for p in /campus-ctf-2024-abc123/ /campus-ctf-2024-abc123 /static/hint/campus-ctf-2024-abc123.txt /static/hint/core.txt /static/hint/token.txt /static/hint/flag.txt /static/hint/.hidden /stat/maybe/here/ /flag%7Bstatmaybehere%7D/; do echo ==== $p; curl -s -i --max-time 5 "http://39.105.213.28:8000$ p" -H 'User-Agent: Campus-Stat/1.0' -H 'Referer: https://campus-stat.example.com' -H 'X-Campus-Token: campus-ctf-2024-abc123' | head -n 12; done

Thought for 40s

Risposta

这轮说明：普通路径枚举不够，核心接口名很可能由三段线索拼出来。

你目前有三段：

text
/admin/    -> flag{stat
/stat/     -> maybe
/activity/ -> here

所以重点试这些组合路径和参数。直接复制执行：

cmd
for %p in (/flag/stat/maybe/here/ /flag/stat_maybe_here/ /stat/maybe/here/ /stat_maybe_here/ /stat-maybe-here/ /maybe/here/ /here/maybe/ /admin/stat/maybe/here/ /activity/stat/maybe/here/ /stat/core/ /activity/core/ /admin/core/ /stat/secret/ /activity/secret/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus forbidden denied"

再试 token 放 Cookie，因为“校园令牌”不一定是 header：

cmd
for %p in (/flag/stat/maybe/here/ /flag/stat_maybe_here/ /stat/maybe/here/ /stat_maybe_here/ /stat-maybe-here/ /stat/core/ /activity/core/ /admin/core/ /stat/secret/ /activity/secret/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "Cookie: X-Campus-Token=campus-ctf-2024-abc123; campus_token=campus-ctf-2024-abc123" | findstr /i "HTTP Location ISCC flag secret token campus forbidden denied"

再试 参数型核心接口。因为首页已有 ?page=2，这个站可能用 query 参数控制逻辑：

cmd
for %u in ("http://39.105.213.28:8000/?token=campus-ctf-2024-abc123" "http://39.105.213.28:8000/?campus_token=campus-ctf-2024-abc123" "http://39.105.213.28:8000/?core=1" "http://39.105.213.28:8000/?action=core" "http://39.105.213.28:8000/?module=stat" "http://39.105.213.28:8000/?page=core&token=campus-ctf-2024-abc123" "http://39.105.213.28:8000/?page=stat&token=campus-ctf-2024-abc123" "http://39.105.213.28:8000/?page=flag&token=campus-ctf-2024-abc123") do @echo ===== %u ===== & curl -s -i %u -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP ISCC flag secret token campus forbidden denied"

还有一个关键点：tech_stack.txt 说只需要 两个请求头 访问 core interface，没说 token 也作为请求头。所以试一下只带 UA 和 Referer 访问组合路径：

cmd
for %p in (/stat/core/ /activity/core/ /admin/core/ /flag/stat_maybe_here/ /stat_maybe_here/ /stat/maybe/here/) do @echo ===== %p ===== & curl -s -i "http://39.105.213.28:8000%p" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" | findstr /i "HTTP Location ISCC flag secret token campus forbidden denied"

如果还是全 404，下一步我会建议测 HTTP 方法，因为“核心接口”可能不是 GET：

cmd
for %m in (GET POST PUT OPTIONS HEAD) do @echo ===== %m ===== & curl -s -i -X %m "http://39.105.213.28:8000/stat/" -H "User-Agent: Campus-Stat/1.0" -H "Referer: https://campus-stat.example.com" -H "X-Campus-Token: campus-ctf-2024-abc123" | findstr /i "HTTP Allow ISCC flag secret token campus forbidden denied"

重点看有没有不是 404、不是普通页面的返回。尤其关注 403 Forbidden、405 Method Not Allowed、Allow:、ISCC、flag。

Domanda

Pensiero

Risposta

优先尝试的 curl

如果返回提示“token missing / invalid”

建议你重点枚举这些路径

Domanda

Pensiero

Risposta

Domanda

Pensiero

Risposta

Domanda

Pensiero

Risposta

Domanda

Pensiero

Risposta

Domanda

Pensiero

Risposta

Condividi questa Q&A