ISCC2025

ISCC:

Web:

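Nezha's Trial:

The hint is here:

[Screenshot 2025-05-15 025009]

The first guess is to pass a parameter: http://112.126.73.173:9999/?food=lotus%20root

[Screenshot 2025-05-15 024633]

There is a button that cannot be clicked; removing its disabled attribute in the F12 developer tools reveals the source code:

[Screenshot 2025-05-15 025147]

This is an MD5 loose (weak) comparison combined with a double-write bypass; build the payload against the isflag.php route:
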
nezha=%7b%0a%20%20%22%69%6e%63%61%6e%74%61%74%69%6f%6e%22%3a%20%22%49%5f%61%6d%5f%74%68%65%49%5f%61%6d%5f%74%68%65%5f%73%70%69%72%69%74%5f%6f%66%5f%66%69%72%65%5f%73%70%69%72%69%74%5f%6f%66%5f%66%69%72%65%22%2c%0a%20%20%22%6d%64%35%22%3a%20%22%51%4e%4b%43%44%5a%4f%22%2c%0a%20%20%22%70%6f%77%65%72%22%3a%20%22%61%61%62%67%37%58%53%73%22%0a%7d
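
The two weaknesses named above, as an added Python model that is not the challenge's own code (the real PHP source is only in the screenshot). The filtered keyword `I_am_the_spirit_of_fire`, the single-pass filter and the `==` comparison are assumptions inferred from the decoded payload; the function names are hypothetical. It shows why the payload passes a loose check and is rejected by a strict one.

```python
import hashlib
import hmac
import re

# The page's percent-encoded nezha fields, URL-decoded for readability.
NEZHA = {
    "incantation": "I_am_theI_am_the_spirit_of_fire_spirit_of_fire",
    "md5": "QNKCDZO",
    "power": "aabg7XSs",
}
PHRASE = "I_am_the_spirit_of_fire"      # assumed keyword the filter deletes
ZERO_SCI = re.compile(r"0+[eE]\d+")     # "0e<digits>": a numeric string worth 0


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def php_loose_equal(a, b):
    """Model of PHP `==` for the case used here: both sides parse as 0 * 10^n."""
    if ZERO_SCI.fullmatch(a) and ZERO_SCI.fullmatch(b):
        return True
    return a == b


def strip_once(text):
    """Weak filter: one non-recursive pass, like a single str_replace call."""
    return text.replace(PHRASE, "")


def weak_check(req):
    """Assumed vulnerable logic: rewrite the input once, compare digests loosely."""
    return (strip_once(req["incantation"]) == PHRASE
            and req["md5"] != req["power"]
            and php_loose_equal(md5_hex(req["md5"]), md5_hex(req["power"])))


def hardened_check(req):
    """Reject input containing the keyword; compare digests byte for byte."""
    if PHRASE in req["incantation"]:
        return False
    return (req["md5"] != req["power"]
            and hmac.compare_digest(md5_hex(req["md5"]), md5_hex(req["power"])))
```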

The last step is a word riddle; solving it yields the flag:

[Screenshot 2025-05-15 024816]

Misc:

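Sleeping Beauty:

Process the image with foremost. It outputs an archive:

[Screenshot 2025-05-15 004447]

Extracting it reveals an audio clip:

[Screenshot 2025-05-15 005621]

The audio hints that hidden information can be extracted, so write an audio signal script to process it: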

import numpy as np
import wave
import struct


class AudioProcessor:
    def __init__(self, file_path):
        self.file_path = file_path
        self.sample_rate = None
        self.signal = None

    def load_audio(self):
        with wave.open(self.file_path, 'rb') as wav_file:
            self.sample_rate = wav_file.getframerate()
            channels = wav_file.getnchannels()
            frames = wav_file.readframes(wav_file.getnframes())
            # Convert the binary data to short integers (16-bit PCM, little-endian)
            data = struct.unpack(f'<{len(frames) // 2}h', frames)

        self.signal = np.array(data, dtype=np.float32)
        # Multi-channel samples are interleaved: keep only the first channel
        if channels > 1:
            self.signal = self.signal.reshape(-1, channels)[:, 0].copy()
        self.signal /= np.max(np.abs(self.signal))

    def find_signal_changes(self, threshold=0.5):
        # Indices where the amplitude jumps by more than the threshold
        diffs = np.abs(np.diff(self.signal))
        return np.where(diffs > threshold)[0] + 1

    def trim_leading_silence(self, changes, min_silence=1000):
        if len(changes) == 0:
            return changes

        first_change = changes[0]
        if first_change > min_silence:
            print(f"Trimming initial silence: {first_change} samples")
            self.signal = self.signal[first_change:]
            return changes - first_change
        return changes

    # Compute the bit period
    def calculate_bit_interval(self, changes):
        intervals = np.diff(changes)
        return int(np.median(intervals) * 2)

    def extract_bits(self, bit_interval, sensitivity=0.2):
        bit_data = []
        half_interval = bit_interval // 2

        for pos in range(0, len(self.signal) - bit_interval, bit_interval):
            first_half = self.signal[pos:pos + half_interval]
            second_half = self.signal[pos + half_interval:pos + bit_interval]

            # A level change between the two halves of a bit period is read as 1
            diff = np.abs(np.mean(first_half) - np.mean(second_half))
            bit_data.append(1 if diff > sensitivity else 0)

        return bit_data


def process_audio(file_path):
    processor = AudioProcessor(file_path)
    processor.load_audio()

    transitions = processor.find_signal_changes()
    print(f"Detected {len(transitions)} transitions, first 10: {transitions[:10]}")

    transitions = processor.trim_leading_silence(transitions)
    print(f"After trimming: {len(transitions)} transitions remain")

    if len(transitions) < 2:
        print("Insufficient transitions for decoding")
        return None

    bit_span = processor.calculate_bit_interval(transitions)
    print(f"Estimated bit period: {bit_span} samples")
    print(f"Approximate bit rate: {processor.sample_rate / bit_span:.2f} bps")

    binary_stream = processor.extract_bits(bit_span)
    binary_string = ''.join(map(str, binary_stream))
    print(f"Binary output (first 100 bits): {binary_string[:100]}...")

    return binary_stream


if __name__ == "__main__":
    audio_file = "C:/Users/34274/Desktop/暂存/00026285/36.wav"
    result = process_audio(audio_file)

The binary output is shown in the figure:

[Screenshot 2025-05-15 005353]

Another script is needed to convert it to characters:

def binary_to_text(binary_str):
    # Check that the input is valid
    if not all(c in '01' for c in binary_str):
        raise ValueError("输入必须只包含0和1")

    # Split into 8-bit groups; trailing bits that do not fill a byte are dropped
    bytes_list = [
        ''.join(byte)
        for byte in zip(*[iter(binary_str)]*8)
    ]

    return ''.join(chr(int(byte, 2)) for byte in bytes_list)

binary_data = "0100001101110010011110010111000001110100011010010110001"
decoded_text = binary_to_text(binary_data)
print(f"结果: {decoded_text}")

After fine-tuning the string, it decodes to a word; wrapping it in ISCC{} gives the flag.

[Screenshot 2025-05-15 010858]

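Sign In:

Extracting the attachment reveals the following:

[Screenshot 2025-05-15 013526]

Again, process it with foremost; the output includes an image:

[Screenshot 2025-05-15 020508]

Processing it with stegsolve gives a result, confirming that it is an Arnold cat map (cat-face transform):

[Screenshot 2025-05-15 013916]

Write a script to restore it: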

import cv2
import numpy as np


def arnold_transform(image, transform_type, shuffle_times, a, b):
    # Assumes the image is square
    transformed_image = np.zeros_like(image)
    h, w = image.shape[:2]
    N = h

    # Choose the transform matrix according to the transform type
    if transform_type == 'encode':
        def transform(x, y):
            return (x + b * y) % N, (a * x + (a * b + 1) * y) % N
    elif transform_type == 'decode':
        def transform(x, y):
            return ((a * b + 1) * x - b * y) % N, (-a * x + y) % N
    else:
        raise ValueError("transform_type must be 'encode' or 'decode'")

    for _ in range(shuffle_times):
        # Map every pixel coordinate through the transform, one round per iteration
        coords = np.indices((h, w)).reshape(2, -1)
        new_coords = np.array([transform(x, y) for x, y in coords.T]).T

        transformed_image[new_coords[0], new_coords[1]] = image[coords[0], coords[1]]
        image = transformed_image.copy()

    output_filename = f'flag_arnold_{transform_type}.png'
    cv2.imwrite(output_filename, transformed_image, [int(cv2.IMWRITE_PNG_COMPRESSION), 0])
    return transformed_image


if __name__ == "__main__":
    img_path = 'C:/Users/34274/Downloads/attachment-30/foremost_output/png/00000000.png'
    img = cv2.imread(img_path)

    # Decoding example
    arnold_transform(img, 'decode', 1, 1, -2)

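After restoration we get the image:

[Image: flag_arnold_decode]

The attachment also contains a QR code, which suggests the two images should be overlaid. Testing shows that the image above has to be color-inverted, rotated 90 degrees counterclockwise, and so on, and then overlaid with the attachment's QR code to form a new QR code. Scan it and wrap the result in ISCC{} to get the flag:

[Screenshot 2025-05-15 023525]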

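The Secret Under the Snake Shell:

The challenge page shows a hint:

[Screenshot 2025-05-18 173834]

A tool check shows that the program was packed with PyInstaller, so unpack it with pyinstxtractor:

[Screenshot 2025-05-18 181203]

It contains .pyc files:

[Screenshot 2025-05-18 181139]

Decompiling them online yields the key source code: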

if score == 180:
    log_message('ISCC')
    log_message('ISCC{U2FsdGVkX1+L/wKmHIDfApCg80p+D+QrET/NmTD7QNeRSGbAkJFM}')
    reached_300 = True


Find a website to decrypt RC4 online; from the hint, the password is guessed to be serpentyearISCC, and decoding yields the flag:

[Screenshot 2025-05-18 181053]
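
The string inside ISCC{...} starts with U2FsdGVkX1, the base64 of `Salted__`, which marks an OpenSSL-style salted envelope (8-byte magic, 8-byte salt, ciphertext). An added Python example, not the challenge's or any particular website's code, of what such an online RC4 decryptor does, assuming the CryptoJS convention (key derived with EVP_BytesToKey over MD5, 32-byte RC4 key); all function names are hypothetical.

```python
import base64
import hashlib


def evp_bytes_to_key(password, salt, key_len):
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration."""
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        out += block
    return out[:key_len]


def rc4(key, data):
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_salted(b64_text):
    """Return (salt, ciphertext) from a base64 'Salted__' envelope."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or raw[:8] != b"Salted__":
        raise ValueError("not an OpenSSL-style salted envelope")
    return raw[8:16], raw[16:]


def decrypt_salted_rc4(b64_text, password, key_len=32):   # key_len is an assumption
    salt, ciphertext = split_salted(b64_text)
    return rc4(evp_bytes_to_key(password.encode(), salt, key_len), ciphertext)


def encrypt_salted_rc4(plaintext, password, salt, key_len=32):
    key = evp_bytes_to_key(password.encode(), salt, key_len)
    return base64.b64encode(b"Salted__" + salt + rc4(key, plaintext)).decode()
```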

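Two Positives Make a Negative:

This challenge uses ZipCrypto encryption with Store compression. Since the encoding of the archive's tail is known, we can attack the archive through its end-of-file record.

bkcrack needs at least 12 bytes, so we pick any 12:

The original size is 194; from the fixed bytes of the file tail (22 bytes in total) we get offset 172.

[Screenshot 2025-05-18 185732]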

bkcrack.exe -C attachment.zip -c flag.zip -x 172 504B05060000000001000100 -d flag.zip
bkcrack 1.7.1 - 2024-12-21
[00:52:54] Z reduction using 4 bytes of known plaintext
100.0 % (4 / 4)
[00:52:54] Attack on 1255721 Z values at index 179
Keys: e7f9d150 4e8fc2d9 c333de18
82.6 % (1036642 / 1255721)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 1036642
[01:02:42] Keys
e7f9d150 4e8fc2d9 c333de18
[01:02:42] Writing deciphered data flag.zip
Wrote deciphered data (not compressed).
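
Where the offset 172 and the bytes 504B05060000000001000100 in the command above come from, as an added Python example that is not part of the original write-up. It assumes the inner archive holds exactly one member and has no archive comment, so its end-of-central-directory record is the last 22 bytes; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_LEN = 22   # end-of-central-directory record when the archive has no comment


def eocd_known_plaintext(inner_size):
    """Offset and value of the predictable EOCD prefix of a one-file ZIP."""
    # signature PK\x05\x06, number of this disk, disk holding the directory,
    # entries on this disk, entries in total (all little-endian)
    prefix = struct.pack("<IHHHH", 0x06054B50, 0, 0, 1, 1)
    return inner_size - EOCD_LEN, prefix


def build_sample_inner_zip():
    """Constructed stand-in for the inner archive: one stored member, no comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "constructed sample, not the real flag")
    return buf.getvalue()


def prefix_matches(archive):
    """True if the archive carries the predicted bytes at the predicted offset."""
    offset, prefix = eocd_known_plaintext(len(archive))
    return archive[offset:offset + len(prefix)] == prefix


if __name__ == "__main__":
    offset, prefix = eocd_known_plaintext(194)   # original size given on the page
    print(offset, prefix.hex().upper())
    print(prefix_matches(build_sample_inner_zip()))
```

Because the outer member is stored rather than deflated, these 12 bytes appear unchanged in the plaintext that ZipCrypto encrypts, which is what makes them usable as known plaintext.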

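In ZipCrypto encryption the plaintext and ciphertext correspond to each other, so flag.zip can be cracked and extracted:

There is one more layer of encryption here: the same ZipCrypto encryption and Store compression as before, and even the keys used are the same: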

bkcrack.exe -C flag.zip -c flag.txt -k e7f9d150 4e8fc2d9 c333de18 -d flag.txt
bkcrack 1.7.1 - 2024-12-21
[01:06:47] Writing deciphered data flag.txt
Wrote deciphered data (not compressed).

Extract flag.txt:

[Screenshot 2025-05-18 184316]


https://sujohn-ron.github.io/2025/12/22/ISCC2025/
Author: SancyZyW0o
Published: December 22, 2025