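1. Write a script (don't know how)
2. Use an auto-clicker (don't want to)
3. Swap the left and right entries so that the real No. 1 gains votes (went with this one)
This yields the flag.

Press F12 to view the page source; the code is JSFuck-encoded.
Alternatively, paste it into the Chrome console and press Enter to get the flag.

Opening the page, it prompts you to take a look at the robots.txt protocol.
Visit robots.txt.
By convention, what it lists is not to be accessed, so of course we access it, and get the following code: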
<p>code.txt</p>
if (isset ($_GET['password'])) {
    if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
    {
        echo 'You password must be alphanumeric';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('*-* have not been found');
        }
    }
    else
    {
        echo 'Invalid password';
    }
}
?>
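I couldn't make sense of the code, so I read a senior student's writeup.
Roughly: password is passed in via GET and reaches the first if statement.
The ereg function requires password to consist only of one or more digits or upper/lowercase letters; only then does it get past the first if statement. ereg is subject to a %00 truncation bypass.
Next the else if is evaluated: the password's length must be less than 8, yet its value must be greater than 9999999. Under normal logic this is impossible.
Scientific notation gets around it: 1e8 = 100000000 > 9999999.
strpos checks whether the password parameter we supply contains *-*.
So, request: ?password=1e8%00*-*
This returns the flag.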
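
The two checks from code.txt beside a stricter form, as an added example that is not part of the challenge or of the original writeup; the function names and sample inputs are constructed for illustration. The listing above calls preg_match rather than ereg, and the comments note where that and the PHP version change the outcome.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// The checks from code.txt, returning a label instead of echoing.
function check_original(string $password): string
{
    // preg_match() returns 1 or 0, and false only on an internal error,
    // so "=== FALSE" does not reject a password that fails the pattern.
    if (preg_match("/^[a-zA-Z0-9]+$/", $password) === false) {
        return 'not alphanumeric';
    }
    // Loose "string > int": a numeric string such as "1e8" is compared as
    // 100000000. Before PHP 8 a string that only starts with a number is
    // converted the same way; PHP 8 compares such strings as text.
    if (strlen($password) < 8 && $password > 9999999) {
        return strpos($password, '*-*') !== false ? 'flag' : 'no marker';
    }
    return 'invalid';
}

// Stricter form: require exactly one match, anchor with \A...\z, and
// compare numerically only after the input is known to be decimal digits.
function check_hardened(string $password): string
{
    if (preg_match('/\A[a-zA-Z0-9]+\z/', $password) !== 1) {
        return 'not alphanumeric';
    }
    $isDigits = preg_match('/\A[0-9]+\z/', $password) === 1;
    if ($isDigits && strlen($password) < 8 && (int) $password > 9999999) {
        // Unreachable: at most 7 digits means a value of at most 9999999.
        return strpos($password, '*-*') !== false ? 'flag' : 'no marker';
    }
    return 'invalid';
}

// Constructed inputs, including the request value used in the writeup.
$samples = ['abc123', '1234567', '12345678', '1e8', "1e8\0*-*"];
foreach ($samples as $s) {
    printf("%-16s original=%-17s hardened=%s\n",
        json_encode($s), check_original($s), check_hardened($s));
}
```
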
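
Challenge description:
Scatter says he can crack this odd cipher. Can you? Give it a try!
Flag format: ISCC{XXX}, where XXX is a lowercase string without spaces
Extracting the archive gives a txt file and an encrypted archive.
Tidying up the txt file gives a list of points in x:y:z form, the same points that appear as dot1 in the script below.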
Then running a script gives the password:
from matplotlib import pyplot as plt
from mpl_toolkits.mplot3d import Axes3D  # registers the 3D projection on older matplotlib
dot1 = [[1, 3, 1], [1.25, 3, 1], [1.5, 3, 1], [1.75, 3, 1], [2, 3, 1], [2, 2.75, 1], [2, 2.5, 1], [2, 2.25, 1], [2, 2, 1], [2, 1.75, 1], [2, 1.5, 1], [1, 2.25, 1], [1.25, 2.25, 1], [1.5, 2.25, 1], [1.75, 2.25, 1], [1, 1.5, 1], [1.25, 1.5, 1], [1.5, 1.5, 1], [1.75, 1.5, 1], [3, 3, 1], [3.25, 3, 1], [3.5, 3, 1], [3.75, 3, 1], [4, 3, 1], [3.25, 2.25, 1], [3.5, 2.25, 1], [3.75, 2.25, 1], [4, 2.25, 1], [4, 2, 1], [4, 1.75, 1], [4, 1.5, 1], [3, 1.5, 1], [3.25, 1.5, 1], [3.5, 1.5, 1], [3.75, 1.5, 1], [3, 1.75, 1], [3, 2, 1], [3, 2.25, 1], [3, 2.5, 1], [3, 2.75, 1], [5, 3, 1], [5.25, 3, 1], [5.5, 3, 1], [5.75, 3, 1], [6, 3, 1], [6, 2.25, 1], [6, 2, 1], [6, 1.75, 1], [6, 1.5, 1], [5.75, 1.5, 1], [5.5, 1.5, 1], [5.25, 1.5, 1], [5, 1.5, 1], [5, 2.25, 1], [5.25, 2.25, 1], [5.5, 2.25, 1], [5.75, 2.25, 1], [5, 2.5, 1], [5, 2.75, 1], [7, 3, 1], [7.25, 3, 1], [7.5, 3, 1], [7.75, 3, 1], [8, 3, 1], [8, 2.75, 1], [8, 2.5, 1], [8, 2.25, 1], [8, 2, 1], [8, 1.75, 1], [8, 1.5, 1], [9, 3, 1], [9.25, 3, 1], [9.5, 3, 1], [9.75, 3, 1], [10, 3, 1], [10, 2.75, 1], [10, 2.5, 1], [10, 2.25, 1], [9.75, 2.25, 1], [9.5, 2.25, 1], [9.25, 2.25, 1], [9, 2.25, 1], [9, 2, 1], [9, 1.75, 1], [9, 1.5, 1], [9.25, 1.5, 1], [9.5, 1.5, 1], [9.75, 1.5, 1], [10, 1.5, 1], [11, 3, 1], [11.25, 3, 1], [11.5, 3, 1], [11.75, 3, 1], [12, 3, 1], [12, 2.75, 1], [12, 2.5, 1], [12, 2.25, 1], [12, 2, 1], [12, 1.75, 1], [12, 1.5, 1], [11.75, 1.5, 1], [11.5, 1.5, 1], [11.25, 1.5, 1], [11, 1.5, 1], [11, 1.75, 1], [11, 2, 1], [11, 2.25, 1], [11, 2.5, 1], [11, 2.75, 1], [11.25, 2.25, 1], [11.5, 2.25, 1], [11.75, 2.25, 1]]  # the points from the txt file, as [x, y, z]
plt.figure()  # create the figure
ax1 = plt.axes(projection='3d')
ax1.set_xlim(0, 15)  # X axis, horizontal, pointing right
ax1.set_ylim(15, 0)  # Y axis, pointing left, perpendicular to the X and Z axes
ax1.set_zlim(0, 15)  # Z axis, vertical
color1 = ['r', 'g', 'b', 'k', 'm']
marker1 = ['o', 'v', '1', 's', 'H']
i = 0
for x in dot1:
    ax1.scatter(x[0], x[1], x[2], c=color1[1],
                marker=marker1[1], linewidths=4)  # draw the point with the scatter function
    i += 1
plt.show()
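This produces the plot below.
The password is: 365728
Opening the archive gives a string of Morse code.
This gives the flag: CONGRATULATIONTHEFLAGISCHALLENGEISCCTWOZEROTWOONE

Challenge description:
Little C went to a concert. While buying a ticket on the official site he noticed a notice offering an archive named "give_me_discount". Curious, he downloaded it but had no idea where to start. To save his pocket money, can you help him?
Running give.exe in cmd gives pass1{\u006b\u0072\u0077}
Unicode-decoding it gives: krw
Opening the archive me.zip in 010 Editor reveals a base64-encoded string.
Base64-decoding it gives pass2{gcc666}
The two passwords put together, krwgcc666, are the password of the archive me.zip.
Open me.zip; base64-decoding gives the image below.
Finally, use MP3Stego.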
MP3Stego usage:
decode.exe -X -P youfoundme? discount.mp3
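Finally, base32-decode the result to get the flag.

Challenge description: Perhaps what you see is only a mirage…
The archive contains a docx file.
Change its extension to zip.
In word/document.xml (opened with Notepad), press Ctrl+F and search for ISCC
to get the flag.
Method 2: use WinRAR to search the files for the string ISCC.

Challenge description: The beauty's words contain a hint for solving the challenge, but her words cannot be fully trusted.
Find grhe4q4h6eta.jpg.
Open the file's properties and view the details to get a hint:
it may be AES encryption, and the key is ISCC2021.
Scan the QR code in ny4w1nbmry4m.docx: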
U2FsdGVkX1/Ka+sScszwQkwhO+VLiJwV/6IFg5W+TfNHGxG2qZsIr2iwMwb9X9Iu 3GuGWmPOtO27z8vNppD2D50fwsD+8VWhdtW9J4cewYivH/Z/7GoUvcJXJMrvf+vu +CBqWDGp6HWd0e5whGhuzlK0ZtBcDZdPDSIHA7+GuUlifp8PcFCtJPgiuk143REE +pKFiSJXolXLR1vJCdGY9w5mXFbiWPrb2U7r/v5noP8=
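Running it through AES three times gives: y0u_h@ve_fal1en_intO_tHe_tr@p_0f_tHe_be@uty_!
And with that, you have been tricked.
The correct process:
Change the docx extension to zip.
A second QR code is found in the word/media folder.
It gives: U2FsdGVkX19eOY/pDh8+vPAcvfkLi1XLUneVzjLLOMul53sKK8UpobdCOiPIv4KE
Decrypt it with DES (the key is still ISCC2021) to get the flag.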

Move the image into Kali and extract it with binwalk, which produces a folder:
binwalk -e /home/kali/Desktop/221B.png
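In the extracted folder, open the file 75645B with Notepad.
It contains a long string of 0s and 1s (embedded in the script below); a script found via Baidu converts it into a QR code.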
The script is as follows:
import PIL.Image
MAX = 29
pic = PIL.Image.new("RGB",(MAX,MAX))
str = "1111111000100100110000111111110000010011011110010101000001101110100111010011010010111011011101000000111011110101110110111010010111101110001011101100000101110111000010010000011111111010101010101010111111100000000011100100110100000000100101101110000101010101000001101000011101011011011100101000001110010010001111011110010001100000101101100111111001010110101101110000100011110100110001001100010010101110000111111111110010100110101001111110010110001100110111110111000110011110010001111001110000100011010000110100100000001011001010101101110100011011010011100011101001111011111000101001101101101100101010001111101000000000011101101101010001011011111110000011110000101011010100000101011110010101000101101011101001010011001011111001010111010110101111000001101001101110100101010000010100111011000001000011101000011001001011111110100100100000111100110"
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        if str[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))  # '1' is a black module
        else:
            pic.putpixel((x, y), (255, 255, 255))  # '0' is a white module
        i = i + 1
pic.show()
pic.save("flag.png")
Scanning the resulting QR code gives the flag.