ISCC 2018 writeup

1、 Misc
1. What is that?

answer:
(1) After opening the challenge file, it turns out to be a picture of a hand gesture, as shown in the following figure:

(2) Open the picture in WinHex and search for the hex sequence 0000027200001f4, as shown in the figure below;

(3) Change it to 0000027200002f4, as shown in the figure below;

(4) Save and open the picture to see the flag, as shown in the figure below;

(5) Flag: Flag = {welcome to ISCC};
(6) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1ut_w9nQRqCbmJGUqIk_9Og
Password: svyb
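
Steps (2) and (3) edit eight bytes in the PNG header. Assuming they are the width and height fields of the IHDR chunk (the writeup does not name them), the hidden rows can also be found programmatically. The following is an added example, not part of the original writeup: it checks the IHDR CRC, recovers the original height from the stale CRC or from the IDAT data, and runs on a small PNG constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by colour type


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Constructed sample: 8-bit greyscale, non-interlaced, filter type 0 rows."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    row = b"\x00" + bytes((x * 7) & 0xFF for x in range(width))
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(row * height)) + chunk(b"IEND", b""))


def truncate_height(png: bytes, shown: int) -> bytes:
    """Constructed tampering: overwrite the height field, leave the CRC stale."""
    return png[:20] + struct.pack(">I", shown) + png[24:]


def read_ihdr(png: bytes):
    """Return (width, height, remaining 5 IHDR bytes, stored CRC)."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    (stored_crc,) = struct.unpack(">I", png[29:33])
    return width, height, png[24:29], stored_crc


def ihdr_crc_ok(png: bytes) -> bool:
    width, height, rest, stored = read_ihdr(png)
    return zlib.crc32(b"IHDR" + struct.pack(">II", width, height) + rest) == stored


def height_from_crc(png: bytes, limit: int = 8192):
    """Find the height for which the stored IHDR CRC is valid, if any."""
    width, _, rest, stored = read_ihdr(png)
    for h in range(1, limit + 1):
        if zlib.crc32(b"IHDR" + struct.pack(">II", width, h) + rest) == stored:
            return h
    return None


def height_from_idat(png: bytes) -> int:
    """Count the scanlines actually present in the IDAT stream (non-interlaced)."""
    width, _, rest, _ = read_ihdr(png)
    bit_depth, colour_type = rest[0], rest[1]
    stride = 1 + (width * bit_depth * CHANNELS[colour_type] + 7) // 8
    idat, pos = b"", 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if png[pos + 4:pos + 8] == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length
    return len(zlib.decompress(idat)) // stride


def set_height(png: bytes, height: int) -> bytes:
    """Write a new height into IHDR and recompute the chunk CRC."""
    width, _, rest, _ = read_ihdr(png)
    ihdr = struct.pack(">II", width, height) + rest
    return png[:12] + chunk(b"IHDR", ihdr)[4:] + png[33:]


if __name__ == "__main__":
    sample = truncate_height(build_png(16, 12), 4)
    print("IHDR CRC valid:", ihdr_crc_ok(sample))
    print("height in header:", read_ihdr(sample)[1])
    print("height matching CRC:", height_from_crc(sample))
    print("rows present in IDAT:", height_from_idat(sample))
```

A declared height that is smaller than the number of rows in IDAT, or an IHDR CRC that does not verify, is the indicator that image data is being hidden this way.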

2. Title: Secret telegram

answer:
(1) After opening the title, it is found that: abaaaabababaaabaaabaaaaabaaaaabaaaabaaabaaabaaabaaabaaabaaabaaabaaabaaabaaababaaabaaabaaabaaabaaabaaabaaababaaabaaabaaabaaabaaabaaabaaabaaabaaabaaabaaabaaabaaabaaaba;

(2) The string consists only of the letters a and b, which is characteristic of the Bacon cipher, as shown in the figure below;

(3) Use online tools to decrypt, as shown in the figure below;
Decrypt URL link: http://tool.bugku.com/peigen/

(4) Results: ilikeisc, ilikeisc
(5) Flag:ILIKEISCC
(6) Download Baidu disk link:
Link: https://pan.baidu.com/s/1QVTLEruYe-s4BqohhUya5A
Password: kank

3. Title: where is the flag?

answer:
(1) After opening the title, it is found that it is a PNG picture, as shown in the figure below;

(2) Open this image with Adobe Fireworks CS5, as shown in the figure below;

(3) Move the logo of ISCC to see the QR code, as shown in the figure below;

(4) N QR codes are found, as shown in the figure below;

(5) Splice these QR code fragments into a single QR code, as shown in the figure below;

(6) Scan the QR code to get the flag, as shown in the figure below;

(7) Flag:a332b700-3621-11e7-a53b-6807154a58cf
(8) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1H7UQ7kRkX6DslTNF_1-pTA
Password: 5dgt

4. Title: a cat's mind

answer:
(1) After opening the title, it is found that it is a game cat, as shown in the figure below;

(2) Use WinHex to view and open, as shown in the following figure;

(3) A WPS-format Word document is found embedded in the picture, as shown in the figure below;

(4) Manually separate and report the wrong doc version, as shown in the figure below;
Note: hex file header value of the WPS-format document: d0cf11e0a1b11ae1

(5) Open the extracted word document, as shown in the figure below;

(6) Decode it with the "Buddha" text-encoding tool, as shown in the figure below;
Decrypt URL link: http://www.keyfc.net/bbs/tools/tudoucode.aspx

(7) Click "understand the true meaning of Buddha's words" to decode it, as shown in the figure below;

(8) Copy the decoded result into the left pane of WinHex;

(9) Base64-decode the content shown in the right pane;
Decrypt URL link: http://base64.xpcha.com/

(10) Base32-decode that result;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base.php

(11) Copy the Base32-decoded result into the left pane of WinHex, as shown in the following figure;

(12) Base64-decode the text obtained in WinHex, as shown in the following figure;

(13) Base32-decode the result, as shown in the figure below;

(14) Copy the decoded result into the left pane of WinHex, as shown in the following figure;

(15) Flag:F1a9_is_I5cc_ZOl8_G3TP01NT
(16) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1fi_DoySdBLQUUrj0ZSo80w
Password: yvp7

5. Title: violence is not advisable

answer:
(1) After opening the title, it is found that it is an encrypted zip package, as shown in the figure below;

There are two solutions. Let's look at method 1 first.
(1) Copy it to Kali Linux and extract it with the binwalk -e command, as shown in the following figure;

(2) Access the unzipped folder, as shown in the figure below;

(3) Use the command cat flag.txt to view the contents of the txt file, as shown in the following figure;

Vfppjrnerpbzvat
Method 2
(1) Open the compressed package in WinHex, as shown in the following figure;

(2) Find 504b030414000008 and 4b01023f00140007, as shown in the figure below;

(3) It is modified to 504b030414000000 and 4b01023f00140000, as shown in the figure below;

(4) Save and then decompress, as shown in the following figure;

(5) Open the flag.txt text file after opening the file, as shown in the following figure;

(6) Open the flag.txt file, as shown in the following figure;

Vfppjrnerpbzvat
(7) Decode it with ROT13
Decrypt URL link: http://www.mxcz.net/tools/rot13.aspx

(8) Flag:isccwearecoming
(9) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1Yv9BX4QMFlqGftZjareWbw
Password: 37c3

6. Title: numerous Spy Films

answer:
(1) After downloading the challenge, it turns out to be a large block of Base64-encoded text, as shown in the figure below;

(2) Decrypt Base64, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(3) It is found that the decryption result is still Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(4) It is found that the decryption result is still Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(5) At the fourth layer, the text is found to be URL-encoded, so decode it, as shown in the figure below;
Decrypt URL link: http://www.convertstring.com/zh_CN/EncodeDecode/UrlDecode

(6) The decryption result is Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(7) At the sixth layer, the text is found to be URL-encoded, so decode it, as shown in the figure below;
Decrypt URL link: http://www.convertstring.com/zh_CN/EncodeDecode/UrlDecode

(8) The decryption result is Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(9) At the eighth layer, the text is found to be URL-encoded, so decode it, as shown in the figure below;
Decrypt URL link: http://www.convertstring.com/zh_CN/EncodeDecode/UrlDecode

(10) The decryption result is Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(11) The decryption result is Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(12) The decryption result is Base64, so continue to decrypt, as shown in the figure below;
Decrypt URL link: http://www.qqxiuzi.cn/bianma/base64.htm

(13) At the 12th layer, the text is found to be URL-encoded, so decode it, as shown in the figure below;
Decrypt URL link: http://www.convertstring.com/zh_CN/EncodeDecode/UrlDecode

(14) At the 13th layer, the decryption result is found to be AES, so decrypt it, as shown in the figure below;
Decrypt URL link: https://www.sojson.com/encrypt_aes.html

(15) The decryption result of the fourteenth layer is encoded with the "Buddha" text encoding, as shown in the figure below;
Decrypt URL link: http://www.keyfc.net/bbs/tools/tudoucode.aspx

(16) Flag: copy me
(17) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1ygIKTa3AVnPhzbUheWbiog
Password: afwk
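
The manual procedure above peels one encoding layer at a time in online tools. As an added example (not part of the original writeup), this script automates the recognisable layers (Base64, Base32, URL encoding, hex) and stops at the first layer it cannot identify, which in this challenge would be the AES layer; the nested sample string is constructed.

```python
import base64
import binascii
import re
import string
from urllib.parse import quote, unquote

PRINTABLE = set(string.printable.encode())
SAMPLE = "sample{constructed_not_a_flag}"  # constructed, not a challenge flag


def _as_text(raw: bytes):
    """Accept a decoded layer only if it is non-empty printable ASCII."""
    if raw and all(b in PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def try_hex(s: str):
    if len(s) >= 4 and len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        return _as_text(bytes.fromhex(s))
    return None


def try_base32(s: str):
    if len(s) % 8 == 0 and re.fullmatch(r"[A-Z2-7]+=*", s):
        try:
            return _as_text(base64.b32decode(s))
        except binascii.Error:
            return None
    return None


def try_url(s: str):
    # Base64 padding and "+" or "/" show up as %3D, %2B, %2F once URL-encoded.
    if re.search(r"%[0-9a-fA-F]{2}", s):
        return unquote(s)
    return None


def try_base64(s: str):
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            return _as_text(base64.b64decode(s, validate=True))
        except binascii.Error:
            return None
    return None


# Order matters: the hex and Base32 alphabets are subsets of the Base64 alphabet.
DECODERS = [("hex", try_hex), ("base32", try_base32),
            ("url", try_url), ("base64", try_base64)]


def peel(s: str, max_layers: int = 32):
    """Return (innermost text, list of layer names in the order removed)."""
    layers = []
    while len(layers) < max_layers:
        for name, decoder in DECODERS:
            out = decoder(s.strip())
            if out is not None and out != s:
                s, hit = out, name
                break
        else:
            return s, layers  # no decoder recognised this layer
        layers.append(hit)
    return s, layers


def wrap(plain: str) -> str:
    """Build the constructed sample: Base64 x2, URL, Base64, Base32, hex."""
    s = base64.b64encode(plain.encode()).decode()
    s = base64.b64encode(s.encode()).decode()
    s = quote(s, safe="")
    s = base64.b64encode(s.encode()).decode()
    s = base64.b32encode(s.encode()).decode()
    return s.encode().hex()


if __name__ == "__main__":
    text, chain = peel(wrap(SAMPLE))
    print(" -> ".join(chain))
    print(text)
```

The printable-ASCII check is what keeps ordinary words, which also fit the Base64 alphabet, from being decoded one layer too far.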

7. Title: Caesar XIII

answer:
(1) The first clause of the title indicates Caesar, as shown in the figure below;

(2) So try to decrypt by using the rot13 shift, as shown in the figure below;
Decrypt URL link: http://www.mxcz.net/tools/rot13.aspx

(3) The second clause of the challenge description mentions the keyboard, as shown in the figure below;

(4) Take the decrypted text and shift each character one position up or down on the keyboard, as shown in the figure below;
A. A small piece of background knowledge, as shown in the figure below;

B. Back to the challenge, as shown in the figure below (the flag is obtained following the order of the decrypted ciphertext);

(5) Flag:yougotme
(6) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1yOy0OPs4PiOxyIHST6JhQg
Password: 53pq

8. Topic: interesting ISCC

answer:
(1) Download the title and unzip it, as shown in the figure below;

(2) It is found that it is a JPG image and put it into WinHex to view, as shown in the following figure;

(3) The file header is found to be that of a PNG image, as shown in the figure below;

(4) Looking at the end of the picture, there is Unicode-encoded text after IEND, as shown in the figure below;

(5) Decrypt the Unicode code (click the Unicode code to convert to Chinese), as shown in the figure below;
Decrypt URL link: http://tool.chinaz.com/tools/unicode.aspx

(6) After decryption, it is found that there is a hexadecimal code, so continue to decrypt (click hexadecimal to character). As shown in the figure below;
Decrypt URL link: https://www.bejson.com/convert/ox2str/

(7) Flag:flag{iscc is fun}
(8) Download Baidu disk link:
Link: https://pan.baidu.com/s/1Uwat1hXovCRmZHhg8Fw1bg
Password: w9ui

9. Title: Digital ciphertext

answer:
(1) As shown in the title is hexadecimal, so converted to characters, as shown in the following figure;
Decrypt URL link: https://www.bejson.com/convert/ox2str/

(2) Flag:it’s easy!
(3) Download Baidu disk link:
Link: https://pan.baidu.com/s/13IuYVJx_HtYg7zr4QUtV6g
Password: vhex

10. Title: Treasure digging plan

answer:
(1) After downloading the title, it is found that it is a compressed package, as shown in the figure below;

(2) Try to decompress, found a password. As shown in the figure below;

(3) Checking the zip archive in WinHex shows that it is not pseudo-encrypted, as shown in the figure below;

(4) Use a plaintext attack to recover the password, as shown in the figure below;

(5) The password of the compressed package is (iscczxc), as shown in the figure below;

(6) After decompressing the compressed package, it is found that the title is the same as last year. I don't know what the organizers want to do with this question;
(7) Download Baidu disk link:
Link: https://pan.baidu.com/s/1ZjmkZuuksJfpwPJrqaHsZg
Password: bkpa

11. Title: nested zips

answer:
(1) After downloading the title, it is found that it is a compressed package, as shown in the figure below;

(2) A password is found when the compressed package is decompressed, as shown in the figure below;

(3) First, run a mask brute-force attack restricted to digits, as shown in the figure below;

(4) Get the first layer password and decompress it, as shown in the figure below;

(5) Look at the decompressed tips.txt file, as shown in the following figure;

(6) According to the content, it is a plaintext attack, as shown in the figure below;

(7) Use ARCHPR to run the plaintext attack, as shown in the figure below;

(8) Get the decompression password: Z! C@t #F $12 and extract the file, as shown in the figure below;

(9) Put the third layer of compressed package into WinHex, as shown in the figure below;

(10) Pseudo encryption is found, as shown in the figure below;

(11) Change 14000008 to 14000000, as shown in the figure below;

(12) Save and unzip, as shown in the figure below;

(13) Unzip and open flag.txt, as shown in the following figure;

(14) Flag : ISCC_! S_ my_ favor1te_ CTF
(15) Download Baidu disk link:
Link: https://pan.baidu.com/s/1XY_QvoK9vaAQcZXNI0QrRQ
Password: IPBT
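
Method 2 of challenge 5 and steps (9) to (11) of this challenge both clear flag bytes in the zip headers ("pseudo encryption"). As an added example (not from the original writeup), the script below walks the central directory, tells a member whose encryption flag is set but whose data still inflates to the recorded size and CRC-32 apart from a really encrypted one, and clears the flag; the archive and the XOR-scrambled stand-in for real ciphertext are constructed samples.

```python
import io
import struct
import zipfile
import zlib

ENC_BIT = 0x0001  # general-purpose flag bit 0: member is encrypted


def make_sample_zip() -> bytes:
    """Constructed sample: one deflated, unencrypted member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample, not a real flag\n" * 4)
    return buf.getvalue()


def members(data: bytes):
    """Walk the central directory and yield the header fields of each member."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("end-of-central-directory record not found")
    total, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        (sig, _made, _need, cflags, method, _time, _date, crc, csize, usize,
         nlen, elen, clen, _disk, _iattr, _eattr, lpos) = struct.unpack_from(
            "<4sHHHHHHIIIHHHHHII", data, pos)
        if sig != b"PK\x01\x02" or data[lpos:lpos + 4] != b"PK\x03\x04":
            raise ValueError("corrupt central directory or local header")
        (lflags,) = struct.unpack_from("<H", data, lpos + 6)
        lnlen, lelen = struct.unpack_from("<HH", data, lpos + 26)
        yield {
            "name": data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
            "central_flag_off": pos + 8, "local_flag_off": lpos + 6,
            "central_flags": cflags, "local_flags": lflags,
            "method": method, "crc": crc, "csize": csize, "usize": usize,
            "start": lpos + 30 + lnlen + lelen,
        }
        pos += 46 + nlen + elen + clen


def classify(data: bytes, m: dict) -> str:
    """Decide whether a flagged member is really encrypted."""
    if not (m["central_flags"] | m["local_flags"]) & ENC_BIT:
        return "plain"
    payload = data[m["start"]:m["start"] + m["csize"]]
    try:
        if m["method"] == 8:      # deflate: try to inflate the raw stream
            plain = zlib.decompressobj(-15).decompress(payload)
        elif m["method"] == 0:    # stored: payload is the file itself
            plain = payload
        else:
            return "flagged, method not checked"
    except zlib.error:
        return "encrypted"
    intact = len(plain) == m["usize"] and zlib.crc32(plain) == m["crc"]
    return "pseudo-encrypted" if intact else "encrypted"


def set_enc_bit(data: bytes, on: bool) -> bytes:
    """Set or clear bit 0 in the local and central header of every member."""
    out = bytearray(data)
    for m in members(data):
        for off in (m["central_flag_off"], m["local_flag_off"]):
            (flags,) = struct.unpack_from("<H", out, off)
            flags = flags | ENC_BIT if on else flags & ~ENC_BIT & 0xFFFF
            struct.pack_into("<H", out, off, flags)
    return bytes(out)


def fake_ciphertext(data: bytes) -> bytes:
    """Constructed stand-in for a really encrypted member: flag set, payload scrambled."""
    out = bytearray(set_enc_bit(data, True))
    for m in members(data):
        for i in range(m["start"], m["start"] + m["csize"]):
            out[i] ^= 0xA5
    return bytes(out)


def report(data: bytes) -> dict:
    return {m["name"]: classify(data, m) for m in members(data)}


if __name__ == "__main__":
    plain = make_sample_zip()
    print(report(plain))
    print(report(set_enc_bit(plain, True)))
    print(report(fake_ciphertext(plain)))
```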

2、 Web
1. Title: compare the size of numbers
answer:

(1) There is only one submit dialog box when opening the website page, as shown in the figure below;

(2) Open Inspect Element, as shown in the following figure;

(3) In the inspected element, MaxLength is found to be set to "3", as shown in the following figure;

(4) Change MaxLength = 3 to MaxLength = 4, as shown in the figure below;

(5) Input 9999 in the dialog box, as shown in the figure below;

(6) Click Submit, as shown in the figure below;

(7) Flag:key is 768HKyu678567&*&K

2. Title: can you cross it?

answer:
(1) Open the website, as shown in the figure below;

(2) Base64 is found in the web page link, as shown in the figure below;

ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA
(3) Decrypt Base64 in the web page link, as shown in the figure below;
Decrypt URL link: http://base64.xpcha.com/

(4) Reorganize the decrypted results, as shown in the figure below;


(5) Copy /%nsfocusXSStest%/ to the dialog box, as shown in the following figure;

(6) Click submit to open the dialog box, as shown in the figure below;

(7) Flag:flag{Hell0World}

3. Title: everything is routine

answer:
(1) Open the link, as shown in the figure below;

(2) Scan with a scanner, as shown in the figure below;

http://118.190.152.202:8009/index.php.txt
(3) Open the link of scan results, as shown in the figure below;

(4) Open the HackBar extension in the Firefox browser, as shown in the following figure;

(5) Click Load URL to copy the URL to the dialog box, as shown in the figure below;

(6) Click Post data, as shown in the figure below;

(7) Add "index. PHP" after the URL of loadurl_ 200 = flag, as shown in the figure below;

(8) Enter flag = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

(9) Click execute to access the web page, as shown in the figure below;

(10) Flag:ISCC{taolu2333333….}

4. Title: can you bypass it?

answer:
(1) Open the link, as shown in the figure below;

(2) Click one randomly, as shown in the figure below;

(3) Change id = 2 to 6668952, as shown in the figure below;

(4) The id parameter turns out to be unfiltered, so try to read the file containing the flag, as shown in the figure below;

(5) The page is found to display Base64, so decode it, as shown in the figure below;
Decrypt URL link: http://base64.xpcha.com/

(6) It is found that the decryption result is the source code of HTML static page, as shown in the figure below;

(7) Flag:ISCC{LFIOOOOOOOOOOOOOO}
(8) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1_5OWy8TCFKbq6vIz-wPhPA
Password: id8e

5. Title: Web02

answer:
(1) Open the link, as shown in the figure below;

(2) The text of the challenge page mentions local access, so capture the packet and modify the HTTP request header, as shown in the figure below;

Client-IP:127.0.0.1
(3) Click "Intercept is on" to release the packet, as shown in the figure below;

(4) View the web page, as shown in the figure below;

(5)Flag:ISCC{iscc_059eeb8c0c33eb62}

6. Title: the art of SQL injection

answer:
(1) Open the link, as shown in the figure below;

(2) Click personal information, as shown in the figure below;

(3) Put the link into sqlmap and try to inject it, as shown in the figure below;
Command:
sqlmap -u "http://118.190.152.202:8015/index.php?id=1"

(4) It turns out to be a wide-byte injection and a WAF is indicated, so try to bypass the WAF, as shown in the figure below;
Command:
sqlmap -u "http://118.190.152.202:8015/index.php?id=1" --tamper unmagicquotes.py --batch -v 3 --level 3 --dump

(5) Flag:Y0u_@@ 33w_ dxxmn_ 9rf0Od

7. Title: try it

answer:
(1) Open the link, as shown in the figure below;

(2) Test whether there is a file inclusion vulnerability at img=, as shown below;

(3) A file inclusion vulnerability is found, as shown in the figure;
A. Payload, as shown in the figure below;

B. Proof that the file inclusion vulnerability exists, as shown in the figure below;

(4) Construct payload, as shown in the figure below;

(5) After opening the web page, it is blank, as shown in the figure below;

(6) Open the source code of the web page, as shown in the figure below;

(7)Flag:flag{1ntere5ting_PHP_Regu1ar_express1onssssss}
(8) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1hpljgBPsE-V6VWz0YB91_A
Password: m5x3

8. Topic: local temptation

answer:
(1) Everyone says this is a sign-in challenge, so open the link, as shown in the figure below;

(2) Check the source code, as shown in the figure below;

(3) Flag:ISCC{^&*(UIHKJjkadshf}

9. Title: can you Ping my IP?

answer:
(1) Open the link, as shown in the figure below;

(2) Scan the directory with a scanner, as shown in the figure below;

Scanning results: http://118.190.152.202:8018/flag.txt
(3) Open the scan results, as shown in the figure below;

(4) Flag:ISCC{8a8646c7a2fce16b166fbc68ca65f9e4}

10. Title: please give me username and password!

answer:
(1) Open the title link, as shown in the figure below;

(2) The user name and password are required in the link page, as shown in the figure below;

(3) Therefore, the payload of user password access is constructed, as shown in the figure below;
Payload:/?username[]&password=3e9

(4) Flag:flag{ISCC2018_Very_GOOD!}

11. Title: web01

answer:
(1) Open the link and find that it is a code audit problem, as shown in the figure below;

(2) The get type submits the password, and the requirements for obtaining the flag are as follows:
A. password=0
B. sha(password)=0
(3) In this way, it seems that the final result of password is equal to 0, and if condition is true, flag is obtained. The construction statement is shown in the figure below;

(4) Flag:ISCC{iscc_ef3w5r5tw_5rg5y6s3t3}

12. Title: collide

answer:
(1) Open the link and find that it is a code audit topic, as shown in the figure below;

(2) After auditing the source code, use the hashpump attack;
(3) Install hashpump;
A. Method 1
git clone https://github.com/bwall/HashPump.git
apt-get install g++ libssl-dev
cd HashPump
make
make install
B. Method 2
pip install hashpumpy
(4) Run hashpump, replace \x with % in its output, and URL-encode it with HackBar, as shown in the figure below;

(5) Run hackbar, as shown in the figure below;

(6) Change the MD5 value with burp, as shown in the figure below;

(7) Flag:ISCC{MD5_1s_n0t_5afe}

13. Title: only admin can see flag

answer:
(1) Open the title link and find that there is only one login dialog box. As shown in the figure below;

(2) Check the source code and find an index.txt prompt, as shown in the following figure;

(3) Open index.txt and audit the source code. It turns out to be a CBC byte-flipping vulnerability, as shown in the following figure;

(4) The following describes the principle of the CBC byte-flipping attack, as shown in the figure below;

(5) The figure above is a schematic diagram of CBC encryption;
A. Plaintext: the data to be encrypted.
B. IV: a random block of bits mixed into the encryption so that encrypting the same plaintext multiple times still yields different ciphertexts.
C. Ciphertext: the encrypted data.
D. The important point here is that CBC works on fixed-length groups of bits, called blocks. In this article, we will use blocks of 16 bytes.
(6) The whole encryption process is, in brief, as follows;
A. First, the plaintext is split into groups (usually 16 bytes per group), and a group that falls short is padded with special characters.
B. Generate a random initialization vector (IV) and a key.
C. XOR the IV with the first group of plaintext.
D. Encrypt the result of the XOR in C with the key.
E. XOR the ciphertext generated in D with the second group of plaintext.
F. Encrypt the result generated in E with the key.
G. Repeat E-G until the last group of plaintext.
H. Concatenate the IV and the encrypted ciphertext to get the final ciphertext.
The first block is XORed with the initial vector IV (the IV is only used for the first block), and the result of the XOR is encrypted with the key to get the ciphertext of the first block; that encrypted result is then XORed with the plaintext of the next block, and so on. Therefore, the most important characteristic of this mode is as follows:
(7) The ciphertext of the previous block is used to generate the ciphertext of the next block, as shown in the figure below;

(8) This is the decryption process. Once you understand encryption, decryption is simply the same process in reverse. Likewise, the previous ciphertext block takes part in recovering the next plaintext block.
A. The IV is extracted from the ciphertext, and the ciphertext is split into groups.
B. The first group of ciphertext is decrypted with the key and then XORed with the IV to get the plaintext.
C. The second group of ciphertext is decrypted with the key and then XORed with the ciphertext from B to get the plaintext.
D. Repeat B-C until the last group of ciphertext.
(9) This is the schematic of our flip attack:

Here, notice that the previous ciphertext block is used to produce the next plaintext block. If we change a byte in the previous ciphertext block, the XOR during decryption yields a different plaintext, one that we control. Using this, we can deceive the server or bypass a filter.
(10) Enter an account number and password randomly in the login dialog box, and use BP to capture packets, as shown in the figure below;

(11) View the returned package, as shown in the figure below;

(12) Use the script to do the flip, as shown in the figure below;

(13) Set IV and flipped cipher in the cookie in BP and clear the post value before submitting, as shown in the figure below;

(14) The returned results are shown in the figure below;

(15) The server reports that deserialization failed, but if we decode the Base64 it returns, we find that our username has become admin. The reason is that to change mdmin to admin we modified the first block of data, so the first block of data was destroyed. Because the program requires the username to be exactly admin, the padding characters mentioned in the article cannot be used. Since the first block of data is destroyed and that block depends on the IV, it can be repaired by applying the CBC byte-flipping attack once more to obtain a new IV, as shown in the figure below;

(16) Replace IV with the obtained value, and submit the cipher. As shown in the figure below;

(17) Flag:ISCC{123dasd89as10aas}
(18) Download Baidu disk link:
Link: https://pan.baidu.com/s/1mr6NTo2sAkdH90hcFRHW8g
Password: 1kny
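
Steps (4) to (9) and the IV repair in step (15), as an added example that is not the script from the original writeup. Python's standard library has no AES, so a small Feistel cipher stands in for the block cipher (an assumption; CBC malleability does not depend on the cipher), the serialized string is constructed, and the last part shows an HMAC over IV and ciphertext rejecting the modified message.

```python
import hashlib
import hmac
import os

BS = 16  # block size in bytes, as in the description above


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher standing in for AES (assumption of this example)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    pad = BS - len(msg) % BS
    msg += bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(msg), BS):
        prev = block_encrypt(key, _xor(msg[i:i + BS], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += _xor(block_decrypt(key, ct[i:i + BS]), prev)
        prev = ct[i:i + BS]
    return out[:-out[-1]]


def flip_byte(ct: bytes, pos: int, old: int, new: int) -> bytes:
    """Change plaintext byte `pos` (block 1 or later) via the previous ciphertext block."""
    out = bytearray(ct)
    out[pos - BS] ^= old ^ new
    return bytes(out)


def repair_iv(iv: bytes, garbled_block0: bytes, wanted_block0: bytes) -> bytes:
    """New IV that turns the destroyed first plaintext block back into the wanted one."""
    return _xor(iv, _xor(garbled_block0, wanted_block0))


def seal(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    iv = os.urandom(BS)
    ct = cbc_encrypt(enc_key, iv, msg)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, iv, ct, tag) -> bytes:
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")
    return cbc_decrypt(enc_key, iv, ct)


# Constructed serialized value; "mdmin" starts at offset 25, i.e. in block 1.
MESSAGE = b'a:2:{s:8:"username";s:5:"mdmin";s:8:"password";s:3:"abc";}'


def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(32)
    iv, ct, tag = seal(enc_key, mac_key, MESSAGE)
    ct2 = flip_byte(ct, MESSAGE.index(b"mdmin"), ord("m"), ord("a"))
    garbled = cbc_decrypt(enc_key, iv, ct2)        # block 0 destroyed, block 1 says admin
    iv2 = repair_iv(iv, garbled[:BS], MESSAGE[:BS])
    repaired = cbc_decrypt(enc_key, iv2, ct2)      # what a server without a MAC accepts
    try:
        open_sealed(enc_key, mac_key, iv2, ct2, tag)
        rejected = False
    except ValueError:
        rejected = True
    return garbled, repaired, rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```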

14. Title: PHP is the best language in the world

answer:
(1) Opening the link shows a code audit challenge, as shown in the figure below;

(2) Scanning with a scanner finds the file no_md5.php, as shown in the figure below;

(3) Auditing the source code of the challenge finds a file inclusion, as shown in the figure below;

(4) So construct the request like this, as shown in the following figure:
/no_md5.php?a=GLOBALS

(5) Flag:ISCC{a39f9a1ff7eb4bab8a6a21b2ce111b4}

15. Title: only admin

answer:
(1) Opening the link shows a login dialog box, as shown in the following figure

(2) Use a scanner to scan and find the backup file. As shown in the figure below;

http://118.190.152.202:8020/web.zip
(3) Decompress the backup file, as shown in the figure below;

(4) Open config.php and find the code to be audited, as shown in the following figure;

(5) In the login dialog box, enter 'or 1# and any password, as shown in the following figure;

(6) Click login, as shown in the figure below;

(7) Run the script and write it into the cookie, as shown in the figure below;

(8) After the script runs, a new one will be added to the cookie, as shown in the following figure;

(9) Open Inspect Element, as shown in the following figure;

(10) Flag:flag{USer1ali2e1sInt4rt1n9}
(11) Download Baidu disk link:
Link: https://pan.baidu.com/s/1btTm5HfZOJkmS7OMgbVGxQ
Password: 6cyp

16. Title: why is it so simple

answer:
(1) Open the link and find that it is a multi-level challenge, as shown in the figure below;

(2) Look at these two elements, as shown in the figure below;

(3) This is similar to the web challenge in DDCTF 2018. Use Burp Suite to capture the packet and modify the HTTP header, as shown in the figure below;

(4) Click go, and the returned result is shown in the figure below;

(5) Get the second level address and find that you need to enter a password to get the flag, as shown in the figure below;

(6) Right click to view the source code of the web page, as shown in the figure below;

(7) Click ./password.js in the source code, as shown in the figure below;

(8) Find a section of Base64 code, as shown in the figure below;

(9) Decrypt Base64, as shown in the figure below;
Decrypt URL link: http://base64.xpcha.com/

(10) The result of decryption is XSS statement and the password to obtain flag is found, as shown in the figure below;

password:xinyiji.com
(11) Enter the password and click Get flag, as shown in the figure below;

(12)Flag:B1H3n5u0xI2n9JIscc
(13) Download Baidu disk link:
Link: https://pan.baidu.com/s/11SPmCZ8h7Xov –P-jknpEA
Password: 7vef

17. Title: sqli

answer:
(1) Opening the link shows a login dialog box, as shown in the following figure;

(2) Use burpsuite to capture packets, as shown in the figure below;

(3) In the login dialog box, enter - 1'or (1 = 1 *) or ', and enter x for password, as shown in the following figure;

(4) Save the packet capture content as TXT, as shown in the figure below;

(5) Use sqlmap injection, as shown in the figure below;
A. Inject command statements, as shown in the figure below;

B. The injection results are shown in the figure below;

(6) Flag:flag{hahaha999999999}
(7) Download Baidu disk link:
Link: https://pan.baidu.com/s/1TUw4fcYsbH7-sJ9IAPhSxw
Password: tn7y

18. Title: you can do it

answer:
(1) Opening the link shows a login dialog box, as shown in the following figure;

(2) Use burpsuite to capture the package and log in, as shown in the figure below;
(3) According to the result, the user name is admin, as shown in the figure below;

(4) Use burpsuite to capture and inject, as shown in the figure below;

(5) The returned results are shown in the following figure:

(6) Use the script to brute-force the password, as shown in the figure below;

(7) The password obtained is: nishishabi1438
(8) Log in with the account and password, as shown in the figure below;

(9) Enter flag to get the flag, as shown in the figure below;

(10) Flag:flag{sql_iNjEct_Is_Easy}
(11) Download Baidu disk link:
Link: https://pan.baidu.com/s/1E7PuabjjP4ovxw1H0KANtg
Password: 5vsi

3、 Reverse
1. Title: rsa256

answer:
(1) Download the title as shown in the figure below;

(2) Decompress and get the result as shown in the figure below;

(3) Is there some misunderstanding about cryptography? An RSA cryptography challenge has been placed in Reverse, as shown in the figure below;

(4) First of all, you can see the public key file public.key. Without thinking much, throw it straight into Kali and use OpenSSL to extract E and N, as shown in the figure below;
Command: openssl rsa -pubin -text -modulus -in public.key

(5) E is 65537, and N is relatively short. First convert it to decimal, as shown in the figure below;

(6) Factorize n as shown in the figure below;
Decryption website: http://factordb.com/

(7) P and Q are easily solved, as shown in the figure below;

(8) Here, the parameters of RSA are complete, as shown in the figure below;

(9) Use Python 3 code to decrypt ciphertext, as shown in the figure below;

(10) Run the program to get the answer, as shown in the figure below;

(11) Flag:flag{3b6d3806-4b2b-11e7-95a0-000c29d7e93d}
(12) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1ewjLGoTQN685ly1Q2nY09Q
Password: px37

2. Title: my math is bad

answer:
(1) Download the challenge and find that it is an ELF file, as shown in the figure below;

(2) Throw it into IDA, as shown in the figure below;

(3) Press F5, as shown in the figure below;

(4) The task is to solve two equations; solve them with Z3 in Python, as shown in the figure below;

(5)Flag:flag{th3_ Line@r_4lgebra_1s_d1fficult !}
(6) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1fdFgCYlrQVW-lwTRxAZLZw
Password: hfbv

3. Title: confusion and encode

answer:
(1) Download the title to get ELF file, as shown in the figure below;

(2) Open it with IDA, as shown in the following figure;

(3) The challenge verifies the input by applying two layers of encryption and comparing the resulting strings;
(4) The two layers of encryption are obfuscated with while loops. In fact, the two nested loops can be read as if/else;
(5) The second layer is Base64 with a changed character table; find a Base64 script online and change its character table, as shown in the figure below;

(6) The first layer needs to be brute-forced, and the script is shown in the figure below;

(7) The running results of the script are shown in the following figure;

(8) Flag:flag{dO_y0U_KNoW_0IlVm?}
(9) Download Baidu disk link:
Link: https://pan.baidu.com/s/12Pv9G89pzZAlwVTlpSkE5g
Password: 3r36

4. Title: leftleftrightright

answer:
(1) Download the title to get the EXE file, as shown in the figure below

(2) Put the downloaded file into IDA, as shown in the figure below;

(3) This is a very simple reverse challenge: as the title says, the characters are shifted left and right
(4) The binary is packed. Find an unpacker to remove the packing
(5) Open IDA and observe that the input length needs to be 29
(6) Under WinDbg, feed it 29 characters of non-repeating input, as shown in the figure below;

(7) The substitution rule for the character positions can be observed
(8) Compare with the target string in IDA, as shown in the figure below;

(9) Write a script that applies the corresponding substitution, as shown in the figure below;

(10) The operation results are shown in the figure below;

(11) Flag:Flag{this_was_simple_isnt_it}
(12) Download Baidu cloud disk link:
Link: https://pan.baidu.com/s/15HC3pH81JdxJWnXM6tKCCA
Password: x8bi

4、 PWN
1. Title: Login

answer:
(1) Download the title, as shown in the figure below;

(2) Throw the program into IDA, as shown in the figure below;

(3) It is found that there is a login function, which needs login to enter the menu function, as shown in the figure below;

(4) The account password has been given in the program, as shown in the figure below;

(5) Enter the menu function. Analysis shows that there is a stack overflow when inputting an option, and the return address can be overwritten, as shown in the figure below;

(6) First, return to the puts function to leak the addresses in puts@got and read@got, then identify the libc on the server through libc-database, calculate the addresses of system and "/bin/sh", and execute system('/bin/sh') after triggering the stack overflow again
(7) Script, as shown in the figure below;

(8) Flag:flag{welcome_to_iscc}
(9) Title download Baidu disk link;
Link: https://pan.baidu.com/s/10EG4ubVKQIQytjvzst6VuQ
Password: rqdy

2. Title: write some paper

answer:
(1) Download the title, as shown in the figure below;

(2) Throw the title into IDA, as shown in the figure below;

(3) The intended technique turns out to be House of Spirit (HOS). First use get_num to leak the stack address, as shown in the figure below;

(4) Then use the secret option to construct a fake_chunk on the stack, as shown in the figure below;

(5) Finally, UAF and the fastbin are used to have the stack memory returned, and the return address of the secret function is overwritten with the address of the GG function, as shown in the figure below;

(6) Finally, exit the secret function;
(7) The script is shown in the following figure;

(8) The operation results are shown in the figure below;

(9) Flag:flag{ISCC_SoEasy}
(10) Title download Baidu disk link;
Link: https://pan.baidu.com/s/1hxDG1o7XvBz6u6DQfoq7qA
Password: ge1i

3. Title: Happy Hotel

answer:
(1) Download the title, as shown in the figure below;

(2) Use IDA to open the program, as shown in the figure below;

(3) We find that NX is not enabled for the program, so we can look for a way to construct shellcode
(4) In the game function, we can enter shellcode and leak the stack address, as shown in the figure below;

(5) In the next function, sub_400a29 (as shown in the figure below), the dest pointer can be overwritten through buf. In the previous step we placed the shellcode on the stack and leaked the stack address. We can therefore overwrite the dest pointer with the GOT address of a function (I choose free@got); the strcpy that follows then overwrites that GOT entry with the address of the shellcode, so the shellcode is executed and a shell is obtained in a subsequent function call

(6) The script is shown in the following figure:

(7) The flag obtained by running the script is shown in the figure below;

(8) Flag:flag{wish_you_have_a_good_day}
(9) Download Baidu disk link:
Link: https://pan.baidu.com/s/10Yp9pAWzYPfe473hm8phVg
Password: 8yhi

5、 Mobile
1. Title: small trial ox knife

answer:
(1) Download the title, as shown in the figure below;

(2) Decompile it with the jadx APK decompiler tool, as shown in the figure below;

(3) Find bfsprotect.jar in the assets folder, as shown in the following figure;

(4) Change the extension of bfsprotect.jar from jar to dex, as shown in the following figure;

(5) Use the Android reverse assistant tool to decompile to dex2jar.jar, as shown in the following figure;

(6) Use JD GUI to view the decompiled dex2jar.jar, as shown in the following figure;

(7) Open org.isclab.shh.protectapp, as shown in the following figure;

(8) Open the protectclass file and find the flag, as shown in the following figure;

(9) Flag:BFS-ISCC
(10) Download Baidu disk link:
Link: https://pan.baidu.com/s/1F0DjPqp2wRNjNr-7CSQK5A
Password: k3vg

This article was written by Ji Changxin. Article address: https://blog.isoyu.com/archives/iscc-2018-writeup.html
Licensed under the Creative Commons Attribution 4.0 International license. Unless marked as reprinted with a source, articles are original or translated by this site. Please credit the source before reprinting. Last editing time: May 26, 2018 at 09:20 am

Comments:

6 comments, visitors: 0, bloggers: 0
    •  Ji Changxin
      Ji Changxin Published on:  

      Boss, I don't know what to update

  1.  Ji Changxin
    Ji Changxin Published on:  

    Good morning

    •  Ji Changxin
      Ji Changxin Published on:  

      Ma Huateng: QQ has been sent
